Custom rules


Draenoel Leonard

Dec 30, 2021, 11:05:02 AM
to Wazuh mailing list
Hello,

I am currently attempting to set up a custom rule with a matching statement to ignore a rule when a certain criterion is met. Example:

  <rule id="999981" level="0">
    <if_sid>80711</if_sid>
    <match>match1</match>
    <description>Description1</description>
  </rule>

My question: am I able to have two matching statements that work together to fit the criteria? I want the rule to trigger when the alert has both "match1" and "match2".

Thanks for any help!

Gloria Daniela Sanchez

Dec 30, 2021, 12:30:42 PM
to Wazuh mailing list
Hi, hope you're having a good day so far!
In order to have two matching statements you can use <match>match1|match2</match> in your rule.
Here you have the custom rule documentation in case you need more information.
 
I hope the answer helps you!
Regards

Draenoel Leonard

Dec 30, 2021, 3:08:07 PM
to Wazuh mailing list
Thank you for the reply, Daniela,

Quick question just to verify.
Is the format you've presented with the vertical bar going to trigger if match1 AND match2 are present, or is it going to trigger needing only 1 or 2?

Thanks again.

Juan Carlos Tello

Aug 8, 2022, 4:31:45 AM
to Draenoel Leonard, Wazuh mailing list
Hello Draenoel,

In the case of <match>match1|match2</match> it will only need to find either string (match1 or match2).
In order to have an AND condition you can use <regex> instead of <match>:
  <rule id="100002" level="3">
    <regex>match1\.*match2|match2\.*match1</regex>
    <description>Match events with both strings match1 and match2</description>
  </rule>
or a pair of parent/child rules:
  <rule id="100002" level="0">
    <match>match1</match>
    <description>match events with string match1</description>
  </rule>
  <rule id="100003" level="0">
    <if_sid>100002</if_sid>
    <match>match2</match>
    <description>match events with both strings match1 and match2</description>
  </rule>

I hope you still find this helpful, please don't hesitate to ask more questions if you have them.
Best Regards,
Juan C. Tello
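To check the three behaviours from this thread side by side without a Wazuh install (OR via "|" in <match>, AND via "\.*" in <regex>, and the parent/child chain), here is an added Python emulation run over constructed sample events. It is not Wazuh's engine: the translation of Wazuh's "\." (any character) to Python's "." and the simplified if_sid chaining are assumptions made for the demonstration.

```python
import re

# Added example (not Wazuh code): emulate the two constructs from the thread so the
# OR-vs-AND difference and the parent/child chain can be checked on sample events.

# Constructed sample events, not real logs
EVENTS = [
    "sshd: match1 seen",            # only the first string
    "only match2 here",             # only the second string
    "match2 then later match1",     # both, in reverse order
    "nothing relevant",             # neither
]

def os_match(pattern: str, event: str) -> bool:
    """Emulate <match>: '|' separates alternatives, each a plain substring (OR)."""
    return any(alt in event for alt in pattern.split("|"))

def os_regex(pattern: str, event: str) -> bool:
    """Emulate <regex>: in Wazuh's dialect '\\.' means 'any character' and a bare
    '.' is a literal dot, the reverse of Python, so swap them before searching."""
    py = re.sub(r"\\\.|\.", lambda m: "." if m.group(0) == r"\." else r"\.", pattern)
    return re.search(py, event) is not None

# The two alternatives from the last reply, as rule dicts instead of XML
AND_REGEX = r"match1\.*match2|match2\.*match1"
CHAIN = [
    {"id": 100002, "level": 0, "match": "match1"},
    {"id": 100003, "level": 0, "if_sid": 100002, "match": "match2"},
]

def evaluate(event: str, rules: list) -> list:
    """Simplified chaining (assumption): a rule with if_sid is only tried once its
    parent has fired on the same event. Returns the ids that fired, in order."""
    fired = []
    for r in rules:
        if "if_sid" in r and r["if_sid"] not in fired:
            continue
        if "match" in r and not os_match(r["match"], event):
            continue
        if "regex" in r and not os_regex(r["regex"], event):
            continue
        fired.append(r["id"])
    return fired

if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{ev!r:32} OR={os_match('match1|match2', ev)!s:5} "
              f"AND={os_regex(AND_REGEX, ev)!s:5} chain={evaluate(ev, CHAIN)}")
```

Only the third event satisfies the AND regex and reaches child rule 100003; the second event never reaches the child because its parent 100002 did not fire.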
