To avoid false positive alerts generated by Google Chrome, you can create a rule like the one below. If the rule with ID #### (the Rule ID of the alert mentioned in the screenshot) is triggered, it will check the rule with ID 100015. This rule will attempt to match the value of data.win.eventdata.image with the pattern C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping\.*. Here, \.* at the end represents any value following chrome_Unpacker_BeginUnzipping. If the rule matches, the alert will be ignored because we have set its level to 0.
<group name="ignore">
  <rule id="100015" level="0">
    <if_sid>####</if_sid>
    <field name="data.win.eventdata.image" type="pcre2">C:\\Windows\\SystemTemp\\chrome_Unpacker_BeginUnzipping\.*</field>
    <description>Ignored the event due to false positive created by Google Chrome</description>
  </rule>
</group>
Replace the #### value with the Rule ID of the alert mentioned in the screenshot.
You can refer to the Wazuh rule syntax document and the Wazuh rule level document.
Also, please provide sample logs from alerts.json related to the alerts you mentioned for further assistance. You can use the following command to get the sample logs. Replace rule_id with the alert rule ID you mentioned:

cat /var/ossec/logs/alerts/alerts.json | grep "rule_id"

I hope this helps you. Please let me know if you have any questions.
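Before deploying a level-0 suppression like the one above, it is worth checking against real alerts.json lines which events it would silence and which would keep alerting. The script below is an added example, not code from the original post or from Wazuh: it parses constructed alerts.json lines, selects alerts by exact rule.id (the grep in the post matches the digits anywhere in the line), and evaluates the same pcre2 pattern against data.win.eventdata.image the way the child rule's if_sid plus field check would. The parent rule id 92001, the paths and the timestamps are made-up placeholders for the "####" id and the poster's own alerts. Note that in PCRE2 (and Python's re) the trailing \.* matches zero or more literal dots, so the match keys on the directory prefix; because the field match is an unanchored search, anything after the prefix is still accepted.

```python
import json
import re

# Constructed sample alerts.json content (Wazuh writes one JSON object per line).
# Rule id 92001 stands in for the "####" parent rule id from the post; paths are made up.
SAMPLE_ALERTS = r'''
{"timestamp":"2024-01-01T00:00:00.000+0000","rule":{"id":"92001","level":12,"description":"Suspicious process (constructed)"},"data":{"win":{"eventdata":{"image":"C:\\Windows\\SystemTemp\\chrome_Unpacker_BeginUnzipping\\setup.exe"}}}}
{"timestamp":"2024-01-01T00:00:01.000+0000","rule":{"id":"92001","level":12,"description":"Suspicious process (constructed)"},"data":{"win":{"eventdata":{"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\installer.exe"}}}}
{"timestamp":"2024-01-01T00:00:02.000+0000","rule":{"id":"61603","level":3,"description":"Unrelated event (constructed)"},"data":{"win":{"eventdata":{"image":"C:\\Windows\\SystemTemp\\chrome_Unpacker_BeginUnzipping\\helper.dll"}}}}
'''

# Same pattern as the <field type="pcre2"> in the rule. In a raw string, "\\" is one
# escaped backslash in the regex and "\.*" means zero or more literal dots, so the
# match effectively keys on the directory prefix. The search is unanchored (as the
# rule engine's field matching is), so anything after the prefix is accepted either way.
IMAGE_PATTERN = re.compile(r"C:\\Windows\\SystemTemp\\chrome_Unpacker_BeginUnzipping\.*")


def parse_alerts(text):
    """Parse newline-delimited JSON alerts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def get_field(alert, dotted_name):
    """Resolve a dotted field name such as data.win.eventdata.image; None if absent."""
    node = alert
    for part in dotted_name.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def alerts_for_rule(alerts, rule_id):
    """Exact-match selection on rule.id, unlike a plain grep for the digits."""
    return [a for a in alerts if str(get_field(a, "rule.id")) == str(rule_id)]


def would_be_ignored(alert, parent_rule_id, pattern=IMAGE_PATTERN):
    """Mirror the child rule: <if_sid> must match and the image field must match the pcre2."""
    if str(get_field(alert, "rule.id")) != str(parent_rule_id):
        return False
    image = get_field(alert, "data.win.eventdata.image")
    return image is not None and pattern.search(image) is not None


def triage(text, parent_rule_id):
    """Split the parent rule's alerts into images the level-0 child would silence and the rest."""
    ignored, still_alerting = [], []
    for alert in alerts_for_rule(parse_alerts(text), parent_rule_id):
        image = get_field(alert, "data.win.eventdata.image")
        (ignored if would_be_ignored(alert, parent_rule_id) else still_alerting).append(image)
    return ignored, still_alerting


if __name__ == "__main__":
    silenced, kept = triage(SAMPLE_ALERTS, "92001")
    print("silenced:", silenced)
    print("still alerting:", kept)
```

To run it against a real file, replace SAMPLE_ALERTS with the contents of /var/ossec/logs/alerts/alerts.json and pass the actual parent rule id; the "still alerting" list is what you would expect to keep seeing after the suppression is in place, which is a quick sanity check that the pattern is neither too broad nor too narrow.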