Rules Syntax - agent groups


Robert A

Sep 13, 2022, 8:27:14 AM9/13/22
to Wazuh mailing list
Hi!

I'm trying to create a custom rule, overwriting one of the core rules. But I'd like to create this rule only for a specific AGENT group.
I went through the whole Rules Syntax documentation but couldn't really find what I need.
Of course I have ideas how to overcome this, but is there an option to create a custom rule only for a specific group of agents using the agent group name?

Thanks for any advice.
Robert

Robert A

Sep 13, 2022, 8:29:13 AM9/13/22
to Wazuh mailing list
Looking for something like this:

  <rule id="52507" level="2" overwrite="yes">
    <if_sid>52501</if_sid>
    <agent_group>name</agent_group>
    <match>ClamAV update process started </match>
    <description>ClamAV database update</description>
    <group>virus,pci_dss_5.2,gpg13_4.4,gdpr_IV_35.7.d,nist_800_53_SI.3,tsc_A1.2,</group>
  </rule>

mariano hinjos

Sep 13, 2022, 9:34:52 AM9/13/22
to Wazuh mailing list
Hi Robert

In my custom rules I search the field ossec client, for example:


  <rule id="100801" level="5">
    <if_sid>100125</if_sid>
    <field name="accionoracle">^100$</field>
    <hostname>^esmas158p|^esmas140t|^esmas155t|^esmas182p</hostname>
    <description>ORACLE: LOGON ORACLE EKIP</description>
  </rule>

Only these servers for this rule.

I hope it helps you

Julián Morales

Sep 13, 2022, 9:57:56 AM9/13/22
to Wazuh mailing list
Robert A

Currently, this is not a feature available in the Wazuh ruleset. An alternative to this may be to use the location option:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#location

This way you could use a regex to filter by agent name for certain rules.
Suppose you wanted to create a rule that only matches agents whose name starts with "ubuntu"; you could have something like the following:

<rule id="100001" level="3">
  ...
  <location type="pcre2">^\(ubuntu</location>
  <description>Ubuntu agents</description>
  ...
</rule>



I hope this is useful for you

Robert A

Sep 14, 2022, 4:51:26 AM9/14/22
to Wazuh mailing list
Hello,

Yep, I checked out <location>, and in our case a simple regex using <hostname> was more suitable. Thanks for your input and time.

Julian, is it OK to ask you to create such an issue in the Wazuh repo to introduce this as a future feature? I think that might be a nice simplification for creating custom rules.

Julián Morales

Sep 16, 2022, 1:11:47 PM9/16/22
to Wazuh mailing list
Hi Robert!

Please feel free to create feature requests as you wish. This way we can analyse your proposal, estimate it and add it to our roadmap so that we can address it in the future.
Could you tell me about the use case? This will help me understand the need for this functionality.
I guess what you want is to separate a part of the ruleset, or a set of rules, for a group of agents, right?

Robert A

Sep 19, 2022, 5:58:34 AM9/19/22
to Wazuh mailing list
Hi Julian,

I'd like to make it simpler when you have to create a custom rule, or just overwrite one of the core rules, and you want it to work only for a specific group of agents.

Of course, using the location or hostname tags is always an option, but when you have your agents properly sorted into groups, it would be much quicker to refer to a specific agent group with a dedicated tag than to write a regex (sometimes more complex than it might first appear).
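The regex approach Julián describes above, and the complexity Robert mentions, can be checked before a rule ships. The following is an added example, not code from the thread or from Wazuh: it builds the anchored <location type="pcre2"> pattern for a (constructed) agent group and runs it against constructed event locations. It assumes the remote-agent location format "(agent_name) agent_ip->log_source" and uses Python's re in place of PCRE2, which is equivalent for the escaped literals, alternation and anchors used here.

```python
import re

# Constructed agent inventory (hypothetical): group name -> agent names.
AGENT_GROUPS = {
    "ubuntu-web": ["ubuntu-web-01", "ubuntu-web-02"],
    "oracle-db": ["esmas158p", "esmas140t"],
}

# Constructed event locations as analysisd would carry them (assumption:
# "(agent_name) agent_ip->log_source" for agents, bare path for the manager).
EVENTS = [
    "(ubuntu-web-01) 10.0.0.11->/var/log/auth.log",
    "(ubuntu-web-02) 10.0.0.12->/var/log/syslog",
    "(esmas158p) 10.0.1.5->/u01/app/oracle/audit.log",
    "(backup-01) 10.0.2.7->/var/log/ubuntu-web-01-sync.log",  # agent name only in the path
    "/var/log/syslog",                                        # manager-local event, no agent
]


def group_alternation(group):
    """Escaped 'name1|name2|...' for the agents in the group."""
    return "|".join(re.escape(n) for n in AGENT_GROUPS[group])


def location_regex_for_group(group):
    """Pattern for <location type="pcre2">: the agent name is anchored by the
    leading '(' and the closing ') ', so only events from these agents match."""
    return r"^\((" + group_alternation(group) + r")\) "


def location_matches(pattern, location):
    return re.search(pattern, location) is not None


def anchored_hits(group):
    """Event locations the anchored group pattern selects."""
    pat = location_regex_for_group(group)
    return [loc for loc in EVENTS if location_matches(pat, loc)]


def unanchored_hits(group):
    """Same alternation without anchors: also matches agents whose log path
    merely contains a group member's name, which is the trap to avoid."""
    pat = group_alternation(group)
    return [loc for loc in EVENTS if location_matches(pat, loc)]


if __name__ == "__main__":
    for g in AGENT_GROUPS:
        print(g, "->", location_regex_for_group(g))
        print("  anchored  :", anchored_hits(g))
        print("  unanchored:", unanchored_hits(g))
```

Paste the printed pattern into the rule's <location type="pcre2"> element; the unanchored run shows the extra, unintended match on the backup agent's log path.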

Julián Morales

Sep 19, 2022, 11:41:19 AM9/19/22
to Wazuh mailing list

Hi Robert!

I encourage you to open a feature request issue in our official GitHub repository proposing this improvement.
Could you tell us in the issue about the use case, i.e. why you need different rules for different groups of agents? This will make it easier for us to understand what the problem is and find the best possible solution. Tracking this in GitHub will also allow us to follow up better.

Thanks for being part of the Wazuh community.

