RULE AND DECODER to detect a man-in-the-middle attack on a LAN network

Walter Salazar

May 10, 2023, 12:44:09 PM
to Wazuh mailing list
Good afternoon everyone, warm greetings. I am writing to ask for your help. I am new and exploring the Wazuh tool. I need to create a new rule and decoder to detect a man-in-the-middle attack on a LAN network. I have tried to create it with AI, but every time I copy it to Wazuh, it generates errors. Thank you very much for your help.

Lucas Pascual

May 10, 2023, 2:37:56 PM
to Wazuh mailing list
Hello Walter, thank you for reaching out to the community.
  • Do you already have alert samples you need to work on in order to create the corresponding decoders and rules? Would you like to share them?
  • Are you already receiving the alerts on Wazuh?
    You can determine this as follows:
    - Set <logall_json>no</logall_json> to "yes" in /var/ossec/etc/ossec.conf
    - Restart the Wazuh service: systemctl restart wazuh-manager.service
    - Check /var/ossec/logs/alerts/alerts.json for the events you are looking for.
    - After confirming events are being received (or not), remember to revert logall_json to no.
    - If events are not available on the Manager, that would be the first troubleshooting step moving forward.
You will find a detailed explanation on how to work with decoders and rules on the links below:
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
Hope this helps!
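The check described in the reply above, as an added shell example that is not from the thread or from the Wazuh project: it switches logall_json in ossec.conf, restarts the manager, counts matching events in alerts.json, and reverts the setting. The paths are the ones named in the reply; the restart and the live check only happen when the script is invoked with the argument `run`, the functions themselves work on any file you pass them.

```shell
#!/bin/sh
# Added example (not from the original thread). Defaults are the paths
# named in the reply; override them through the environment if needed.
OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"
ALERTS_JSON="${ALERTS_JSON:-/var/ossec/logs/alerts/alerts.json}"

# get_logall_json <conf-file>: print the current <logall_json> value.
get_logall_json() {
    sed -n 's#.*<logall_json>\([a-z]*\)</logall_json>.*#\1#p' "$1" | head -n 1
}

# set_logall_json <conf-file> <yes|no>: rewrite the <logall_json> value in place.
set_logall_json() {
    conf="$1"; value="$2"
    case "$value" in yes|no) ;; *) echo "value must be yes or no" >&2; return 1 ;; esac
    grep -q '<logall_json>' "$conf" || { echo "no <logall_json> element in $conf" >&2; return 1; }
    sed -i "s#<logall_json>[a-z]*</logall_json>#<logall_json>${value}</logall_json>#" "$conf"
}

# count_events <alerts.json> <pattern>: number of alert lines matching pattern.
# alerts.json holds one JSON document per line, so a line count is an event count.
count_events() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -- "$2" "$1" || true
}

# Full cycle from the reply: enable, restart, wait for events, check, revert.
# <pattern> is whatever identifies your events, e.g. a rule id or agent name.
check_events() {
    pattern="$1"; wait_seconds="${2:-60}"
    previous="$(get_logall_json "$OSSEC_CONF")"
    set_logall_json "$OSSEC_CONF" yes
    systemctl restart wazuh-manager.service
    sleep "$wait_seconds"
    echo "events matching '$pattern': $(count_events "$ALERTS_JSON" "$pattern")"
    # Revert to the previous value (normally "no") so alerts.json does not grow unbounded.
    set_logall_json "$OSSEC_CONF" "${previous:-no}"
    systemctl restart wazuh-manager.service
}

if [ "${1:-}" = "run" ]; then
    check_events "${2:?usage: $0 run <pattern> [wait-seconds]}" "${3:-60}"
fi
```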