Rules for Renaming File

[Yogi Valentino]

I'm trying to make a syscheck FIM rule for a renaming file. 

root@ubuntu-wazuh:~# cat /var/ossec/etc/rules/file.xml
<group name="syscheck, rename">
    <rule id="100100" level="8" timeframe="5">
        <if_sid>553</if_sid>
        <if_matched_sid>554</if_matched_sid>
        <same_field>sha1</same_field>
        <description>File $(file) renamed</description>
    </rule>

    <rule id="100101" level="8" timeframe="5">
        <if_sid>554</if_sid>
        <if_matched_sid>553</if_matched_sid>
        <same_field>sha1</same_field>
        <description>File $(file) renamed</description>
    </rule>

</group>

This is what it looks like. But when i try to rename it. It didn't trigger. Did i miss something?

[Olamilekan Abdullateef Ajani]

Hello,

I think you have a great idea here to detect when files are renamed, and it's also good as it could be transformed to a custom rule, I would advise you to try this in a test environment and observe the change activity to be sure if it meets your requirement to remove doubt on false positives.

The custom rule below which you provided works fine; I tested it and was able to detect the file being renamed

<group name="syscheck, rename">
    <rule id="198852" level="8" timeframe="20">

        <if_sid>553</if_sid>
        <if_matched_sid>554</if_matched_sid>
        <same_field>sha1</same_field>
        <description>File $(file) renamed</description>
    </rule>

</group>

For custom rules for FIM, you can find additional configurable options in the documentation below to help you when creating rules, the fields that are obtainable for modifications:

https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/creating-custom-fim-rules.html

[Yogi Valentino]

Yeah i already got it, it's because the timeframe.