custom rule not working as intended


Renzo Geelhoed

Aug 8, 2022, 6:44:00 AM
to Wazuh mailing list
Hi,

I've created some custom rules which are working fine.
Now, I want to create another one:

  <rule id="60204" level="10" frequency="$MS_FREQ" timeframe="240">
    <if_matched_group>authentication_failed</if_matched_group>
    <same_field>win.eventdata.ipAddress</same_field>
    <options>no_full_log</options>
    <description>Multiple Windows logon failures.</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>authentication_failures,gdpr_IV_32.2,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,nist_800_53_SI.4,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

The only thing I want to change is the level, so I set it to 12, but I cannot save the rule unless I delete frequency="$MS_FREQ" timeframe="240".
So I saved it without the frequency and put "overwrite:yes", and the rule now works, but the meaning is that when someone logs on with a wrong password more than 5 times within a certain timeframe, I receive an email (due to the level 12). Now, if I test the rule by logging on 6 times with wrong creds I get 6 emails due to the frequency not being accepted.

How can I change this so that I get an email after 5 or more wrong logins?

Thanks and kind regards,
Renzo

Renzo Geelhoed

Aug 8, 2022, 7:05:18 AM
to Wazuh mailing list
This is the error that I get while trying to save the rule:

Screenshot 2022-08-08 122057.png

Julia Magán Rodríguez

Aug 8, 2022, 7:57:28 AM
to Wazuh mailing list

Hello,

Rule 60204 uses the variable $MS_FREQ, which is declared in the same file and defaults to 8:

<var name="MS_FREQ">8</var>

You are getting this error because the variable is not defined in your rules file; to fix it you would have to define this variable. However, this option does not work right now and is being investigated in this issue, so the solution would be to set the value directly in the rule:

  <rule id="60204" level="12" frequency="8" timeframe="240" overwrite="yes">
    <if_matched_group>authentication_failed</if_matched_group>
    <same_field>win.eventdata.ipAddress</same_field>
    <options>no_full_log</options>
    <description>Multiple Windows logon failures.</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>authentication_failures,gdpr_IV_32.2,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,nist_800_53_SI.4,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
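The difference between the two rule versions in this thread, as an added example that is not part of the original posts or of Wazuh's own code: a small Python model of frequency/timeframe/same_field correlation run over constructed logon-failure events. Without frequency every matching event is its own alert (the "6 failed logons, 6 emails" case); with frequency="8" timeframe="240" and the source IP as the same_field key, one alert fires only once eight failures from the same IP land inside the window. The sample events, the reset-on-alert behaviour and the exact counting are assumptions of this simplified model, not a description of the Wazuh engine's internals.

```python
from collections import defaultdict, deque

# Constructed sample events (not from the thread): Windows logon failures as
# (seconds since start, win.eventdata.ipAddress). A burst of 6 from one host,
# 2 from another host, then a burst of 8 from the first host much later.
SAMPLE_EVENTS = (
    [(t, "10.0.0.5") for t in range(0, 60, 10)]          # 6 failures in 50 s
    + [(60, "10.0.0.9"), (70, "10.0.0.9")]               # 2 failures, other host
    + [(t, "10.0.0.5") for t in range(1000, 1080, 10)]   # 8 failures in 70 s
)


def alert_per_event(events):
    """What the thread describes with frequency removed: every matching
    event becomes its own alert, i.e. one email per failed logon."""
    return [(ts, ip, 1) for ts, ip in sorted(events)]


def correlate(events, frequency, timeframe):
    """Simplified model of frequency/timeframe/same_field correlation.

    Keeps one sliding window of timestamps per same_field value (here the
    source IP). When a window holds `frequency` events that all fall within
    `timeframe` seconds of the newest one, emit a single alert and clear the
    window so the next alert needs a fresh batch. Assumption: the real
    engine's exact reset and off-by-N behaviour is not modelled here.
    """
    windows = defaultdict(deque)
    alerts = []
    for ts, ip in sorted(events):
        window = windows[ip]
        window.append(ts)
        # Drop events that have fallen outside the timeframe.
        while window and ts - window[0] > timeframe:
            window.popleft()
        if len(window) >= frequency:
            alerts.append((ts, ip, len(window)))
            window.clear()
    return alerts


if __name__ == "__main__":
    print("no frequency:", len(alert_per_event(SAMPLE_EVENTS)), "alerts")
    print("frequency=8, timeframe=240:", correlate(SAMPLE_EVENTS, 8, 240))
    print("frequency=5, timeframe=240:", correlate(SAMPLE_EVENTS, 5, 240))
```

Running it shows 16 per-event alerts for the sample, a single alert at the eighth failure from 10.0.0.5 with frequency 8, and two alerts with frequency 5 (one per burst), which is the "email after 5 or more wrong logins" behaviour the question asks for.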

Renzo Geelhoed

Aug 9, 2022, 3:58:53 AM
to Wazuh mailing list
Hi Julia,

Thanks for your solution, it worked!

Kind regards,
Renzo
