Need a set of Stormshield rules


herve LeBonCoin

Oct 31, 2025, 5:23:15 AM
to Wazuh | Mailing List
Hello,

I am looking for someone who could provide me with a set of rules (or a draft) that I can use as inspiration for my deployment.

Thank you all in advance!
Herca

Md. Nazmur Sakib

Nov 4, 2025, 5:20:49 AM
to Wazuh | Mailing List

Hi Herca,

I have created some sample rules for you based on these logs:

id=firewall time="2022-03-03 14:21:10" fw="SN12345678912345" tz=+0100 startime="2022-03-03 14:21:10" pri=5 confid=01 slotlevel=2 ruleid=100 srcif="Ethernet3" srcifname="in" ipproto=tcp dstif="Ethernet2" dstifname="out" proto=https src=42.123.123.123 srcport=60355 srcportname=ad2009-dyn_tcp srcname=DLEM-AMPD02 srcmac=00:00:00:00:00:00 dst=11.11.11.11 dstport=443 dstportname=https dstname=example_dest dstcontinent="na" dstcountry="us" ipv=4 sent=0 rcvd=0 duration=2.00 action=pass logtype="filter"
id=firewall "time="2022-03-16 19:36:03" fw="SN12345678912345" tz=+0100 startime="" pri=5 confid=01 slotlevel=2 ruleid=103 srcif="Ethernet3" srcifname="in" ipproto=tcp dstif="Ethernet2" dstifname="out" proto=https src=11.11.11.11 srcport=49586 srcportname=ephemeral_fw_tcp srcname=foo_bar srcmac=00:00:00:00:00:00 srccontinent="na" srccountry="us" dst=22.22.22.22 dstport=443 dstportname=https dstcontinent="eu" dstcountry="be" modsrc=11.11.11.11 modsrcport=49586 origdst=22.22.22.22 origdstport=443 ipv=4 sent=2827291 rcvd=2728401 duration=107331.18 action=pass logtype="connection"
I have used these decoders:
https://github.com/sakib789/Wazuh-magic/blob/main/Stormshiel_firewall/custom_stormshiel_firewall_decoders.xml

Add these two rules to /var/ossec/etc/rules/local_rules.xml:

<group name="firewall,">
  <rule id="101110" level="0">
    <decoded_as>stormshield_decoder</decoded_as>
    <description>Stormshield logs grouping rule</description>
  </rule>

  <rule id="101120" level="5">
    <if_sid>101110</if_sid>
    <field name="logtype">connection</field>
    <description>Stormshield connection logs</description>
  </rule>
</group>

And restart the Wazuh Manager or reload the analysisd engine:

systemctl restart wazuh-manager

You can make more custom rules considering 101110 as a parent rule to get a specific alert.

These documents can be useful for writing custom rules:

Let me know if you need any further information.
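To see how the level-0 grouping rule and its if_sid child behave on records like the two above, here is an added Python sketch (my own, not the decoder or rules posted in this thread) that parses the Stormshield key=value format and walks a small rule table modelled on 101110 and 101120. Rule 101130 is a constructed extra child to show how the parent gets extended, and the sample records are constructed in the same shape as the thread's logs.

```python
import re

# Stormshield writes one record per line as space-separated key=value pairs;
# values are bare (src=42.123.123.123) or double-quoted and may hold spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S*)')

def decode_stormshield(line):
    """Stand-in for the custom decoder: split a Stormshield firewall record
    into its fields, or return None when the line is not such a record."""
    if not line.startswith("id=firewall"):
        return None
    return {k: v.strip('"') for k, v in _KV.findall(line)}

# Rule table mirroring the posted local_rules.xml: a level-0 grouping parent
# (101110) and children that hang off it via if_sid and test decoded fields.
# 101130 is a constructed extra child; parents must precede children, as in
# the analysisd rule tree.
RULES = [
    {"id": 101110, "level": 0, "if_sid": None, "match": {},
     "description": "Stormshield logs grouping rule"},
    {"id": 101120, "level": 5, "if_sid": 101110, "match": {"logtype": "connection"},
     "description": "Stormshield connection logs"},
    {"id": 101130, "level": 8, "if_sid": 101110, "match": {"action": "block"},
     "description": "Stormshield blocked traffic (constructed)"},
]

def evaluate(fields):
    """Walk the tree like analysisd: a child is tried only after its if_sid parent
    matched, the first matching sibling wins, and the deepest match fires."""
    current = None
    for rule in RULES:
        if rule["if_sid"] is None:
            parent_ok = current is None
        else:
            parent_ok = current is not None and current["id"] == rule["if_sid"]
        if parent_ok and all(fields.get(k) == v for k, v in rule["match"].items()):
            current = rule
    return current

def alert_for(line):
    """(rule id, level) for a log line, or None when only a level-0 rule matched."""
    fields = decode_stormshield(line)
    rule = evaluate(fields) if fields is not None else None
    return None if rule is None or rule["level"] == 0 else (rule["id"], rule["level"])

SAMPLE_LOGS = [  # constructed records, same shape as the two in the thread
    'id=firewall time="2022-03-16 19:36:03" fw="SN12345678912345" pri=5 ruleid=103 '
    'src=11.11.11.11 dst=22.22.22.22 dstport=443 sent=2827291 action=pass logtype="connection"',
    'id=firewall time="2022-03-16 19:40:00" fw="SN12345678912345" pri=4 ruleid=7 '
    'src=198.51.100.7 dst=11.11.11.11 dstport=22 action=block logtype="filter"',
]
```

A filter/pass record only reaches the level-0 parent and so produces no alert, which is the same outcome analysisd gives for the first log in the thread.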
