Is it possible to fire multiple alerts for one log?


Jamie Navarro

Apr 20, 2023, 2:40:07 PM
to Wazuh mailing list
Hello, here are a couple of examples of logs I receive:
Log example #1:
Mar 13 15:19:43 dhcpd[7416]: DHCPACK on 10.10.10.77 to 56:8d:3d:8f:0c:90 via mvneta0.4091
Log example #2:
Mar 29 15:10:56 dhcpd[3246]: DHCPACK on 10.10.10.65 to 84:98:66:ca:f5:e3 (Galaxy-Tab-A) via mvneta0.4091

I had a lot of help from Miguel A.C. to set up my decoders (thank you Miguel A.C.!). And below is the rule I created:

  <rule id="100010" level="3">
    <decoded_as>SGPfsense</decoded_as>
    <field name="dhcpreqorack">DHCPACK</field>
    <description>SG - IP address $(ipassigned) assigned to $(tomacaddress)</description>
  </rule>


This has been working great. But then I added the following rule:

  <rule id="100015" level="10">
    <if_sid>100010</if_sid>
    <regex>Galaxy</regex>
    <description>SG - A Samsung Galaxy is on the network!</description>
  </rule>


The results were not what I was expecting.
Rule #100015 will generate an alert if the log contains the word 'Galaxy' (see Log example #2 above), which is great.
However, when this happens, my rule #100010 doesn't generate an alert.

What I would like to happen (and thought would happen) is that BOTH #100010 and #100015 generate an alert. Is this possible?

Kevin Ledesma

Apr 21, 2023, 9:39:33 AM
to Wazuh mailing list
Hi Jamie!

Well, the alert is always raised only by the more specific matching rule (the last child that matches). So here you have rule #100010 (parent), which is more "generic", and #100015 (child), which is "specific", so Wazuh will only raise an alert from #100015. It is that way because if it had to raise an alert from every matching rule, you would have a lot of "repeated" alerts, so it will only raise the alert of the last matching child rule.

What you can do, if you want to have the description from both rules, is to also just add it to rule #100015 like this:

  <rule id="100015" level="10">
    <if_sid>100010</if_sid>
    <regex>Galaxy</regex>
    <description>SG - A Samsung Galaxy is on the network! - IP address $(ipassigned) assigned to $(tomacaddress)</description>
  </rule>

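As an added illustration of Kevin's explanation (not code from the thread or from Wazuh itself), the following Python model evaluates the two rules over Jamie's sample logs the way he describes: a matching child rule supersedes its parent, so each log produces exactly one alert, and `$(field)` placeholders in the winning description are filled from the decoded fields. The decoder regex is a hypothetical stand-in for the SGPfsense decoder, whose definition is not in the thread, and rule 100015 carries the merged description Kevin suggested.

```python
import re

# Constructed sample logs: the two DHCPACK lines from the thread plus one
# DHCPOFFER line to show a log that matches neither rule.
LOGS = [
    "Mar 13 15:19:43 dhcpd[7416]: DHCPACK on 10.10.10.77 to 56:8d:3d:8f:0c:90 via mvneta0.4091",
    "Mar 29 15:10:56 dhcpd[3246]: DHCPACK on 10.10.10.65 to 84:98:66:ca:f5:e3 (Galaxy-Tab-A) via mvneta0.4091",
    "Mar 29 15:10:55 dhcpd[3246]: DHCPOFFER on 10.10.10.65 to 84:98:66:ca:f5:e3 (Galaxy-Tab-A) via mvneta0.4091",
]

# Hypothetical stand-in for the thread's SGPfsense decoder (its real regex is
# not on the page); it yields the three fields the rules reference.
DECODER = re.compile(
    r"dhcpd\[\d+\]: (?P<dhcpreqorack>DHCP\w+) on (?P<ipassigned>[\d.]+) to (?P<tomacaddress>[0-9a-f:]+)"
)

# The two rules from the thread; 100015 uses the merged description.
RULES = [
    {"id": 100010, "level": 3, "if_sid": None, "field": ("dhcpreqorack", "DHCPACK"),
     "regex": None, "description": "SG - IP address $(ipassigned) assigned to $(tomacaddress)"},
    {"id": 100015, "level": 10, "if_sid": 100010, "field": None, "regex": "Galaxy",
     "description": "SG - A Samsung Galaxy is on the network! - IP address $(ipassigned) assigned to $(tomacaddress)"},
]

def decode(log):
    m = DECODER.search(log)
    return m.groupdict() if m else {}

def rule_matches(rule, log, fields, matched_ids):
    # if_sid: a child is only considered once its parent has matched this log
    if rule["if_sid"] is not None and rule["if_sid"] not in matched_ids:
        return False
    if rule["field"] and fields.get(rule["field"][0]) != rule["field"][1]:
        return False
    if rule["regex"] and not re.search(rule["regex"], log):
        return False
    return True

def expand(description, fields):
    # substitute $(name) with the decoded field value, leaving unknown names as-is
    return re.sub(r"\$\((\w+)\)", lambda m: fields.get(m.group(1), m.group(0)), description)

def evaluate(log):
    """Return the single alert (id, level, description) for one log, or None."""
    fields, matched_ids, winner = decode(log), set(), None
    for rule in RULES:  # parents precede children, as if_sid requires
        if rule_matches(rule, log, fields, matched_ids):
            matched_ids.add(rule["id"])
            winner = rule  # the last matching child supersedes its parent
    return None if winner is None else (winner["id"], winner["level"], expand(winner["description"], fields))

if __name__ == "__main__":
    for log in LOGS:
        print(evaluate(log))
```
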
Jamie Navarro

Apr 21, 2023, 11:15:19 AM
to Wazuh mailing list
Hi Kevin,

Ahhh OK. Well thank you for explaining that to me. Being new to Wazuh, I didn't realize that. I didn't see it in the docs either (but could've easily missed it). I think the 'workaround'/suggestion you mentioned should work for us. Have a great weekend!

Jamie