Aggregation rule doesn't work as expected in Wazuh v.4.7.3


mauro....@cmcc.it

Mar 18, 2024, 7:20:13 AM
to Wazuh | Mailing List
Dear users,

I recently created a rule to detect "Adult sites" traffic and receive the related alert notifications.
It works as expected. I also created an aggregation rule to reduce log flooding, as follows:

  <rule id="100301" level="3">
    <decoded_as>json</decoded_as>
    <field name="Alert">Adult Content</field>
    <field name="InfoMsg">\.+</field>
    <field name="SenderType">Firewall</field>
    <description>Adult content site access</description>
  </rule>

  <rule id="100302" level="12" frequency="3" timeframe="240">
    <if_matched_sid>100301</if_matched_sid>
    <same_source_ip />
    <description>Multiple Adult content site accesses</description>
  </rule>

I tried to trigger the rule by generating "Adult" traffic, but only rule 100301 is triggered.
During the test, I visited the same site from the same source IP. I noticed that not every alert I generated is listed in the Wazuh Dashboard (Security events). It seems that some alerts are skipped in the dashboard.

In any case, I was able to generate, in the specified timeframe, more than 3 alert occurrences. But the aggregation rule is not triggered.

I see that other users had the same issue, but I didn't understand the way to fix the issue.
I increased the RAM from 8 to 16GB and I added 4 additional cores (it is a VM with an 8-core vCPU).

Could you please help me?

Thank you in advance,
Mauro

Henadence Anyam

Mar 18, 2024, 7:49:00 AM
to Wazuh | Mailing List
Hello Mauro,
Trust you are doing okay.

I think you might be having issues with the <same_source_ip /> option, which has been deprecated.
Its replacement is the same_srcip option, which specifies that the decoded source IP address must be the same.

You can only use the same_srcip option if you have a field decoded as srcip in your events.

If you do not have a field decoded as srcip in your event, then use the same_field option and specify the field you would like to generate an alert for when the same value occurs multiple times.

Let me know if you find this information helpful.
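The two corrections described in the reply above, written out as an added example (not Mauro's rules or Wazuh project code). It assumes the events either carry a decoded srcip field or a raw JSON key holding the client address; "SrcIP" is a placeholder name for that key, and the group name is arbitrary.

```xml
<group name="local,firewall,adult_content,">
  <!-- Base rule, kept as in the original post -->
  <rule id="100301" level="3">
    <decoded_as>json</decoded_as>
    <field name="Alert">Adult Content</field>
    <field name="InfoMsg">\.+</field>
    <field name="SenderType">Firewall</field>
    <description>Adult content site access</description>
  </rule>

  <!-- Option A: the event has a decoded srcip (assumption: the JSON
       decoder maps a top-level "srcip" key to it). Replaces the
       deprecated <same_source_ip /> with <same_srcip />. -->
  <rule id="100302" level="12" frequency="3" timeframe="240">
    <if_matched_sid>100301</if_matched_sid>
    <same_srcip />
    <description>Multiple Adult content site accesses from the same source IP</description>
  </rule>

  <!-- Option B: no decoded srcip, so correlate on the raw JSON field.
       "SrcIP" is a placeholder for the firewall's real key name.
       Load only one of 100302 / 100303, or every burst alerts twice. -->
  <rule id="100303" level="12" frequency="3" timeframe="240">
    <if_matched_sid>100301</if_matched_sid>
    <same_field>SrcIP</same_field>
    <description>Multiple Adult content site accesses from the same SrcIP</description>
  </rule>
</group>
```

After editing local_rules.xml, restart wazuh-manager and confirm the rule ids are loaded before re-testing, since an XML error silently leaves the old ruleset in place.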

mauro....@cmcc.it

Mar 18, 2024, 8:19:28 AM
to Wazuh | Mailing List
A genius! :) You are a genius! You solved both the problems with a single message.

Thank you very much.
Have a great day,
Mauro
