help for malware and other detection on local_rules.xml


Alfian Syahputra

Nov 9, 2025, 11:44:00 PM
to Wazuh | Mailing List

Hello Wazuh community, is there anyone who can share the contents of /var/ossec/etc/rules/local_rules.xml for malware triggers or other purposes? Looking at MITRE ATT&CK, there are many commands, so I need help if anyone is willing to provide the contents of local_rules.xml. Thank you.

Besides that path, is there anything else that needs to be changed or added to enhance those triggers?


For example, this trigger on malware: https://documentation.wazuh.com/current/getting-started/use-cases/malware-detection.html

Md. Nazmur Sakib

Nov 10, 2025, 12:07:12 AM
to Wazuh | Mailing List

Hi Alfian,

The file /var/ossec/etc/rules/local_rules.xml is for adding custom rules. Check this custom rules document for more details.

For the LimeRAT malware detection on Windows, you will also need to install and configure Sysmon on the Windows endpoint.

Refer to the blog post on LimeRat detection and response with Wazuh for the full configuration.


For MITRE, you do not need to configure anything other than adding the technique ID under the rule, like this:

    <mitre>
      <id>T1036</id>
    </mitre>


Check the document for more details on this topic:
Mitre
MITRE ATT&CK framework



Let me know if you need further information on this.
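As an added illustration of how that `<mitre>` block sits inside a complete custom rule (this is example content written for this thread, not code from the reply above or from the Wazuh project), here is a hypothetical local_rules.xml entry. It assumes the Wazuh Sysmon decoder's process-creation parent rule 61603 and the field names win.eventdata.image and win.eventdata.originalFileName, and it uses rule ID 100100 from the range reserved for custom rules; the detection logic itself (a binary named svchost.exe running from outside System32, a T1036 Masquerading pattern) is a constructed example, not a rule shipped with Wazuh.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (example; rule ID and fields are assumptions) -->
<group name="local,sysmon,masquerading,">

  <!-- Fire when Sysmon Event 1 reports svchost.exe started from a path other than System32.
       61603 is the Wazuh parent rule for Sysmon process creation. -->
  <rule id="100100" level="10">
    <if_sid>61603</if_sid>
    <!-- image name ends in \svchost.exe ... -->
    <field name="win.eventdata.image" type="pcre2">(?i)\\svchost\.exe$</field>
    <!-- ... but is NOT the legitimate System32 copy -->
    <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^C:\\Windows\\System32\\svchost\.exe$</field>
    <description>Sysmon - svchost.exe executed from an unexpected path: $(win.eventdata.image)</description>
    <!-- MITRE mapping: only the technique ID is needed; Wazuh resolves the tactic and name -->
    <mitre>
      <id>T1036</id>
    </mitre>
  </rule>

</group>
```

After saving the file, run /var/ossec/bin/wazuh-logtest with a sample Sysmon event to confirm the rule matches before restarting the manager; the alert will carry the rule.mitre.id, rule.mitre.tactic and rule.mitre.technique fields that the MITRE ATT&CK dashboard reads.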
