Is it a limitation of wazuh rule?


Nepolean

Apr 27, 2023, 4:54:18 AM
to Wazuh mailing list
Hi Team,

I have this scenario. 

  <rule id="100201" level="0">
    <decoded_as>json</decoded_as>
    <description>grouping</description>
  </rule>

  <rule id="100251" level="3">
    <if_sid>100201</if_sid>
    <srcip>192.168.1.22</srcip>
    <description>Source IP found</description>
  </rule>

  <rule id="100252" level="4">
    <if_sid>100201</if_sid>
    <dstip>192.168.1..34</dstip>
    <description>Destination IP found</description>
  </rule>

In the last two rules I am checking two different fields of the same log and I want different alerts for it, as shown. This is a genuine use case, right? But the problem is Wazuh doesn't check both rules 100251 and 100252. It goes to the rule with the bigger level. How can I achieve what I want?

Miguel Verdaguer Velazquez

Apr 27, 2023, 6:24:54 AM
to Wazuh mailing list
Greetings from Wazuh,
I understand the problem is that only rule "100252", with level "4", is triggered, but not the one with level "3". This could mean the alert level threshold has been defined as 4. To check and change this, see the following documentation: https://documentation.wazuh.com/current/user-manual/manager/alert-threshold.html. The alert level threshold is 3 by default, so if the attribute "log_alert_level" is not defined, the problem is probably elsewhere. I understand the mistake in the field "dstip" comes from copying the rule, but there is an extra dot in the IP.
If "log_alert_level" is not defined, the problem may be that analysisd only triggers the first rule, or the rule with the highest level, if both come from the same rule. If so, you could add an additional rule, daughter of the two previous ones and with both conditions.

  <!-- 100253 is a free id; the combined rule must not reuse 100251, which is already defined above -->
  <rule id="100253" level="3">
    <if_sid>100251, 100252</if_sid>
    <srcip>192.168.1.22</srcip>
    <dstip>192.168.1.34</dstip>
    <description>Source IP and Destination IP found</description>
  </rule>

Nepolean

Apr 27, 2023, 6:52:33 AM
to Wazuh mailing list
The threshold level for me is the default, which is 3. In my case analysisd is triggering the rule with the highest level. If both rules have the same level, the first one in the file will get triggered. I want a separate alert for both rules, not in a single rule.

Miguel Verdaguer Velazquez

Apr 27, 2023, 7:19:37 AM
to Wazuh mailing list
I'm afraid it is not possible to get both alerts when both of them are triggered because of how analysisd works. Only the first rule from the daughters of another one will be triggered. The only solution I can think of is having three different rules, for one condition, the other, or both of them at the same time. This is done by adding the rule I wrote in the last email.
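The selection behaviour described in the two replies above (one winning child per parent: highest level first, file order on a tie, and nothing logged below the alert threshold) is easy to misjudge when writing sibling rules, so here is an added Python model of it that is not part of the thread and not Wazuh's analysisd code. It replays the poster's two sibling rules and the three-rule layout from the reply over a few constructed JSON events; rule ids 100201, 100251 and 100252 come from the thread, 100253 is an assumed free id for the combined child rule, and the events are made up.

```python
import json
from dataclasses import dataclass
from typing import List, Optional

# Model of the behaviour described in this thread: among the children of a
# matched rule only ONE child is selected, the highest level wins, and on a
# tie the rule that appears first in the file wins. This is an added
# illustration for the discussion, not Wazuh's analysisd source code.
# Rule ids 100201/100251/100252 come from the thread; 100253 is an assumed
# free id for the combined child rule.

DEFAULT_LOG_ALERT_LEVEL = 3   # Wazuh default; matches below it produce no alert


@dataclass
class Rule:
    id: int
    level: int
    parents: tuple = ()              # if_sid values; () means a top-level rule
    srcip: Optional[str] = None
    dstip: Optional[str] = None
    description: str = ""

    def matches(self, event: dict) -> bool:
        if self.srcip is not None and event.get("srcip") != self.srcip:
            return False
        if self.dstip is not None and event.get("dstip") != self.dstip:
            return False
        return True


def ordered(rules: List[Rule]) -> List[Rule]:
    # Higher level first; sorted() is stable, so equal levels keep file order.
    return sorted(rules, key=lambda r: -r.level)


def evaluate(rules: List[Rule], event: dict) -> Optional[Rule]:
    """Walk the rule tree and return the single rule that wins for this event."""
    matched = None
    candidates = [r for r in rules if not r.parents]
    while candidates:
        winner = next((r for r in ordered(candidates) if r.matches(event)), None)
        if winner is None:
            break                      # no child matched: the parent's match stands
        matched = winner
        candidates = [r for r in rules if winner.id in r.parents]
    return matched


def alert_ids(rules, events, log_alert_level=DEFAULT_LOG_ALERT_LEVEL):
    """Rule id alerted for each event, or None if nothing reaches the threshold."""
    out = []
    for ev in events:
        r = evaluate(rules, ev)
        out.append(r.id if r is not None and r.level >= log_alert_level else None)
    return out


# The ruleset as posted in the question (with the dstip typo corrected).
TWO_SIBLINGS = [
    Rule(100201, 0, description="grouping"),
    Rule(100251, 3, (100201,), srcip="192.168.1.22", description="Source IP found"),
    Rule(100252, 4, (100201,), dstip="192.168.1.34", description="Destination IP found"),
]

# The three-rule layout from the reply: one rule per condition plus a child of both.
THREE_RULES = TWO_SIBLINGS + [
    Rule(100253, 3, (100251, 100252), srcip="192.168.1.22", dstip="192.168.1.34",
         description="Source IP and Destination IP found"),
]

# Constructed sample events (already decoded as JSON), not real traffic.
EVENTS = [json.loads(s) for s in (
    '{"srcip": "192.168.1.22", "dstip": "10.0.0.5"}',      # only the source matches
    '{"srcip": "10.0.0.9", "dstip": "192.168.1.34"}',      # only the destination matches
    '{"srcip": "192.168.1.22", "dstip": "192.168.1.34"}',  # both match
    '{"srcip": "10.0.0.9", "dstip": "10.0.0.5"}',          # neither matches
)]

if __name__ == "__main__":
    print("two siblings:", alert_ids(TWO_SIBLINGS, EVENTS))
    print("three rules :", alert_ids(THREE_RULES, EVENTS))
```

With only the two siblings, the event that matches both IPs is reported as 100252 alone, because the level-4 child is tried first and no second sibling is ever evaluated. With the combined child attached to both 100251 and 100252, the same event surfaces as 100253, while events matching just one field still produce 100251 or 100252, which is the "one condition, the other, or both" outcome the reply describes. The model also shows why a level-0 grouping rule never alerts on its own: it is below the default threshold.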