Wazuh rule level change


Aravind Krish

Apr 26, 2021, 7:20:09 AM
to Wazuh mailing list
Hello,

I have a requirement to change the Wazuh rule level to level 10 for a specific source IP.
But the level should remain the default value of 12 if the traffic is from other IPs.

Can you suggest how I can achieve this?

The rule I want to change is below.

<rule id="40112" level="12" timeframe="240">
  <if_group>authentication_success</if_group>
  <if_matched_group>authentication_failures</if_matched_group>
  <same_source_ip />
  <description>Multiple authentication failures followed </description>
  <description>by a success.</description>
  <mitre>
    <id>T1078</id>
    <id>T1110</id>
  </mitre>
  <group>pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

Regards,
Arav

Nicolas Koziuk

Apr 26, 2021, 7:47:56 AM
to Wazuh mailing list
Hello Arav, thanks for reaching out.

I understand you want to create a rule with the same behaviour as rule 40112 but only for specific IPs, and it should also lower the level to 10 for these IPs.

For this, create a child of rule 40112 and add a srcip filter to it (I suggest you take a look at the srcip field documentation for the rules syntax). For every different IP, add a new srcip tag with the corresponding IP, as I show in the example below with IP1.IP1.IP1.IP1 and IP2.IP2.IP2.IP2.

The resulting rule should be added to /var/ossec/etc/rules/local_rules.xml on your Wazuh manager and should look something like this:

<rule id="99999" level="10" timeframe="240">
  <if_sid>40112</if_sid>
  <description>Multiple authentication failures followed: level 10 rule for specific IPs</description>
  <srcip>IP1.IP1.IP1.IP1</srcip>
  <srcip>IP2.IP2.IP2.IP2</srcip>
</rule>

I hope this helps

Best regards!

Nicolas Koziuk

Apr 26, 2021, 8:06:10 AM
to Wazuh mailing list
Arav, I just realized I made a small mistake and forgot to remove the timeframe in the child rule example I shared. The resulting rule should be something like this:

<rule id="99999" level="10">
  <if_sid>40112</if_sid>
  <description>Multiple authentication failures followed: level 10 rule for specific IPs</description>
  <srcip>IP1.IP1.IP1.IP1</srcip>
  <srcip>IP2.IP2.IP2.IP2</srcip>
</rule>

Best regards!
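The override pattern Nicolas describes (a child rule with if_sid plus one or more srcip entries, no timeframe on the child) can be checked offline before touching the manager. The script below is an added example and is not code from this thread or from the Wazuh project: it parses a rules fragment the way Wazuh's rules files are laid out (several top-level group blocks allowed, multiple description tags joined), then answers "which rule and level will the alert carry for an event from this source IP?" by following if_sid children whose srcip list admits the address, since Wazuh alerts with the deepest matching rule. It also lints the child for the mistakes discussed above. The rule ids 100100 and 100101, the addresses and the 10.20.0.0/16 netblock are assumptions for the demo; the srcip matching is a re-implementation (single IP or CIDR netblock, which Wazuh's srcip accepts), not Wazuh's own matcher.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed ruleset (assumption, not the poster's file): the stock composite
# rule 40112 plus an override child. Id 100100, the IPs and the /16 are made up.
RULES_XML = """
<group name="local,">
  <rule id="40112" level="12" timeframe="240">
    <if_group>authentication_success</if_group>
    <if_matched_group>authentication_failures</if_matched_group>
    <same_source_ip />
    <description>Multiple authentication failures followed </description>
    <description>by a success.</description>
  </rule>

  <rule id="100100" level="10">
    <if_sid>40112</if_sid>
    <srcip>203.0.113.10</srcip>
    <srcip>10.20.0.0/16</srcip>
    <description>Rule 40112 at level 10 for the listed sources</description>
  </rule>
</group>
"""

# Constructed variant reproducing the first version posted in the thread, where
# the child still carried timeframe, so the linter has something to flag.
BAD_CHILD_XML = """
<group name="local,">
  <rule id="100101" level="10" timeframe="240">
    <if_sid>40112</if_sid>
    <srcip>203.0.113.10</srcip>
    <description>Child with a stray timeframe attribute</description>
  </rule>
</group>
"""


def load_rules(xml_text):
    """Parse a Wazuh rules fragment into {rule_id: fields}.

    Rules files may hold several top-level <group> blocks, so the text is wrapped
    in a synthetic root. Multiple <description> elements are concatenated, which
    is how Wazuh builds the description of a rule that splits it over two tags.
    """
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    rules = {}
    for rule in root.iter("rule"):
        parents = []
        for e in rule.findall("if_sid"):  # if_sid may list several comma-separated ids
            parents += [s.strip() for s in (e.text or "").split(",") if s.strip()]
        rules[rule.get("id")] = {
            "level": int(rule.get("level")),
            "timeframe": rule.get("timeframe"),
            "parents": parents,
            "srcip": [ipaddress.ip_network(e.text.strip(), strict=False)
                      for e in rule.findall("srcip")],
            "description": "".join(e.text or "" for e in rule.findall("description")),
        }
    return rules


def srcip_matches(rule, ip):
    """No <srcip> means the rule does not constrain the source; otherwise any
    listed address or netblock that contains ip is a match."""
    if not rule["srcip"]:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in rule["srcip"])


def effective_rule(rules, fired_id, ip):
    """Given that fired_id matched an event from ip, descend into <if_sid>
    children whose srcip filter admits ip. The deepest match is what Wazuh
    alerts with, so a matching child's level replaces the parent's."""
    current = fired_id
    visited = {current}  # guards against accidental if_sid cycles
    while True:
        for rid, rule in rules.items():
            if rid not in visited and current in rule["parents"] and srcip_matches(rule, ip):
                current = rid
                visited.add(rid)
                break
        else:
            return current, rules[current]["level"]


def lint_override(rules, child_id):
    """Checks for a level-override child, following the advice in the thread."""
    child = rules[child_id]
    issues = []
    if not child["parents"]:
        issues.append("no <if_sid>: not a child of the rule being overridden")
    if not child["srcip"]:
        issues.append("no <srcip>: the override would apply to every source IP")
    if child["timeframe"] is not None:
        issues.append("timeframe set on the child; it belongs on the composite parent")
    for pid in child["parents"]:
        if pid in rules and rules[pid]["level"] == child["level"]:
            issues.append("same level as parent " + pid + ": the override changes nothing")
    return issues


if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    for ip in ("203.0.113.10", "10.20.5.7", "198.51.100.4"):
        print(ip, "->", effective_rule(rules, "40112", ip))
    print("lint 100100:", lint_override(rules, "100100"))
    print("lint 100101:", lint_override(load_rules(BAD_CHILD_XML), "100101"))
```

Running it shows the two listed sources resolving to rule 100100 at level 10 and any other address staying on 40112 at level 12, which is the behaviour Arav confirmed; the linter reports the stray timeframe on 100101. After deploying the real child to local_rules.xml and restarting the manager, compare the rule.id and rule.level fields in the resulting alerts against what effective_rule predicts.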

Aravind Krish

Apr 26, 2021, 11:09:14 PM
to Nicolas Koziuk, Wazuh mailing list
Hello Nicolas,

Thank you, I have configured the same and it is working.

Regards,
Arav

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/4611094b-3f16-44d8-b84a-b53ceb928bcen%40googlegroups.com.

Nicolas Koziuk

Apr 27, 2021, 6:57:19 AM
to Aravind Krish, Wazuh mailing list
Great news Arav, I am glad to know this worked!

Don't hesitate to come back if you need anything else

Regards