How to retune the rules in wazuh


s v yashwanth

Jan 21, 2021, 12:31:04 AM1/21/21
to Wazuh mailing list
Hello Team,

Could you help us with how we can retune the rules which are not required for our organization?

Thanks,
Yashwanth S V

victor....@wazuh.com

Jan 21, 2021, 2:50:53 AM1/21/21
to Wazuh mailing list

Hello,

You can disable or change default Wazuh rules.

In order to suppress an alert, you can add a custom rule in your local_rules.xml file to set the desired alert level to 0 (https://documentation.wazuh.com/4.0/user-manual/ruleset/ruleset-xml-syntax/rules.html).

For example:

<group name="local,">
  <!-- Child rules of the stock rules 60602 and 60601; level 0 means no alert is generated -->
  <rule id="100003" level="0">
    <if_sid>60602</if_sid>
    <description>Rule suppression</description>
  </rule>

  <rule id="100004" level="0">
    <if_sid>60601</if_sid>
    <description>Rule suppression</description>
  </rule>
</group>


This will suppress alerts from rules 60601 and 60602.

Also, you can overwrite the alert using the overwrite option to suppress it:

<group name="local,">
  <!-- Replaces the stock rule 60602 in place instead of adding a child rule -->
  <rule id="60602" level="0" overwrite="yes">
    <description>Rule suppression</description>
  </rule>
</group>



Furthermore, you can edit these rules in the same way. Check these documentation pages to learn more about custom rules and decoders: https://documentation.wazuh.com/4.0/user-manual/ruleset/custom.html, https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/.

s v yashwanth

Jan 21, 2021, 5:32:53 AM1/21/21
to Wazuh mailing list
Hi Victor,

Thanks for the response; I will check and confirm.

Regards,
Yashwanth S V

s v yashwanth

Feb 2, 2021, 2:58:05 AM2/2/21
to Wazuh mailing list
Hello Team,

We are getting a great many alerts of the type "Suricata: Alert - ET SCAN Suspicious inbound to mySQL port 3306", but this activity is done by our internal team only and 3306 is open in our network.

Could you please help us with filters?

Thanks

Jose Antonio Izquierdo

Feb 2, 2021, 3:50:06 AM2/2/21
to Wazuh mailing list
Hello,

Maybe we should open a new thread as this seems to be a bit different than your initial question.

Anyway, here you have some thoughts.

The rule matching in your Suricata should be this one, with SID 2010937:

alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN Suspicious inbound to mySQL port 3306"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010937; classtype:bad-unknown; sid:2010937; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)

You will have some options:

1.- Verify your suricata.yaml configuration and review the EXTERNAL_NET and HOME_NET definitions. This alert should only be fired when traffic is from external to internal. Where are you listening to the traffic?
2.- Disable the rule if you don't want this to be triggered any more: edit the emerging-scan.rules file and modify it to something like this.

Define it as a pass rule:
pass tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN Suspicious inbound to mySQL port 3306"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010937; classtype:bad-unknown; sid:2010937; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)

or

Disable the rule:
#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN Suspicious inbound to mySQL port 3306"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010937; classtype:bad-unknown; sid:2010937; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)

You can also clone the rule and set better source and destination parameters.
Restart or reload your Suricata after the change is done.

3.- As Victor explained in previous answers, you can create a rule that will check the sid field and set that rule to level=0.

Let us know which one would be the best approach for you. My suggestion is to work on the Suricata side, options 1 and 2.

Thanks
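Added example (not part of the thread, nor from the Wazuh or Emerging Threats projects) of option 3 above: a Wazuh-side rule for local_rules.xml that silences the ET SCAN 2010937 alert only when the source address is in the internal team's range, so the same signature from any other source still alerts. It assumes that the stock Wazuh rule 86601 ("Suricata: Alert - ...") is the rule that fires on Suricata EVE JSON alerts, that the decoded fields are alert.signature_id and src_ip from the EVE record, that rule id 100010 is free in the local range, and that 10.0.0.0/8 stands in for the internal scanner subnet (placeholder, adjust to your own).

```xml
<group name="local,suricata,">
  <!-- Child of the stock Suricata alert rule (assumed id 86601).
       Matches only ET SID 2010937 coming from the internal range and
       sets level 0, so no alert is generated for that combination.
       Any other source address still falls through to rule 86601. -->
  <rule id="100010" level="0">
    <if_sid>86601</if_sid>
    <!-- Field names follow the Suricata EVE JSON keys (assumption) -->
    <field name="alert.signature_id">^2010937$</field>
    <!-- Placeholder internal range: 10.x.x.x; replace with your scanner subnet -->
    <field name="src_ip">^10\.</field>
    <description>Suppressed: ET SCAN inbound to MySQL 3306 from internal scanning hosts</description>
    <group>suppression,</group>
  </rule>
</group>
```

Two checks worth doing after saving the file: run the manager's rule tester (wazuh-logtest in 4.x) with one of the offending EVE lines and confirm it reports rule 100010 at level 0, then re-run it with an external src_ip and confirm 86601 still matches. Keeping the src_ip condition, rather than suppressing by SID alone, preserves the detection for genuine external scanning of port 3306.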

Alfred Abrajano

Jun 16, 2023, 1:56:24 AM6/16/23
to Wazuh mailing list
Hello Victor,

Is this only applicable to the Wazuh manager, or does this also work in the Wazuh agents/clients?

Thank you,
Alfred