Duplicate Rules Match | Urgent


John Carry

Feb 19, 2023, 9:47:51 PM
to Wazuh mailing list
Hello Wazuh Team,
I have created a custom rule for my firewall because I need to trigger a level 12 alert if my condition is met; both rules are listed below.

However, the problem I am facing is that when the rule is tested, it says that it found a duplicate rule and that priority will be given to the first rule (the default one). I am pasting the error below; please assist with the changes needed, as I want to trigger the custom rule whenever the condition mentioned there is met:
**Messages:
    WARNING: (7003): 'da8101f3' token expires
    WARNING: (7612): Rule ID '222032' is duplicated. Only the first occurrence will be considered.
    INFO: (7202): Session initialized with token '32b7d590'

**Phase 1: Completed pre-decoding.
    full event: 'date=2023-02-15 time=21:11:24 devname="Arpatech_HO" devid="FG6H1ETB21907474" eventtime=1676477485124165451 tz="+0500" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=12 sessionid=167293945 srcip=192.168.18.78 srcport=56529 srcintf="port2" srcintfrole="lan" dstip=104.21.35.30 dstport=443 dstintf="port5" dstintfrole="wan" proto=6 service="HTTPS" hostname="cdn.shopproxy.live" profile="Custom_Policy" action="blocked" reqtype="direct" url="https://cdn.shopproxy.live/" sentbyte=426 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=26 catdesc="Malicious Websites" crscore=30 craction=4194304 crlevel="high"'

**Phase 2: Completed decoding.
    name: 'fortigate-firewall-v5'
    action: 'blocked'
    catdesc: 'Malicious Websites'
    craction: '4194304'
    crlevel: 'high'
    crscore: '30'
    devid: 'FG6H1ETB21907474'
    devname: 'Arpatech_HO'
    direction: 'outgoing'
    dstintf: 'port5'
    dstintfrole: 'wan'
    dstip: '104.21.35.30'
    dstport: '443'
    eventtime: '1676477485124165451'
    eventtype: 'ftgd_blk'
    hostname: 'cdn.shopproxy.live'
    level: 'warning'
    logid: '0316013056'
    msg: 'URL belongs to a denied category in policy'
    policyid: '12'
    profile: 'Custom_Policy'
    proto: '6'
    rcvdbyte: '0'
    reqtype: 'direct'
    sentbyte: '426'
    service: 'HTTPS'
    sessionid: '167293945'
    srcintf: 'port2'
    srcintfrole: 'lan'
    srcip: '192.168.18.78'
    srcport: '56529'
    subtype: 'webfilter'
    time: '21:11:24'
    type: 'utm'
    url: 'https://cdn.shopproxy.live/'
    vd: 'root'

**Phase 3: Completed filtering (rules).
    id: '81644'
    level: '6'
    description: 'Fortigate: Blocked URL belongs to a denied category in policy.'
    groups: '["fortigate","syslog"]'
    firedtimes: '1'
    mail: 'false'

**Alert to be generated.

Default rule:
  <rule id="81644" level="6">
    <if_sid>81603</if_sid>
    <match>type="utm" subtype="webfilter"|type=utm subtype=webfilter</match>
    <action>blocked</action>
    <description>Fortigate: Blocked URL belongs to a denied category in policy.</description>
  </rule>

Custom Rule:
  <rule id="222032" level="12">
    <if_sid>81644</if_sid>
    <field name="catdesc">Malicious Websites|"Malicious Websites"</field>
    <description>User accessing Malicious Website</description>
  </rule>

The actual payload:
date=2023-02-15 time=21:11:24 devname="xxx" devid="xxxH1ETB21907474" eventtime=1676477485124165451 tz="+0500" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=12 sessionid=167293945 srcip=192.168.x.x srcport=56529 srcintf="port2" srcintfrole="lan" dstip=104.21.35.30 dstport=443 dstintf="port5" dstintfrole="wan" proto=6 service="HTTPS" hostname="cdn.shopproxy.live" profile="Custom_Policy" action="blocked" reqtype="direct" url="https://cdn.shopproxy.live/" sentbyte=426 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=26 catdesc="Malicious Websites" crscore=30 craction=4194304 crlevel="high"


Abdullah Al Rafi Fahim

Feb 19, 2023, 10:27:25 PM
to Wazuh mailing list
Hello John,

Thanks for sharing your issue with us!

"WARNING: (7612): Rule ID '222032' is duplicated. Only the first occurrence will be considered." - this warning indicates that your Wazuh manager has multiple rules defined with rule ID 222032, and in that case only the first one in alphanumeric order will be considered. Therefore, you need to give this custom rule a unique rule ID to avoid the conflict and make it work properly.

Apart from this, the custom rule you mentioned is working without any issue, as I have tested it with the sample log in wazuh-logtest.

Please give the custom rule a unique rule ID and restart the wazuh-manager to make the change effective.

I hope it helps. Please let us know how it goes.
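A quick way to catch exactly this collision before restarting the manager, added here as an example and not part of the thread: a POSIX shell function that lists every rule ID defined more than once across the given rule files or directories. The rule files the demo writes are constructed for the demo; the two directories in the final comment are the standard Wazuh locations for the stock ruleset and for custom rules.

```shell
#!/bin/sh
# Added example: list Wazuh rule IDs defined more than once. A custom rule
# that reuses an ID already present in another loaded file is dropped after
# the first occurrence, which is what warning (7612) above reports.

# Usage: find_duplicate_rule_ids FILE_OR_DIR...  -> one duplicated ID per line
find_duplicate_rule_ids() {
    # -r recurse into directories, -h no filenames, -o only the matched text
    grep -rhoE '<rule[^>]*[[:space:]]id="[0-9]+"' "$@" 2>/dev/null \
        | sed -E 's/.*id="([0-9]+)".*/\1/' \
        | sort | uniq -d
}

# Self-contained demo on constructed rule files (not real ruleset content).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/ruleset" "$tmp/etc"
    cat > "$tmp/ruleset/fortigate_rules_sample.xml" <<'EOF'
<group name="fortigate,syslog,">
  <rule id="81644" level="6">
    <if_sid>81603</if_sid>
    <description>Fortigate: Blocked URL belongs to a denied category in policy.</description>
  </rule>
  <rule id="222032" level="3">
    <description>Constructed: another rule that already owns ID 222032</description>
  </rule>
</group>
EOF
    cat > "$tmp/etc/local_rules.xml" <<'EOF'
<group name="local,">
  <rule id="222032" level="12">
    <if_sid>81644</if_sid>
    <field name="catdesc">Malicious Websites|"Malicious Websites"</field>
    <description>User accessing Malicious Website</description>
  </rule>
</group>
EOF
    find_duplicate_rule_ids "$tmp/ruleset" "$tmp/etc"
    rm -rf "$tmp"
}

demo   # prints: 222032

# On a real manager, check the stock ruleset and the custom rules together:
# find_duplicate_rule_ids /var/ossec/ruleset/rules /var/ossec/etc/rules
```

An empty result means every loaded ID is unique; any ID printed is one that the manager will only honour for its first occurrence.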