Custom Rules


clsamc...@gmail.com

May 12, 2022, 1:06:34 PM5/12/22
to Wazuh mailing list
Does anyone see what's wrong with this rule:

<group name="http_errors">
  <rule id="100003" level="0">
    <if_sid>31151,31101,31533</if_sid>
    <list field="srcip" lookup="address_match_key">lists/white_list</list>
    <description>Quiet: Whitelisted IPs</description>
  </rule>
</group>

I'm trying to suppress alerts from whitelisted IPs. My white_list file is in the following format:

IP:ID

So, for example, 192.168.168.168:User1

I continue to receive alerts for the whitelisted IPs.

I am using Wazuh v4.3.0

Thanks.

clsamc...@gmail.com

May 12, 2022, 2:43:07 PM5/12/22
to Wazuh mailing list
Apparently the problem is that analysisd is not processing the file, but I don't know why. Permissions and ownership match others in the etc/lists directory.

clsamc...@gmail.com

May 12, 2022, 4:05:04 PM5/12/22
to Wazuh mailing list
Okay, got it.

First, add your list to ossec.conf. Second, the rules entry should point to white-list.cdb. Works.
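The three pieces that the fix above amounts to, written out as an added example (not configuration from the thread or from the Wazuh project): the list file, the ossec.conf entry that makes analysisd compile and load it, and the rule referencing the same path. The paths assume the default /var/ossec install; the rule id and parent sids are the ones from the original post, and the CIDR line in the list is a constructed addition to show that address_match_key also matches ranges.

```xml
<!-- Added example, not from the thread. Three files under /var/ossec. -->

<!-- 1. /var/ossec/etc/lists/white_list
        Plain text, one key:value pair per line. Keys are IPs or CIDR ranges
        for the address_match_key lookup; the value (User1) is informational.
        The 10.20.0.0/16 line is a constructed addition for illustration.

192.168.168.168:User1
10.20.0.0/16:corp-range
-->

<!-- 2. /var/ossec/etc/ossec.conf
        Registering the list is the step that was missing: without it the
        manager never compiles white_list to white_list.cdb, so the rule
        has nothing to look up. The path is relative to /var/ossec. -->
<ossec_config>
  <ruleset>
    <list>etc/lists/white_list</list>
  </ruleset>
</ossec_config>

<!-- 3. /var/ossec/etc/rules/local_rules.xml
        The <list> path must match the one registered in ossec.conf.
        level="0" on a child of the HTTP error rules silences them for
        any srcip found in the list; the child rule wins over its parents. -->
<group name="http_errors">
  <rule id="100003" level="0">
    <if_sid>31151,31101,31533</if_sid>
    <list field="srcip" lookup="address_match_key">etc/lists/white_list</list>
    <description>Quiet: Whitelisted IPs</description>
  </rule>
</group>
```

After editing, restart the manager (systemctl restart wazuh-manager) and check that /var/ossec/etc/lists/white_list.cdb now exists with the same ownership as the other compiled lists; if it does not, the ossec.conf entry is wrong or the file had a syntax error (a line without a colon is the usual cause). Then feed a matching web-server log line into /var/ossec/bin/wazuh-logtest and confirm that rule 100003 fires at level 0 instead of the original 311xx rule. Note that the documented form of the path in both places is the list name without the .cdb extension; the compiled file is what the lookup actually reads.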

Emiliano Zorn

May 12, 2022, 5:23:21 PM5/12/22
to Wazuh mailing list
Hello team!

Can you please corroborate that the CDB list you are looking for is in the correct path?

You're pointing to lists/white_list, whereas by default the lists are in etc/lists/.

Let me know if that works for you.

Regards.

Emiliano Zorn

May 12, 2022, 5:25:22 PM5/12/22
to Wazuh mailing list
Hello there! I just saw your last message.

I'm glad it worked for you! Just out of curiosity, did you have to modify something in the rule, or just in ossec.conf?

clsamc...@gmail.com

May 17, 2022, 12:16:55 PM5/17/22
to Wazuh mailing list
Hi

Thank you for the reply. I think the path issue was likely a result of the many edits. The solution was adding to the lists section of ossec.conf.

Thanks, again.

Emiliano Zorn

May 19, 2022, 2:05:22 PM5/19/22
to Wazuh mailing list
Hello there!

Thanks for the explanation.

Do not hesitate to write again in case of need.

Regards.