overwrite rule log
148 views
Skip to first unread message
German DiCasas
Sep 12, 2024, 8:52:16 AM9/12/24
to Wazuh | Mailing List
Hi team,
I overwrited a rule using Doc https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html#changing-existing-rules and I have a dude. The doc indicates "To maintain consistency across loaded rules, it is currently not possible to overwrite the if_sid, if_group, if_level, if_matched_sid, and if_matched_group labels. These tags are ignored when present in an overwrite rule, preserving the original values." And the example of change the level value of the SSH rule 5710 from 5 to 10 have inside a if_sid that per warining will be ignored but over ossec.log I get a warning " It is not possible to overwrite 'if_group' value in rule 'XXXX'. The original value is retained" So, That indicates that tthe rule was not overwrited?
I did it with a rule over ruleset/rules , the 92213 to change the levevel from 15 to 10
and I get this over ossec.log
2024/09/12 09:31:52 wazuh-analysisd: WARNING: (7605): It is not possible to overwrite 'if_group' value in rule '92213'. The original value is retained.
ofiginal 92213 is over /var/ossec/ruleset/rules/0830-sysmon_id_11.xml and I copied to my /etc/rules to new xml whith this:
<group name="sysmon,sysmon_eid11_detections,windows,">
<rule id="92213" level="12" overwrite="yes">
<if_group>sysmon_event_11</if_group>
<field name="win.eventdata.targetFilename" type="pcre2">(?i)[c-z]:\\\\Users\\\\.+\\\\AppData\\\\Local\\\\Temp\\\\.+\.(exe|com|dll|vbs|js|bat|cmd|pif|wsh|ps1|msi|vbe)</field>
<options>no_full_log</options>
<description>Executable file dropped in folder commonly used by malware.(de L15 a L12)</description>
<mitre>
<id>T1105</id>
</mitre>
</rule>
</group>
ofiginal 92213 is over /var/ossec/ruleset/rules/0830-sysmon_id_11.xml and I copied to my /etc/rules to new xml whith this:
<group name="sysmon,sysmon_eid11_detections,windows,">
<rule id="92213" level="12" overwrite="yes">
<if_group>sysmon_event_11</if_group>
<field name="win.eventdata.targetFilename" type="pcre2">(?i)[c-z]:\\\\Users\\\\.+\\\\AppData\\\\Local\\\\Temp\\\\.+\.(exe|com|dll|vbs|js|bat|cmd|pif|wsh|ps1|msi|vbe)</field>
<options>no_full_log</options>
<description>Executable file dropped in folder commonly used by malware.(de L15 a L12)</description>
<mitre>
<id>T1105</id>
</mitre>
</rule>
</group>
After restart wazuh-manager I get the log warning. My question is, despite the alert in ossec.log, is the rule still being overwritten or is there something wrong?
German
Lucas Esteban Pedrosa
Sep 12, 2024, 1:02:28 PM9/12/24
to Wazuh | Mailing List
Hello, Germán
This is an interesting case to point out.
The rule is indeed being overwritten. What the warning means is that the contents ("value") of the mentioned filters will not be modified. This means that the original rule will have a new level, if you change it... and it can also have a new description and the fields you use as filters will also change according to the way you set them up, but any modifications you make to specific tags such as <if_group> are going to be ignored. If you modify them, the original value will be taken instead. If you add new ones, they will be ignored. If you remove one, the original one will still be placed.
So the correct practice when you overwrite a rule is to copy it from the original and change only the things you need to change and be aware that the changes cannot include modifications to the specifically mentioned tag lines.
Feel free to ask anything that may still produce doubts about this.
Regards,
Lucas
Lucas
German DiCasas
Sep 12, 2024, 4:55:34 PM9/12/24
to Wazuh | Mailing List
Lucas...thanks for clarifying this. I will ignore that log since work ok.
Regards,
German
Reply all
Reply to author
Forward
0 new messages