Hi,
Hope you are doing well today and thank you for using Wazuh.
We add the created CDB list to the manager ossec.conf so it is available for use in rules. The list is added to the manager by specifying the path to the list in the <ruleset> block. It is recommended to store the lists in /var/ossec/etc/lists, which is located on the wazuh-manager. Since Wazuh v3.11.0, CDB lists are built and loaded automatically when the analysis engine is started. Therefore, when adding or modifying CDB lists, just restart the manager. Once the list has been added to the configuration file, we proceed to create a custom rule in /var/ossec/etc/rules/local_rules.xml to generate alerts. So the CDB lists are located on the wazuh-manager, so that they can be used in Wazuh rules.
There is a workaround: you can add a label in agent.conf in the centralized configuration, such as:
- Use labels: It is possible to add labels to the agent's groups that will be applied to every alert triggered by those agents. To do that you can apply a centralized configuration to set up the label for each specific group.
Once that is done, you can verify the new alerts from those agents and confirm that the label is applied. You can also filter by the labels in the Wazuh dashboard.


- Use a specific field: If you have a specific field in the alert that is common to all the agents of a group, you can edit the rules to be triggered only when that field has the expected value. For example: if all the agent hostnames of the group "lab" start with "lab-" and you want to filter the rule 5701, you can create a child rule similar to this:
    <rule id="100002" level="8">
      <if_sid>5701</if_sid>
      <hostname type="PCRE2">lab-.+</hostname>
      <list field="srcip" lookup="address_match_key">etc/lists/List-two</list>
      <description>sshd: Possible attack on the ssh server </description>
      <description>(or version gathering). - Known agent</description>
    </rule>
This way the rule will only be triggered when the agent hostname starts with "lab-".
Hope this is helpful. Feel free to contact us for more information or issues.
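To see how the three conditions of the child rule above combine, here is an added Python simulation (not part of this reply or of Wazuh itself) that parses a constructed CDB list in key:value source format, applies an address_match_key-style lookup to the srcip field, and gates on the same PCRE2 hostname pattern. It assumes, for the lookup, that a list key may be either a single IP or a CIDR range; the list contents and alerts are constructed samples.

```python
import ipaddress
import re

# Constructed CDB list in Wazuh's key:value source format, one entry per line.
# Assumption: with lookup="address_match_key" a key may be a single IP or a CIDR range.
LIST_TWO = "10.0.5.20:jump-host\n192.168.40.0/24:lab-mgmt-net\n"
HOSTNAME_RE = re.compile(r"lab-.+")  # the PCRE2 pattern from the child rule

def load_cdb_keys(text):
    """Parse CDB source text into (network, value) pairs; blanks and # comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entries.append((ipaddress.ip_network(key.strip(), strict=False), value.strip()))
    return entries

def address_match_key(entries, srcip):
    """True when srcip falls inside any list key (exact IP or CIDR range)."""
    try:
        ip = ipaddress.ip_address(srcip)
    except ValueError:  # a missing or malformed srcip never matches the list
        return False
    return any(ip in net for net, _ in entries)

def child_rule_fires(alert, entries):
    """Simulate rule 100002: parent 5701 fired, hostname matches lab-.+, srcip is in the list."""
    return (alert.get("parent_sid") == 5701
            and HOSTNAME_RE.search(alert.get("hostname", "")) is not None
            and address_match_key(entries, alert.get("srcip", "")))

# Constructed sample alerts: hostname, source IP and the parent rule that fired.
SAMPLE_ALERTS = [
    {"hostname": "lab-web01", "srcip": "10.0.5.20", "parent_sid": 5701},
    {"hostname": "lab-db02", "srcip": "192.168.40.77", "parent_sid": 5701},
    {"hostname": "prod-web01", "srcip": "10.0.5.20", "parent_sid": 5701},
    {"hostname": "lab-web01", "srcip": "203.0.113.9", "parent_sid": 5701},
    {"hostname": "lab-web01", "srcip": "10.0.5.20", "parent_sid": 5702},
]

def evaluate(alerts=SAMPLE_ALERTS, list_text=LIST_TWO):
    """Load the list once and return, per alert, whether the child rule would fire."""
    entries = load_cdb_keys(list_text)
    return [child_rule_fires(a, entries) for a in alerts]

if __name__ == "__main__":
    for alert, fired in zip(SAMPLE_ALERTS, evaluate()):
        print(alert["hostname"], alert["srcip"], "->", "ALERT" if fired else "no match")
```

Only the first two sample alerts satisfy all three conditions; the others fail on the hostname, the list lookup, or the parent rule respectively.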