Ignoring all Wazuh rules for specific source IP addresses


Matt VanderWerf

May 21, 2020, 9:33:33 AM
to Wazuh mailing list, Steve Bogol
Hello,

I looked through the documentation and also searched in the mailing list archives and didn't see anything that touched on this, so thought I'd ask here.

Is it possible to add in overrides (or something else) that would ignore ALL rules that are triggered from certain source IP addresses (or other characteristics)? If it's not currently, is this something that would be possible to implement? I would be surprised if I'm the only one who has run into this particular use case.

Some background:
There are security vulnerability scans performed of all systems in our network spaces at least once a week. These scans obviously are going to trigger lots and lots of Wazuh's rules as the scans are intentionally looking for vulnerabilities. This causes A LOT of noise with tons of extra events and also quite a few e-mail alerts for rules above level 10 (how we currently have them configured). Since we know these are all false positives if they are coming from certain known source IP addresses, it would be preferred to be able to configure Wazuh to ignore these specific events with rule overrides.

Thanks in advance for your help.

--
Matt Vander Werf

José Fernández

May 21, 2020, 1:01:20 PM
to Wazuh mailing list
Hello Matt,

I suggest you define rules following the pattern below and ignore the alerts that you don't want in your system anymore:

  <rule id="100024" level="0">
    <if_sid>5716</if_sid>
    <srcip>X.X.X.X</srcip>
    <description>Ignore IP X.X.X.X alerts</description>
  </rule>

Note that the level is set to 0; this will prevent the alert from being triggered.

This rule silences the alert generated by this event:
Dec 10 01:02:02 host sshd[1234]: Failed none for root from X.X.X.X port 1066 ssh2

If you want something more complex you could use the <match> tag instead of <srcip> to search for specific expressions inside the events.

I hope it helps you; don't hesitate to ask us if you have any doubts.

Regards.

Matt VanderWerf

May 22, 2020, 11:05:16 AM
to José Fernández, Wazuh mailing list, Steve Bogol
Hello José,

Thank you for your response!

I was primarily looking to see if it was possible to do something like this but for ALL Wazuh rules, instead of just for specific known rules that are indicated in the override.

Everything I've seen is always for specific rules, but in this case we might not know the exact rules that will get triggered, or there are so many rules that might get triggered that adding in overrides for each of them would not be a very feasible task (if even possible).

Is this something that is possible? Or something that could be supported in a future Wazuh release? It would be *MUCH* easier for us if we were able to do this.

Or are we stuck with adding overrides for each rule that we find gets triggered (an endless endeavor, I presume)?

If the latter, are there parent rules that might cover a large number of the rules that we could use that might make it easier to cover all the Wazuh rules with fewer overrides?

Let me know if you need me to clarify anything here.

Thank you for your help!

--
Matt Vander Werf


--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/23da98e0-1e1d-4e60-9c11-7eb1e46e1f13%40googlegroups.com.

José Fernández

May 25, 2020, 11:08:06 AM
to Wazuh mailing list
Hello Matt,

There are various ways to achieve that:

1. Increase the alert level on the manager side in ossec.conf:

  <alerts>
    <log_alert_level>20</log_alert_level>
    <email_alert_level>20</email_alert_level>
  </alerts>

You won't receive any alert of level lower than 20; surely nothing will be triggered from any agent.

2. Another possible way is to move the unwanted rule files out of the ruleset folder /var/ossec/ruleset/rules. In this case only the files that remain in that folder will alert; the moved ones will never alert.

I invite you to open an issue with your specific requirements; we will be glad to discuss it with the team: https://github.com/wazuh/wazuh/issues.
I hope this helps you; don't hesitate to ask us if you have any doubts.

Regards.
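The two replies above describe two different mechanisms: a level-0 child rule that refines one parent rule for one source IP, and the manager-wide log_alert_level / email_alert_level thresholds. The following Python script is an added illustration of how those mechanisms interact; it is a constructed simulation written for this thread, not Wazuh's own decoder or analysis engine. Rule IDs 5716 and 100024 and the sshd log format come from the thread; rule 5710, the rule levels, the manager thresholds and the IP addresses (RFC 5737 documentation ranges) are assumptions. Like Wazuh's comma-separated <if_sid>, the simulated silencing rule can name several parent IDs at once, so one rule can cover a handful of known parents, but any parent it does not name still alerts from the scanner IP, which is the limitation raised in the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample events in the sshd format quoted in the reply (not real logs).
SCANNER_IP = "203.0.113.10"
SAMPLE_EVENTS = [
    f"Dec 10 01:02:02 host sshd[1234]: Failed none for root from {SCANNER_IP} port 1066 ssh2",
    "Dec 10 01:02:03 host sshd[1235]: Failed password for admin from 198.51.100.7 port 4022 ssh2",
    f"Dec 10 01:02:04 host sshd[1236]: Invalid user test from {SCANNER_IP} port 1077",
]

# Simplified decoders: extract the fields a child rule may test (user, srcip).
SSHD_FAILED = re.compile(r"sshd\[\d+\]: Failed \S+ for (?P<user>\S+) from (?P<srcip>\S+) port")
SSHD_INVALID = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<srcip>\S+)")


@dataclass(frozen=True)
class Rule:
    id: int
    level: int
    description: str
    regex: Optional[re.Pattern] = None   # parent rule: matches the raw log line
    if_sid: Tuple[int, ...] = ()         # child rule: fires only after one of these parents
    srcip: Optional[str] = None          # child rule: extra source-IP condition


# Assumed rule set: 5716/100024 mirror the thread; 5710 and the levels are illustrative.
RULES = [
    Rule(5716, 5, "sshd: authentication failed", regex=SSHD_FAILED),
    Rule(5710, 5, "sshd: attempt to login using a non-existent user", regex=SSHD_INVALID),
    Rule(100024, 0, f"Ignore IP {SCANNER_IP} alerts", if_sid=(5716,), srcip=SCANNER_IP),
]


def decode(line: str) -> dict:
    """Return the decoded fields of a line, or {} if no decoder applies."""
    for rx in (SSHD_FAILED, SSHD_INVALID):
        m = rx.search(line)
        if m:
            return m.groupdict()
    return {}


def evaluate(line: str, rules=RULES) -> Optional[Rule]:
    """Return the final matching rule after child overrides, or None if nothing matched."""
    fields = decode(line)
    matched = next((r for r in rules if r.regex is not None and r.regex.search(line)), None)
    if matched is None:
        return None
    # A child rule whose if_sid names the matched parent, and whose srcip (if any)
    # agrees with the event, replaces the parent; a level-0 child silences it.
    for rule in rules:
        if matched.id in rule.if_sid and (rule.srcip is None or fields.get("srcip") == rule.srcip):
            matched = rule
    return matched


def alert_actions(rule: Optional[Rule], log_alert_level: int = 3,
                  email_alert_level: int = 10) -> Tuple[bool, bool]:
    """Map a final rule to (logged, emailed) under the manager's thresholds.

    Level-0 rules never alert; otherwise the level is compared to each threshold.
    The default thresholds are assumed (log at 3, e-mail at 10, as in the thread).
    """
    if rule is None or rule.level == 0:
        return (False, False)
    return (rule.level >= log_alert_level, rule.level >= email_alert_level)


def summarize(events, **thresholds) -> dict:
    """Count logged and e-mailed alerts over a batch of events."""
    logged = emailed = 0
    for line in events:
        is_logged, is_emailed = alert_actions(evaluate(line), **thresholds)
        logged += is_logged
        emailed += is_emailed
    return {"logged": logged, "emailed": emailed}


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        rule = evaluate(line)
        print(rule.id, rule.level, alert_actions(rule), "<-", line)
    print("default thresholds:", summarize(SAMPLE_EVENTS))
    print("thresholds raised to 20:", summarize(SAMPLE_EVENTS, log_alert_level=20, email_alert_level=20))
```

Running it shows the scanner's failed-login event ending in rule 100024 (silenced), the same event from another address still logged as 5716, and the scanner's invalid-user event still logged as 5710 because the override names only parent 5716. Raising both thresholds to 20, as in the first suggestion, drops every alert from every source, including the legitimate one from 198.51.100.7.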

Matt VanderWerf

May 28, 2020, 9:09:21 AM
to José Fernández, Wazuh mailing list, Steve Bogol
Hello José,

Thanks again for your response!

Yes, I was hoping to not have to raise the limit for alerts so we can still get other valid alerts for rules higher than 10 (logged and e-mailed), just not from the specific known IP addresses of the security scanners.

Likewise with option #2, I don't think we'd want to ignore the triggered rules completely, but only for the specific known IP addresses of the security scanners. The triggered rules would otherwise be valid events from other source IP addresses. Also, that would likely mean ignoring a large percentage of the Wazuh rules that get triggered from the security scans, which would make Wazuh not very useful to use.

I will work on creating a GitHub issue soon for this.

In the meantime, I guess we'll just have to try and add overrides for the specific rules we find are getting triggered from the security scans, although this seems like an endless task and certainly not sustainable in the long run.

Regardless, thank you for your help.

--
Matt Vander Werf
HPC System Administrator
University of Notre Dame
Center for Research Computing - Union Station
506 W. South Street
South Bend, IN 46601
Phone: (574) 631-0692


