Static field custom rule issue


Dharmil Jariwala

Jun 12, 2024, 10:04:11 AM
to Wazuh | Mailing List
I'm trying to create a custom rule based on rule id 5402. What I want is that if a certain user (decoded as "srcuser") triggers this rule, then it should be ignored.
For example:

I want to ignore a user named "dharmil" so I created a custom rule as below:
<group name="syslog, sudo">
  <rule id="100001" level="3">
    <if_sid>5402</if_sid>
    <field name="srcuser">dharmil</field>
    <description>Ignore: successful sudo to ROOT executed.</description>
  </rule>
</group>

The above alert is just for reference; I want to ignore multiple users, but it's not even letting me save a single user, and while saving it's throwing an alert saying "srcuser" is a static field.

Please help me apply this custom rule.

Thank you.


Christian Borla

Jun 12, 2024, 10:20:58 AM
to Wazuh | Mailing List
Hi!
I hope you are well!
Your custom rule looks good. The problem is that srcuser is a static field (documentation link), which means `field name` is not necessary.
 
try with:


<group name="syslog, sudo">
  <rule id="100001" level="3">
    <if_sid>5402</if_sid>
    <srcuser>dharmil</srcuser>
    <description>Ignore: successful sudo to ROOT executed.</description>
  </rule>
</group>

Let me know if that works.
Regards.

Dharmil Jariwala

Jun 13, 2024, 3:03:13 AM
to Wazuh | Mailing List

I have tried the changes you suggested, but I'm still getting the error. For your reference, I'm attaching an error and rule photo within this email.

IMG_20240613_122524.jpg
IMG_20240613_122253.jpg

Christian Borla

Jun 13, 2024, 2:27:37 PM
to Wazuh | Mailing List
Hi Dharmil,
Yes, you are right!
There is an open issue with the srcuser field case (link).

You can modify the default decoder to capture that field as src_user.

Example

The decoder is in the file /var/ossec/ruleset/decoders/0320-sudo_decoders.xml

Original

<decoder name="sudo-fields">
  <parent>sudo</parent>
  <prematch>\s</prematch>
  <regex>^\s*(\S+)\s*:</regex>
  <order>srcuser</order>
  <fts>name,srcuser,location</fts>
  <ftscomment>First time user executed the sudo command</ftscomment>
</decoder>

New

<decoder name="sudo-fields">
  <parent>sudo</parent>
  <prematch>\s</prematch>
  <regex>^\s*(\S+)\s*:</regex>
  <order>src_user</order>
  <fts>name,src_user,location</fts>
  <ftscomment>First time user executed the sudo command</ftscomment>
</decoder>


Then update your rule


<group name="syslog, sudo">
  <rule id="100001" level="3">
    <if_sid>5402</if_sid>
    <field name="src_user">dharmil</field>
    <description>Ignore: successful sudo to ROOT executed.</description>
  </rule>
</group>

Be careful, the default decoder files are updated with each manager update.
Let me know if that works.
Regards.
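The same workaround extended to several users, as an added example that is not part of the thread. It assumes the decoder change above is in place (the dynamic field is named src_user) and that the rule is placed in /var/ossec/etc/rules/local_rules.xml rather than in a ruleset file that a manager update would overwrite; the user names are constructed placeholders.

```xml
<!-- Added example: silence rule 5402 for a list of sudo users (not from the thread).
     Assumes the sudo-fields decoder now emits src_user as a dynamic field. -->
<group name="syslog, sudo,">
  <rule id="100001" level="0">
    <if_sid>5402</if_sid>
    <!-- OS_Regex: anchored alternatives so "dharmil" does not also match "dharmil2" -->
    <field name="src_user">^dharmil$|^alice$|^deploybot$</field>
    <description>Ignore: successful sudo to ROOT by an allow-listed user.</description>
  </rule>
</group>
```

Level 0 means no alert is generated at all, whereas the level 3 rule in the thread still produces an alert at level 3. After restarting the manager, a sample sudo line can be fed to /var/ossec/bin/wazuh-logtest to confirm that src_user is decoded and that rule 100001 fires instead of 5402.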