<if_sid> tag in Wazuh rules


Jayakrishnan P

Feb 19, 2023, 11:49:48 PM2/19/23
to Wazuh mailing list
Hi all,

I am a bit confused about the if_sid tag in Wazuh rules. I know it is used as a conditional statement. The rule with the if_sid tag will execute if the rule ID inside the if_sid tag is executed. My question is, what is the time limit for it? Let's take an example:

<rule id="10012" level="10">
  <if_sid>10010</if_sid>
  <description>Multiple login failure from suspicious IP</description>
</rule>

Here, rule 10012 will get fired if 10010 is fired first. But this has to have a time limit, right? Will 10012 get fired if 10010 was executed yesterday? I know there is another tag, if_matched_sid, where we can specify time and frequency, but how does if_sid work? I don't know whether I am thinking along the right path. It would be great if someone could help.

Thanks
Jayakrishnan

Abdullah Al Rafi Fahim

Feb 20, 2023, 1:02:50 AM2/20/23
to Wazuh mailing list
Hello Jayakrishnan,

Thank you for sharing your query with us!

if_sid is used as a requisite to trigger a rule only when a rule ID on the list has previously matched. To be more specific, when you configure rule 10012 with if_sid value 10010, rule 10012 will only be checked when the requisites of rule ID 10010 are satisfied. In this way, 10012 will work as a child rule of 10010.

Example:

<rule id="100110" level="5">
  <if_sid>100100, 100101</if_sid>
  <match>Error</match>
  <description>There is an error in the log.</description>
</rule>

The rule 100110 is triggered when either of the parent rules (100100, 100101) has matched and the logs contain the word "Error".

However, if you want to trigger a rule when an alert with the defined ID has been triggered a set number of times within a set number of seconds, you can use the if_matched_sid option together with frequency and timeframe.

You can learn more about all these rule syntaxes with relevant examples here: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html

I hope it helps. Please let us know if you have any further queries here.
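As an added illustration that is not part of the original reply or of the stock Wazuh ruleset, the following custom rule group puts the two mechanisms side by side: a level-0 parent rule, a child rule chained with if_sid, and a correlation rule chained with if_matched_sid. The rule IDs (taken from the custom range), the match strings and the sample log line are assumptions made for this example; frequency and timeframe are attributes of the <rule> element, and same_source_ip is the tag the default sshd rules use to restrict the count to one source address.

```xml
<!-- local_rules.xml fragment (example only, not from the Wazuh ruleset).
     Constructed sample event used for the walk-through below:
     Feb 20 01:02:03 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2 -->
<group name="local,authentication_failed,">

  <!-- Parent rule. Level 0 means it matches but never alerts on its own;
       it exists so that the two dependent rules below can hang off it. -->
  <rule id="100010" level="0">
    <program_name>sshd</program_name>
    <match>Failed password</match>
    <description>sshd: failed password (parent, no alert)</description>
  </rule>

  <!-- if_sid: evaluated only for the SAME event that rule 100010 just matched.
       There is no time window because nothing is remembered across events;
       parent match and child check happen on one log line. With the sample
       event above, 100010 matches, then this rule is checked and fires. -->
  <rule id="100011" level="5">
    <if_sid>100010</if_sid>
    <match>invalid user</match>
    <description>sshd: failed password for an invalid user</description>
  </rule>

  <!-- if_matched_sid: this is the stateful form. The manager keeps a memory
       of previous 100010 matches and fires this rule once enough of them
       (frequency) have been seen within timeframe seconds, here 120 s,
       all from the same source IP. A 100010 match from yesterday is outside
       the window and does not count. -->
  <rule id="100012" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100010</if_matched_sid>
    <same_source_ip />
    <description>sshd: repeated failed passwords from the same source IP</description>
  </rule>

</group>
```

Two practical caveats. First, check the documented semantics of the frequency attribute before relying on an exact hit count, since the threshold at which the rule actually fires is defined by the ruleset documentation rather than being literally the number of events. Second, on a live manager the built-in sshd rules also match the same events and Wazuh emits one alert per event, so a self-contained fragment like this is best exercised on the manager with wazuh-logtest and the sample line above before it is trusted in production.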

Jayakrishnan P

Feb 20, 2023, 1:10:34 AM2/20/23
to Wazuh mailing list
Thanks a lot, Abdullah

Abdullah Al Rafi Fahim

Feb 20, 2023, 1:33:04 AM2/20/23
to Wazuh mailing list
Hello Jayakrishnan,

You are always welcome to share your queries and issues regarding Wazuh with us!
