Negate | Not Operator | Rules
842 views
Skip to first unread message
John Carry
Jan 26, 2023, 10:23:49 AM1/26/23
to Wazuh mailing list
Hello Wazuh Team,
Is it possible to use Negate | Not | ! operator inside the field part of the rule?, basically I want to generate an alert when the logon-type is not equal to 3 so that I can capture all the alerts with the Logon-Type field other than 3.
Regards,
John
Lucas Pascual
Jan 26, 2023, 11:19:46 AM1/26/23
to Wazuh mailing list
Hello John!.
In this case, you can use
<field name="logon-type" negate=yes>3</field>
Reference:
In this case, you can use
<field name="logon-type" negate=yes>3</field>
Reference:
Please let us know if it worked as intended!
Regards.
Regards.
Pablo Bolivar Bustamante
Aug 22, 2024, 6:35:40 PM8/22/24
to Wazuh | Mailing List
Hello everyone
I have tried to use the field next to the “negate” on the following rule but apparently it does not work correctly, as the rule is completely disabled.
The version of wazuh I'm using is 4.7.0
I would like to know if I am doing something wrong, I have tried it two ways with no successful results.
Thanks for your help.
I have tried to use the field next to the “negate” on the following rule but apparently it does not work correctly, as the rule is completely disabled.
The version of wazuh I'm using is 4.7.0
I would like to know if I am doing something wrong, I have tried it two ways with no successful results.
Thanks for your help.
Test1
<rule id="31516" level="7" overwrite="yes">
<if_sid>31100</if_sid>
<url>.swp$|.bak$|/.htaccess|/server-status|/.ssh|/.history|/wallet.dat</url>
<field name="data.url" negate="yes">^test$</field>
<description>Suspicious URL access.</description>
<mitre>
<id>T1055</id>
</mitre>
<group>pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
<rule id="31516" level="7" overwrite="yes">
<if_sid>31100</if_sid>
<url>.swp$|.bak$|/.htaccess|/server-status|/.ssh|/.history|/wallet.dat</url>
<field name="data.url" negate="yes">^test$</field>
<description>Suspicious URL access.</description>
<mitre>
<id>T1055</id>
</mitre>
<group>pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
Test2
<rule id="31516" level="7" overwrite="yes">
<if_sid>31100</if_sid>
<url>.swp$|.bak$|/.htaccess|/server-status|/.ssh|/.history|/wallet.dat</url>
<field name="data.url" negate="yes">test</field>
<description>Suspicious URL access.</description>
<mitre>
<id>T1055</id>
</mitre>
<group>pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
<if_sid>31100</if_sid>
<url>.swp$|.bak$|/.htaccess|/server-status|/.ssh|/.history|/wallet.dat</url>
<field name="data.url" negate="yes">test</field>
<description>Suspicious URL access.</description>
<mitre>
<id>T1055</id>
</mitre>
<group>pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
Reply all
Reply to author
Forward
0 new messages