"if_matched_sid" works perfectly, whereas "if_matched_group doesn't


Alaa Junaid

Nov 16, 2022, 7:07:22 AM
to Wazuh mailing list
Hello everyone!

I'm using the latest version of the Wazuh virtual appliance (OVA) (4.3.9).

I created a correlation rule that triggers an alert after three failed logins by the same user within one minute.

"if_matched_sid" works perfectly for the mentioned case. For example, after three failed logins to the Wazuh server (rule id: 5760), the needed alert is triggered, as displayed in the following snapshot: if_matched_sid.PNG
Unfortunately, when I replace "if_matched_sid" with "if_matched_group", the needed alert doesn't work :( as displayed in the following snapshot:
if_matched_group.PNG


Waiting for your kind help.

Regards,

Gustavo Choquevilca

Nov 16, 2022, 7:56:49 AM
to Wazuh mailing list
Hello, thanks for using Wazuh,

I will investigate this question and come back with an answer.

Regards,
Gustavo.

Gustavo Choquevilca

Nov 16, 2022, 2:16:57 PM
to Wazuh mailing list
Do you have the authentication_failure group defined?
If so, you can share this configuration.
Here is an example of this configuration.

Regards,
Gustavo.

Alaa Junaid

Nov 17, 2022, 1:47:25 AM
to Wazuh mailing list
Thanks for your reply.

Yes dear, I use the built-in rule "5760", which belongs to the "authentication_failed" group, as illustrated:
Rule 5760.PNG


Also, the correlated rule has the authentication_failure group defined, as illustrated:

if_matched_group1.PNG


Best Regards,

Gustavo Choquevilca

Nov 17, 2022, 4:31:09 PM
to Wazuh mailing list
Perhaps the problem is that the definition of the rule is incomplete, so add the following field and verify: <same_source_ip />

<rule id="117013" level="10" frequency="3" timeframe="60">
  <if_matched_group>authentication_failed</if_matched_group>
  <description>Multiple authentication failures.</description>
  <same_source_ip />
  ...
</rule>

I hope this can solve your problem, regards.
Gustavo.

Alaa Junaid

Nov 20, 2022, 3:24:02 AM
to Wazuh mailing list
Dear Gustavo,

I've already used <same_user/> as illustrated in the above snapshot. It works perfectly with "if_matched_sid", unlike "if_matched_group".

Regards,

Alaa Junaid

Nov 28, 2022, 4:20:47 AM
to Wazuh mailing list
Any good news, dear?

Regards,

tmz

Dec 10, 2022, 10:51:56 AM
to Wazuh mailing list

I’m also using the latest version of Wazuh (manager and agent) and “if_matched_group” is not working. Any news about this?

But in my case "if_matched_sid" is not working either. In local_rules.xml I only have this rule (besides the example rule 00001, which has been there from the beginning):

<group name="">
  <rule id="100002" level="12" frequency="5" timeframe="60">
    <if_matched_sid>554</if_matched_sid>
    <same_source_ip />
    <description>A lot of files created and/or deleted in short period of time</description>
    <group>syscheck_entry_added,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,$
  </rule>
</group>

In the security events for my monitored host I only get events with rule.id 554 (and there are more than 5 in 60 seconds), but I don't get an event for rule.id 100002:

554_events.jpg


Does anyone have any idea why it’s not working?

Regards.
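To make the mechanics discussed in this thread concrete (Gustavo's frequency/timeframe rule with if_matched_group and same_source_ip, Alaa's same_user variant, and tmz's syscheck rule), here is an added Python model of how a composite rule is evaluated. It is illustration written for this page, not Wazuh's analysisd code, and it rests on three assumptions: a parent alert matches by exact rule id (if_matched_sid) or by the group name appearing in the parent rule's group list (if_matched_group); a same_source_ip or same_user condition can only count alerts that actually carry that field, so a syscheck alert such as rule 554, which has no source IP, never accumulates; and the rule fires once `frequency` matching alerts fall inside `timeframe` seconds, which simplifies Wazuh's real counting. Rule ids 117014 and 117015, the timestamps, usernames, IPs and group lists are constructed for the demo; 5760, 554, 117013 and 100002 are the ids from the thread.

```python
"""Toy model of Wazuh-style composite (frequency/timeframe) rules.

Constructed illustration, not Wazuh code.  Assumptions: parent matched by
rule id or group membership; same_* options need the field on the alert;
rule fires when `frequency` alerts for one key fall within `timeframe`.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    ts: int                       # seconds since epoch (constructed)
    rule_id: int
    groups: FrozenSet[str]        # groups of the rule that produced the alert
    srcip: Optional[str] = None   # absent on e.g. syscheck alerts
    dstuser: Optional[str] = None


@dataclass(frozen=True)
class CompositeRule:
    rule_id: int
    frequency: int
    timeframe: int
    if_matched_sid: Optional[int] = None
    if_matched_group: Optional[str] = None
    same_source_ip: bool = False
    same_user: bool = False

    def parent_matches(self, alert: Alert) -> bool:
        """Does this alert count as a parent event for the composite rule?"""
        if self.if_matched_sid is not None:
            return alert.rule_id == self.if_matched_sid
        if self.if_matched_group is not None:
            return self.if_matched_group in alert.groups   # exact group name
        return False

    def key(self, alert: Alert) -> Optional[Tuple[str, ...]]:
        """Grouping key for same_*; None means the alert cannot be counted."""
        parts: List[str] = []
        if self.same_source_ip:
            if alert.srcip is None:
                return None
            parts.append("srcip=" + alert.srcip)
        if self.same_user:
            if alert.dstuser is None:
                return None
            parts.append("dstuser=" + alert.dstuser)
        return tuple(parts)


class Correlator:
    def __init__(self, rules: List[CompositeRule]) -> None:
        self.rules = rules
        # (composite rule id, key) -> timestamps of counted parent alerts
        self.windows: Dict[Tuple[int, Tuple[str, ...]], Deque[int]] = defaultdict(deque)

    def feed(self, alert: Alert) -> List[int]:
        """Return the ids of composite rules that fire on this alert."""
        fired: List[int] = []
        for rule in self.rules:
            if not rule.parent_matches(alert):
                continue
            key = rule.key(alert)
            if key is None:
                continue
            window = self.windows[(rule.rule_id, key)]
            window.append(alert.ts)
            while window and alert.ts - window[0] > rule.timeframe:
                window.popleft()            # expire events outside the timeframe
            if len(window) >= rule.frequency:
                fired.append(rule.rule_id)
                window.clear()              # start a fresh window after firing
        return fired


def run_demo() -> Dict[int, List[int]]:
    """Replay constructed alerts; map alert index -> composite rules fired."""
    rules = [
        CompositeRule(117013, 3, 60, if_matched_sid=5760, same_user=True),
        CompositeRule(117014, 3, 60, if_matched_group="authentication_failed", same_user=True),
        # hypothetical: group name that no parent alert carries (note the spelling)
        CompositeRule(117015, 3, 60, if_matched_group="authentication_failure", same_user=True),
        CompositeRule(100002, 5, 60, if_matched_sid=554, same_source_ip=True),
    ]
    sshd = frozenset({"syslog", "sshd", "authentication_failed"})          # constructed
    syscheck = frozenset({"syscheck", "syscheck_entry_added", "syscheck_file"})
    alerts = [
        Alert(1000, 5760, sshd, srcip="192.0.2.10", dstuser="alaa"),
        Alert(1010, 5760, sshd, srcip="192.0.2.10", dstuser="alaa"),
        Alert(1020, 5760, sshd, srcip="192.0.2.10", dstuser="bob"),   # other user: separate window
        Alert(1030, 5760, sshd, srcip="192.0.2.10", dstuser="alaa"),  # third for alaa -> fires
    ] + [Alert(2000 + 5 * i, 554, syscheck) for i in range(6)]         # no srcip: never counted
    corr = Correlator(rules)
    fired: Dict[int, List[int]] = {}
    for i, alert in enumerate(alerts):
        hits = corr.feed(alert)
        if hits:
            fired[i] = hits
    return fired


if __name__ == "__main__":
    print(run_demo())   # {3: [117013, 117014]}
```

Replaying the constructed alerts, only the fourth sshd alert fires, and it fires both the if_matched_sid and the if_matched_group variant. The variant naming authentication_failure never fires because no parent alert carries that group, and the syscheck rule keyed on same_source_ip never accumulates anything because its parent alerts have no source IP. When a composite rule stays silent, those two points, the exact group name in the parent rule's group list and whether the same_* field exists on the parent alert, are the first things to compare against the variant that does work.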

Abed Ahmad Alzaben

Mar 19, 2023, 9:57:49 AM
to Wazuh mailing list
Still no updates on this?