Co-relation Rules creation


TUKARAM GAONKAR

Jul 30, 2021, 3:40:52 AM
to Wazuh mailing list
Hi Team,

I want to create an alert when the same source IP generates 200 events in 5 min with more than 20 different destination ports.

I have created the below rule for a port scan, but I am stuck on the condition of "more than 20 different dst ports". Please help me to create this rule.


<rule id="822027" level="13" frequency="50" timeframe="200" ignore="300">
        <if_matched_sid>222000</if_matched_sid>
        <same_source_ip />
        <description>Network scanning activity Detected</description>
</rule>

Warm Regards,
Tukaram

TUKARAM GAONKAR

Aug 2, 2021, 8:22:49 AM
to Wazuh mailing list

Dear Team,

Any update on this?

Warm Regards,
Tukaram

Christian Borla

Aug 2, 2021, 11:09:28 AM
to Wazuh mailing list
Hi Tukaram.
I hope you are doing well!

There is an option called <different_dstip /> to cover that case, but it's not possible to control 20 different IPs in a range of 50 requests. Maybe you can do something like:

<rule id="822027" level="13" frequency="20" timeframe="300" ignore="10">
        <if_matched_sid>222000</if_matched_sid>
        <same_source_ip />
        <different_dstip />
        <description>Network scanning activity Detected</description>
</rule>

The above rule will trigger when it finds 20 commands (frequency="20") with the same source IP (<same_source_ip />) and a different destination IP (<different_dstip />) in a range of 5 minutes (timeframe="300"), and after triggering it will ignore the next 10 seconds of commands (ignore="10") to avoid false positive cases.

It will depend on rule 222000, which looks like another custom rule, so I can't confirm that it will work. If rule 222000 has some frequency dependency, the new rule 822027's frequency will depend on it.

It's recommended to review the custom rule IDs:
   The <id> of custom rules will be in the range from 100000 to 120000.


Link to <different_dstip />


Let me know how it goes.
Regards.
Christian.
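As an added illustration (not part of the thread, and not Wazuh code), the following Python models the correlation Tukaram asked for: a sliding window per source IP that fires only when both the event count and the number of distinct destination ports are reached, with an ignore period after firing. The event tuples, IPs and ports are constructed sample data, and the constructed stream includes a busy client hitting a single port to show why a frequency-only rule over-alerts.

```python
from collections import defaultdict, deque


class PortScanCorrelator:
    """Sliding-window correlation keyed on source IP, modelling the asker's
    requirement: `frequency` events from one source within `timeframe`
    seconds that touch at least `min_ports` distinct destination ports.
    After an alert the source is ignored for `ignore` seconds (like ignore=)."""

    def __init__(self, frequency=200, timeframe=300, min_ports=20, ignore=300):
        self.frequency, self.timeframe = frequency, timeframe
        self.min_ports, self.ignore = min_ports, ignore
        self.windows = defaultdict(deque)  # src_ip -> deque of (ts, dst_port)
        self.suppressed_until = {}         # src_ip -> timestamp when alerts resume

    def feed(self, ts, src_ip, dst_port):
        """Process one event; return an alert dict if it completes the pattern."""
        if ts < self.suppressed_until.get(src_ip, float("-inf")):
            return None                    # still inside the ignore period
        win = self.windows[src_ip]
        win.append((ts, dst_port))
        while ts - win[0][0] > self.timeframe:  # expire events outside the window
            win.popleft()
        ports = {port for _, port in win}
        if len(win) < self.frequency or len(ports) < self.min_ports:
            return None
        alert = {"src_ip": src_ip, "events": len(win), "distinct_ports": len(ports), "ts": ts}
        win.clear()                        # start counting afresh after firing
        self.suppressed_until[src_ip] = ts + self.ignore
        return alert


def run_correlator(events, **params):
    """Replay a time-ordered event stream and collect the alerts it produces."""
    corr = PortScanCorrelator(**params)
    return [a for a in (corr.feed(*e) for e in events) if a]


def constructed_events():
    """Constructed sample stream (not captured traffic): 10.0.0.5 probes 25 ports,
    8 times each, over about 4 minutes; 10.0.0.7 sends the same number of events
    to port 443 alone, the busy-client case a plain frequency rule would flag."""
    scan = [(i * 1.2, "10.0.0.5", 1000 + i % 25) for i in range(200)]
    busy = [(i * 1.2, "10.0.0.7", 443) for i in range(200)]
    return sorted(scan + busy)


if __name__ == "__main__":
    for alert in run_correlator(constructed_events()):
        print(alert)
```

Run as a script it prints one alert for 10.0.0.5 and none for 10.0.0.7; lowering `min_ports` to 1 makes the busy client alert as well, which is the over-alerting the distinct-port condition is meant to avoid.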