Not working correlation rule with argument frequency and timeframe
153 views
Skip to first unread message
Stuti Gupta
Mar 4, 2025, 5:34:39 AM3/4/25
to Wazuh | Mailing List
Hi Devsecof
The default rule 60122 is :
<rule id="60122" level="5">
<if_sid>60105</if_sid>
<field name="win.system.eventID">^529$|^4625$</field>
<description>Logon Failure - Unknown user or bad password</description>
<options>no_full_log</options>
<group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
However, when you overwrite the rule, you have replaced the if_sid with of_matched_sid.To maintain consistency across loaded rules, it is currently not possible to overwrite the if_sid, if_group, if_level, if_matched_sid, and if_matched_group labels. These tags are ignored when present in an overwrite rule, preserving the original values.
So instead of overwriting the rule, I will suggest to add a custom rule at /var/ossec/etc/rules/local_rules.xml
<rule id="1060122" level="3" frequency="3" timeframe="30">
<if_matched_sid>60105</if_matched_sid>
<field name="win.system.eventID">^529$|^4625$</field>
<description>Logon Failure - Unknown user or bad password</description>
<options>no_full_log</options>
<group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
To know more about the custom rules please refer to https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html
Let me know if you need any further assistance!
The default rule 60122 is :
<rule id="60122" level="5">
<if_sid>60105</if_sid>
<field name="win.system.eventID">^529$|^4625$</field>
<description>Logon Failure - Unknown user or bad password</description>
<options>no_full_log</options>
<group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
However, when you overwrite the rule, you have replaced the if_sid with of_matched_sid.To maintain consistency across loaded rules, it is currently not possible to overwrite the if_sid, if_group, if_level, if_matched_sid, and if_matched_group labels. These tags are ignored when present in an overwrite rule, preserving the original values.
So instead of overwriting the rule, I will suggest to add a custom rule at /var/ossec/etc/rules/local_rules.xml
<rule id="1060122" level="3" frequency="3" timeframe="30">
<if_matched_sid>60105</if_matched_sid>
<field name="win.system.eventID">^529$|^4625$</field>
<description>Logon Failure - Unknown user or bad password</description>
<options>no_full_log</options>
<group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
To know more about the custom rules please refer to https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html
Let me know if you need any further assistance!
WiFi
Mar 4, 2025, 8:00:51 AM3/4/25
to Wazuh | Mailing List
Thanks, but i have a problem...
If im copy your rule i have syntax error.
Im attached screen where im in local_rules
Text error:
Error: Could not upload rule (1113) - XML syntax error at WzRequest.returnErrorInstance (https://10.0.220.39/49201/bundles/plugin/wazuh/wazuh.plugin.js:1:250522) at WzRequest.apiReq (https://10.0.220.39/49201/bundles/plugin/wazuh/wazuh.plugin.js:1:249664) at async resources_handler_ResourcesHandler.updateFile (https://10.0.220.39/49201/bundles/plugin/wazuh/wazuh.chunk.3.js:1:2367836) at async file_editor_WzFileEditor.save (https://10.0.220.39/49201/bundles/plugin/wazuh/wazuh.chunk.3.js:1:2437333)
If im copy your rule i have syntax error.
Im attached screen where im in local_rules
Text error:
Error: Could not upload rule (1113) - XML syntax error at WzRequest.returnErrorInstance (https://10.0.220.39/49201/bundles/plugin/wazuh/wazuh.plugin.js:1:250522) at WzRequest.apiReq (https://10.0.220.39/49201/bundles/plugin/wazuh/wazuh.plugin.js:1:249664) at async resources_handler_ResourcesHandler.updateFile (https://10.0.220.39/49201/bundles/plugin/wazuh/wazuh.chunk.3.js:1:2367836) at async file_editor_WzFileEditor.save (https://10.0.220.39/49201/bundles/plugin/wazuh/wazuh.chunk.3.js:1:2437333)
вторник, 4 марта 2025 г. в 13:34:39 UTC+3, Stuti Gupta:
Stuti Gupta
Mar 13, 2025, 1:30:26 AM3/13/25
to Wazuh | Mailing List
Hi Devsecof,
Can you share your file in text format so I can review it and let you know why you're facing this error?
Looking forward to your response
Reply all
Reply to author
Forward
0 new messages