Custom Rule Not Working

521 views

Khul Sat

Sep 5, 2023, 6:35:39 AM9/5/23
to Wazuh | Mailing List

Hello Team,

I was trying to extend the default sshd rule with the following ruleset:

<group name="syslog,sshd,">
  <rule id="5700" level="0" noalert="1">
    <decoded_as>sshd</decoded_as>
    <description>SSHD messages grouped.</description>
  </rule>
  <rule id="100010" level="1" noalert="1">
    <if_sid>5700</if_sid>
    <!-- <srcip>192.168.100.100</srcip>  tried with this as well -->
    <match>Did not receive identification string from 192.168.100.100</match>
    <description>sshd: insecure connection attempt (scan) from Scanner</description>
    <mitre>
      <id>T1021.004</id>
    </mitre>
    <group>gdpr_IV_35.7.d,gpg13_4.12,nist_800_53_SI.4,pci_dss_11.4,recon,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

The motive was to suppress the alerts generated by rule id 5706 where srcip is 192.168.100.100. I have two more IPs for which the same rule is created, but it looks like only this one is not working.

Sample Log:

Sep 5 01:37:50 agent-1 sshd[160547]: Did not receive identification string from 172.30.58.14 port 40930

Can someone please help in this?

Regards, KS

Ian Yenien Serrano

Sep 5, 2023, 8:00:51 AM9/5/23
to Wazuh | Mailing List
Hi Khul Sat, I will be looking for information on how to help you; as soon as I get something I will let you know.

Ian Yenien Serrano

Sep 5, 2023, 8:12:23 AM9/5/23
to Wazuh | Mailing List
Does the rule work only for the one you mention and not for the other 2? Or does it not work only for the one you mention?

Khul Sat

Sep 5, 2023, 9:29:15 AM9/5/23
to Wazuh | Mailing List

Hello Ian,
Apparently wazuh-logtest has started giving the following warnings:

**Messages:
WARNING: (7611): Category was not found. Invalid 'category'. Rule '5700' will be ignored.
WARNING: (7617): Signature ID '5700' was not found and will be ignored in the 'if_sid' option of rule '100010'.
WARNING: (7619): Empty 'if_sid' value. Rule '100010' will be ignored.
WARNING: (7617): Signature ID '5700' was not found and will be ignored in the 'if_sid' option of rule '100011'.
WARNING: (7619): Empty 'if_sid' value. Rule '100011' will be ignored.
WARNING: (7617): Signature ID '5700' was not found and will be ignored in the 'if_sid' option of rule '100012'.
WARNING: (7619): Empty 'if_sid' value. Rule '100012' will be ignored.

Your help is appreciated!

Regards, KS

Ian Yenien Serrano

Sep 5, 2023, 10:15:56 AM9/5/23
to Wazuh | Mailing List
I have it in mind; could you answer what I asked you before?

Ian Yenien Serrano

Sep 5, 2023, 10:19:44 AM9/5/23
to Wazuh | Mailing List
But apparently it is not finding the rule with id 5700.

Khul Sat

Sep 5, 2023, 11:57:37 PM9/5/23
to Wazuh | Mailing List

Greetings!

I checked the other 2 IPs under Discover but could not see any alert there. However, if I use wazuh-logtest, it says **Alert to be generated.
About rule id 5700, it is present under the default rules. Here are the details:

[root@mgr-1 ~]# grep 'rule id="5700"' -A4 -B4 /var/ossec/ruleset/rules/0095-sshd_rules.xml
  -->
<group name="syslog,sshd,">
  <rule id="5700" level="0" noalert="1">
    <decoded_as>sshd</decoded_as>
    <description>SSHD messages grouped.</description>
  </rule>
[root@mgr-1 ~]#
. . . <truncated> . . .
[root@mgr-1 ~]# grep 5706 -A8 /var/ossec/ruleset/rules/0095-sshd_rules.xml
  <rule id="5706" level="6">
    <if_sid>5700</if_sid>
    <match>Did not receive identification string from</match>
    <description>sshd: insecure connection attempt (scan).</description>
    <mitre>
      <id>T1021.004</id>
    </mitre>
    <group>gdpr_IV_35.7.d,gpg13_4.12,nist_800_53_SI.4,pci_dss_11.4,recon,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
[root@mgr-1 ~]#

Hope this answers!

Thanks, KS


Khul Sat

Sep 6, 2023, 12:21:49 AM9/6/23
to Wazuh | Mailing List

Hello Ian,

I was loading the custom rules before /var/ossec/ruleset/rules/0095-sshd_rules.xml and hence it was not able to find rule id 5700 (hope my understanding is correct). I changed the file name of the custom rules and the warning message disappeared.
Though the default rule is still getting triggered:

**Phase 3: Completed filtering (rules).
	id: '5706'
	level: '6'
	description: 'sshd: insecure connection attempt (scan).'
	groups: '['syslog', 'sshd', 'recon']'
	firedtimes: '1'
	gdpr: '['IV_35.7.d']'
	gpg13: '['4.12']'
	mail: 'False'
	mitre.id: '['T1021.004']'
	mitre.tactic: '['Lateral Movement']'
	mitre.technique: '['SSH']'
	nist_800_53: '['SI.4']'
	pci_dss: '['11.4']'
	tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.

Thanks,

Ian Yenien Serrano

Sep 6, 2023, 3:25:10 AM9/6/23
to Wazuh | Mailing List

I understand. I am sharing with you the documentation on creating a custom rule from an existing rule so you know how to do it; I don't know if you have already seen it. Regarding seeing alerts for only 1 IP, it may be because you have written that 1 IP in the match.

https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#changing-an-existing-rule

Khul Sat

Sep 6, 2023, 5:01:57 AM9/6/23
to Wazuh | Mailing List

Hello Ian,

I tried modifying the existing rule as well, but that did not work. I have 3 IPs which are to be whitelisted, but that's not working.
This is the updated rule, which now gives the earlier warnings:

** Wazuh-Logtest: WARNING: (7611): Category was not found. Invalid 'category'. Rule '5700' will be ignored.
** Wazuh-Logtest: WARNING: (7617): Signature ID '5700' was not found and will be ignored in the 'if_sid' option of rule '5706'.
** Wazuh-Logtest: WARNING: (7619): Empty 'if_sid' value. Rule '5706' will be ignored.

Updated Rule:

<group name="syslog,sshd,">
  <rule id="5700" level="0" noalert="1">
    <decoded_as>sshd</decoded_as>
    <description>SSHD messages grouped.</description>
  </rule>
  <rule id="5706" level="6" overwrite="yes">
    <if_sid>5700</if_sid>
    <srcip>!192.168.100.100</srcip>
    <match>Did not receive identification string from</match>
    <description>sshd: insecure connection attempt (scan).</description>
    <mitre>
      <id>T1021.004</id>
    </mitre>
    <group>gdpr_IV_35.7.d,gpg13_4.12,nist_800_53_SI.4,pci_dss_11.4,recon,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

I am confused, why this is not working! :(

Ian Yenien Serrano

Sep 6, 2023, 6:16:58 AM9/6/23
to Wazuh | Mailing List
One question: in the file /var/ossec/etc/rules/local_rules.xml where you copied the rule you want to modify, as the documentation says, did you copy only the rule to modify, or did you also copy 5700?
If so, copy only the rule you are going to modify.

On the other hand, for the negation you can also try what they say in this issue, which is to do it with the option negate="yes".

https://github.com/wazuh/wazuh/issues/16675#issuecomment-1503784230

Khul Sat

Sep 7, 2023, 6:53:15 AM9/7/23
to Wazuh | Mailing List

Thanks a lot!
This makes sense. It was working when I was on 4.3.10; since I upgraded to 4.4.4, this has been observed. negate="yes" worked for me. I added 3 lines with different IPs.

:)
Regards, KS

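For reference, the shape of the override the thread converges on, written out as an added example (it is not code from the original posts or from the Wazuh project): a local_rules.xml that copies only rule 5706 from 0095-sshd_rules.xml, leaves the parent rule 5700 alone so it keeps resolving from the default ruleset, and excludes the scanner addresses with negate="yes" instead of the "!" prefix that stopped working after the 4.4 upgrade. Only 192.168.100.100 appears in the thread; the other two addresses are placeholders standing in for the poster's remaining two IPs.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml  (added example, not from the thread) -->
<group name="syslog,sshd,">

  <!-- Do NOT redefine rule 5700 here. A second copy of 5700 in a custom file is what
       produced "Rule '5700' will be ignored" / "Signature ID '5700' was not found"
       in wazuh-logtest above; 5706 just needs if_sid to point at the default 5700. -->

  <rule id="5706" level="6" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>Did not receive identification string from</match>

    <!-- negate="yes" replaces the older "!IP" syntax (Wazuh 4.4+). With several srcip
         entries the overridden rule only fires when the source is none of them, which is
         the behaviour the poster reports after adding three such lines. -->
    <srcip negate="yes">192.168.100.100</srcip>
    <srcip negate="yes">192.168.100.101</srcip>   <!-- placeholder for the 2nd scanner IP -->
    <srcip negate="yes">192.168.100.102</srcip>   <!-- placeholder for the 3rd scanner IP -->

    <description>sshd: insecure connection attempt (scan).</description>
    <mitre>
      <id>T1021.004</id>
    </mitre>
    <group>gdpr_IV_35.7.d,gpg13_4.12,nist_800_53_SI.4,pci_dss_11.4,recon,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

</group>
```

To check it, restart the manager (systemctl restart wazuh-manager) and paste the sample log line into /var/ossec/bin/wazuh-logtest twice: once with one of the excluded addresses, which should stop at the level-0, noalert rule 5700 with no "Alert to be generated", and once with an unrelated address such as the 172.30.58.14 from the sample log, which should still fire 5706 at level 6. Keep in mind what the override does: identification-string probes from the listed hosts become invisible in alerts, so keep the list to the known scanner addresses and record why each one is there.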