Wazuh Rule Syntax
258 views
Skip to first unread message
Tom Powers
Aug 3, 2022, 2:10:58 PM8/3/22
to Wazuh mailing list
Hello,
So I'm tracking event 4688 (process starts) in Wazuh and I'm looking to create a rule that looks at the event and escalates the event to level 13 based on matching a regex against the command line.
The example of a command would be
java.exe -enc dselwqbrrr43jh5n342lkrjf32k4ljn5kl43j523oybu2b34uweyfcws8cd7ewhcw8e7hcn34nj5ri3j29weuinc9n9w8eunc9ewn9c8wdselwqbrrr43jh5n342lkrjf32k4ljn5kl43j523oybu2b34uweyfcws8cd7ewhcw8e7hcn34nj5ri3j29weuinc9n9w8eunc9ewn9c8wdselwqbrrr43jh5n342lkrjf32k4ljn5kl43j523oybu2b34uweyfcws8cd7ewhcw8e7hcn34nj5ri3j29weuinc9n9w8eunc9ewn9c8wdselwqbrrr43jh5n342lkrjf32k4ljn5kl43j523oybu2b34uweyfcws8cd7ewhcw8e7hcn34nj5ri3j29weuinc9n9w8eunc9ewn9c8wdselwqbrrr43jh5n342lkrjf32k4ljn5kl43j523oybu2b34uweyfcws8cd7ewhcw8e7hcn34nj5ri3j29weuinc9n9w8eunc9ewn9c8wdselwqbrrr43jh5n342lkrjf32k4ljn5kl43j523oybu2b34uweyfcws8cd7ewhcw8e7hcn34nj5ri3j29weuinc9n9w8eunc9ewn9c8wdselwqbrrr43jh5n342lkrjf32k4ljn5kl43j523oybu2b34uweyfcws8cd7ewhcw8e7hcn34nj5ri3j29weuinc9n9w8eunc9ewn9c8wdselwqbrrr43jh5n342lkrjf32k4ljn5kl43j523oybu2b34uweyfcws8cd7ewhcw8e7hcn34nj5ri3j29weuinc9n9w8eunc9ewn9c8wdselwqbrrr43jh5n342lkrjf32k4ljn5kl43j523oybu2b34uweyfcws8cd7ewhcw8e7hcn34nj5ri3j29weuinc9n9w8eunc9ewn9c8wdselwqbrrr43jh5n342lkrjf32k4ljn5kl43j523oybu2b34uweyfcws8cd7ewhcw8e7hcn34nj5ri3j29weuinc9n9w8eunc9ewn9c8w
In powershell, the regex to dig this out would be [a-zA-Z0-9/+=]{500}
But that doesnt work in Wazuh...so the syntax must be incorrect
Here's the 2 rules in question
<rule id="120001" level="5">
<if_sid>60103</if_sid>
<field name="win.system.eventID">4688</field>
<description>New Process Detected</description>
</rule>
<rule id="130001" level="13">
<if_sid>120001</if_sid>
<field name="win.eventdata.commandLine">[a-zA-Z0-9/+=]{500}</field>
<description>Suspect Event</description>
</rule>
<rule id="120001" level="5">
<if_sid>60103</if_sid>
<field name="win.system.eventID">4688</field>
<description>New Process Detected</description>
</rule>
<rule id="130001" level="13">
<if_sid>120001</if_sid>
<field name="win.eventdata.commandLine">[a-zA-Z0-9/+=]{500}</field>
<description>Suspect Event</description>
</rule>
And the above command comes through as a match for rule 120001 but not 130001
All insight is appreciated
Tom
Delfina Lizarralde Bressan
Aug 3, 2022, 3:01:29 PM8/3/22
to Wazuh mailing list
Hi Thomas!
Thanks for using Wazuh.
Let me check this and I will get back to you.
Delfina Lizarralde Bressan
Aug 3, 2022, 3:30:29 PM8/3/22
to Wazuh mailing list
Thomas,
Sometimes the os_regex engine has problems.
Could you try with the pcre2 engine?
The rule would be like this:
<rule id="130001" level="13">
<if_sid>120001</if_sid>
<field name="win.eventdata.commandLine" type="pcre2">[a-zA-Z0-9/+=]{500}</field>
<description>Suspect Event</description>
</rule>
Please let me know if this works.
Regards.
Tom Powers
Aug 3, 2022, 3:34:13 PM8/3/22
to Wazuh mailing list
That works!! Thanks
Reply all
Reply to author
Forward
0 new messages