Custom Rule Suppression for a Single agent


Shine Cardozo

Mar 4, 2022, 12:17:41 AM
to Wazuh mailing list
Hi Team

Is there a way to set custom rules for a single agent. The rest of the agents I want the rules to be the same as usual but for only one of my agent I want to remove/suppress some rules.

I have checked the documentation but it is not clear as to where I have to modify the rules in a way that they will affect only certain agents.

Regards
Shine

Alberto Rodriguez

Mar 4, 2022, 2:49:15 AM
to Wazuh mailing list

Hello Shine

Let’s say that you have a rule 100001, which has level 12 and is triggering alerts for all agents, and you want to get those alerts for all agents except, let’s say, the agents named windows1 and windows2. You should create a child rule of 100001, with level 0, using hostname.
Example:

<rule id="100002" level="0">
  <if_sid>100001</if_sid>   
  <hostname>^windows1$|^windows2$</hostname>
  <description>Ignoring Windows1 and Windows2.</description> 
</rule>

Hope it helps.
Regards,
Alberto R.

Shine Cardozo

Mar 4, 2022, 4:11:58 AM
to Alberto Rodriguez, Wazuh mailing list
Dear Alberto

Thanks for your kind reply.

Just want to make sure, so let us consider a system agent with
agent.name: system.001

In the above case will I have to modify the rule as follows?
<rule id="100002" level="0">
  <if_sid>100001</if_sid>
  <hostname>^system.001$</hostname>
  <description>Ignoring system.001</description>
</rule>

OR

<rule id="100002" level="0">
  <if_sid>100001</if_sid>
  <hostname>^005$</hostname>
  <description>Ignoring agent with id 005</description>
</rule>

I want to know if it's the agent name, the agent ID, or some other parameter from which we get the hostname.
Also, does this child rule have to be added to the local.yml, or does the file present in the ruleset directory need to be modified?

Regards

Shine Cardozo | System and Network Administrator

CodeMax IT Solutions Pvt. Ltd.
Email shine.cardozo@CdMx.in
Address 
A-201/202, 2nd Floor, Asian Costa Pinnacle,
Behind Hotel Surya Palace, Fatorda, Margao, Goa (403602)

Mobile +91 7385666948  Website CdMx.in

This e-mail may contain privileged and confidential information which is the property of CodeMax IT Solutions Pvt. Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. CodeMax IT Solutions Pvt. Ltd. does not accept any liability for virus infected e-mails.




Shine Cardozo

Mar 6, 2022, 11:26:27 PM
to Wazuh mailing list
Dear Alberto

To be precise I want to suppress the following alert:
<group name="web,accesslog,">
  <rule id="31151" level="10" frequency="14" timeframe="90">
    <if_matched_sid>31101</if_matched_sid>
    <hostname>agent.name</hostname>
    <description>Alerts Suppressed.</description>
  </rule>
</group>

The error I get is: Error validating configuration: Duplicate rule ID:31151. I want to override this particular rule for that one agent, as mentioned above.



Sandra Ocando

Mar 18, 2022, 7:16:18 AM
to Shine Cardozo, Wazuh mailing list
Hello Shine,

To suppress rule 31151 for a given agent, you can add a child rule with level 0. To do so, add the following block in your /var/ossec/etc/rules/local_rules.xml file:
<group name="web,accesslog,">

  <rule id="100002" level="0">
    <if_sid>31151</if_sid>
    <hostname>AGENT_NAME</hostname>
    <description>Silence rule 31151</description>
  </rule>

</group>
Replace AGENT_NAME with your agent name (not ID) and restart the Wazuh manager.

Best regards,
Sandra.
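Added example (not from the thread or from Wazuh itself) covering both replies above: it parses a constructed local_rules.xml fragment, flags the duplicate-ID mistake that produced the "Duplicate rule ID:31151" error, and models how a level-0 child keyed on agent name overrides the parent alert. The child-rule evaluation is a simplified stand-in for the Wazuh engine, and SHIPPED_IDS is an assumed stand-in for the IDs already defined by the shipped ruleset.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample local_rules.xml content: a level-0 child of rule 31151 keyed on agent name.
LOCAL_RULES = """<group name="web,accesslog,">
  <rule id="100002" level="0">
    <if_sid>31151</if_sid>
    <hostname>^windows1$|^windows2$</hostname>
    <description>Silence rule 31151 on windows1 and windows2</description>
  </rule>
</group>"""

# Constructed: the attempt from the thread that reuses the shipped rule's own ID.
BAD_RULES = """<group name="web,accesslog,">
  <rule id="31151" level="10">
    <if_matched_sid>31101</if_matched_sid>
    <hostname>windows1</hostname>
  </rule>
</group>"""

# Assumed stand-in for rule IDs already defined in the shipped ruleset.
SHIPPED_IDS = {31101, 31151}


def parse_rules(xml_text):
    """Return a list of dicts with the fields these checks need from each <rule>."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        if_sid = r.findtext("if_sid")
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": int(if_sid) if if_sid else None,
            "hostname": r.findtext("hostname"),
        })
    return rules


def duplicate_ids(rules, shipped_ids):
    """IDs colliding with the shipped ruleset; the manager rejects the file
    with 'Error validating configuration: Duplicate rule ID'."""
    return sorted(r["id"] for r in rules if r["id"] in shipped_ids)


def effective_level(rules, parent_id, parent_level, agent_name):
    """Simplified model: the first child whose <if_sid> is the parent and whose
    <hostname> pattern matches the agent name replaces the parent's level."""
    for r in rules:
        if r["if_sid"] == parent_id and r["hostname"] and re.search(r["hostname"], agent_name):
            return r["level"]
    return parent_level
```

A level-0 result falls below the manager's alerting threshold, so the matched event produces no alert for that agent while all other agents keep the level-10 alert.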
