Suppressing False Positive Alerts in Wazuh for VirusTotal SHA1 Matches

From Notes_Wiki


Objective

This document outlines the steps to suppress false positive alerts in Wazuh raised by the VirusTotal integration on low detection counts (for example a single engine, virustotal.positives = 1), where analysis concluded that the detections are false positives. The solution is a custom level-0 rule that suppresses the alert for specific SHA1 hash values while leaving every other VirusTotal alert in place.


1. Default Wazuh Rule Overview

Wazuh is an open-source security platform that performs intrusion detection, file integrity monitoring, compliance monitoring, and incident response. Alerts are generated by pre-defined rules. In this case the alert comes from rule `87105`, which ships with Wazuh's VirusTotal ruleset and fires on the output of the VirusTotal integration.

Default Rule Details

Explanation

   • id="87105": The rule identifier.
   • level="12": Severity level (0 to 16; higher is more severe, and anything at or above log_alert_level, 3 by default, is written to the alert log).
   • if_sid="87100": This rule is evaluated only for events that already matched rule 87100, the parent rule for VirusTotal integration output.
   • field name="virustotal.malicious": The rule fires when the malicious field returned by the VirusTotal integration is 1.
   • virustotal.positives: The number of VirusTotal engines that flagged the file; it is carried in the event and reported in the alert.
   • group: Compliance tags attached to the alert (e.g., PCI DSS, GDPR).
   • mitre: Maps to MITRE ATT&CK technique T1203 (Exploitation for Client Execution).

This rule raises a level 12 alert whenever the VirusTotal integration reports the analysed file or registry value as malicious, which happens as soon as at least one antivirus engine flags it (1 positive out of 62 engines, as in the test below, is enough).

2. False Positive Detection

A false positive occurs when a file is incorrectly identified as malicious by security software. In this case, several SHA1 hashes were flagged by VirusTotal, but after further analysis, these alerts were determined to be false positives. The following SHA1 values were identified:

False Positive SHA1 Hashes

   • f980f325b04d8f18f4fd73bb31f765806b3beda8
   • 356a192b7913b04c54574d18c28d46e6395428ab
   • 3a52ce780950d4d969792a2559cd519d7ee8c727
   • 1d102a8cf9879ceec3a7b26104b12e875c13d6a7
   • b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
   • 6ea8fd4669fc7f051922f3b9a42479edde770567
   • 888dfcfed063797ac4418e2e17c095629172d67d
   • 6db82df400e40b4910ffaf507cf446ed8c69f161

3. Custom Rule Creation to Suppress False Positive Alerts

To suppress these false positive alerts, a custom child rule of 87105 was added in Wazuh. It matches on the virustotal.sha1 field, so it suppresses the alert for that content wherever the file or registry value appears, and it leaves every other VirusTotal detection untouched.

  • The custom rule file path is /var/ossec/etc/rules/local_rules.xml on the Wazuh manager.
  • Copy and paste the custom rule below inside the existing <group> element of the custom rule file (the stock file opens with <group name="local,syslog,sshd,">). The rule ID must lie in the 100000-120000 range reserved for custom rules and must not collide with an existing rule.
  • Save the file and exit.
  • Restart the wazuh-manager service to apply the change (systemctl restart wazuh-manager) and confirm it came back up, since a syntax error in local_rules.xml stops the manager from starting.

Custom Rule Details

 <rule id="100301" level="0">
   <if_sid>87105</if_sid>
   <field name="virustotal.sha1">^f980f325b04d8f18f4fd73bb31f765806b3beda8$|^3a52ce780950d4d969792a2559cd519d7ee8c727$|^6db82df400e40b4910ffaf507cf446ed8c69f161$|^888dfcfed063797ac4418e2e17c095629172d67d$|^6ea8fd4669fc7f051922f3b9a42479edde770567$|^356a192b7913b04c54574d18c28d46e6395428ab$|^b6589fc6ab0dc82cf12099d1c2d40ab994e8410c$|^1d102a8cf9879ceec3a7b26104b12e875c13d6a7$</field>
   <description>VirusTotal alert suppressed for SHA1 value: $(virustotal.sha1)</description>
   <group>pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,</group>
   <options>no_full_log</options>
   <mitre>
     <id>T1203</id>
   </mitre>
 </rule>

Explanation

   • id="100301": Custom rule ID, taken from the 100000-120000 range reserved for local rules.
   • level="0": Level 0 means the event is matched but ignored: no alert is generated for it.
   • if_sid="87105": This custom rule is evaluated only for events that already matched rule 87105, so it cannot suppress anything else.
   • field name="virustotal.sha1": The SHA1 of the scanned content as reported by the VirusTotal integration. Matching on the hash rather than the path means the same content is suppressed wherever it appears.
   • Regex: Each hash is anchored with ^ and $ and the alternatives are joined with |, so only a complete, exact SHA1 from the list matches; a truncated or longer value does not.
   • description: States that the VirusTotal alert was suppressed and includes the matched hash via $(virustotal.sha1), which is what wazuh-logtest prints in Phase 3.
   • group: Keeps the same compliance tags as rule 87105 (PCI DSS, GDPR).
   • mitre: Same MITRE ATT&CK technique (T1203).
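As an added illustration, not code from this wiki page or from the Wazuh project, the following Python models the two-rule chain so the suppression can be checked offline: it flattens the integration JSON into dotted fields the way wazuh-logtest's Phase 2 prints them, applies the 87105 condition (virustotal.malicious equal to 1), then the custom level-0 child rule with the same anchored alternation as the <field> pattern, and reports whether the result would reach the alert log at the default log_alert_level of 3. The sample event is the one from the logtest output in section 4, minus the permalink; the variants with another hash are constructed, and the rule IDs and levels are the page's. As a check on the data itself, two of the listed hashes are simply the SHA1 of the single characters "0" and "1".

```python
import hashlib
import json
import re

# SHA1 values the page lists as analysed false positives.
FALSE_POSITIVE_SHA1 = {
    "f980f325b04d8f18f4fd73bb31f765806b3beda8",
    "356a192b7913b04c54574d18c28d46e6395428ab",
    "3a52ce780950d4d969792a2559cd519d7ee8c727",
    "1d102a8cf9879ceec3a7b26104b12e875c13d6a7",
    "b6589fc6ab0dc82cf12099d1c2d40ab994e8410c",
    "6ea8fd4669fc7f051922f3b9a42479edde770567",
    "888dfcfed063797ac4418e2e17c095629172d67d",
    "6db82df400e40b4910ffaf507cf446ed8c69f161",
}

# Same shape as the <field name="virustotal.sha1"> pattern in the rule:
# every alternative is anchored with ^ and $, so only a complete hash matches.
SUPPRESS_RE = re.compile("|".join(f"^{h}$" for h in sorted(FALSE_POSITIVE_SHA1)))

PARENT_RULE = ("87105", 12)    # stock VirusTotal rule, fires on malicious == 1
SUPPRESS_RULE = ("100301", 0)  # custom child (if_sid 87105), level 0


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted keys with string values, as in logtest Phase 2."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = str(value)
    return out


def evaluate(raw_event):
    """Return (rule id, level) of the rule that finally fires, or None if none does."""
    fields = flatten(json.loads(raw_event))
    # Rule 87100 (parent of 87105) only accepts VirusTotal integration output.
    if fields.get("integration") != "virustotal":
        return None
    # Rule 87105: the integration reported the content as malicious.
    if fields.get("virustotal.malicious") != "1":
        return None
    fired = PARENT_RULE
    # Rule 100301: level-0 child of 87105 for the approved SHA1 list.
    if SUPPRESS_RE.search(fields.get("virustotal.sha1", "")):
        fired = SUPPRESS_RULE
    return fired


def is_alerted(raw_event, log_alert_level=3):
    """True if the event would be written to the alert log (default threshold is level 3)."""
    result = evaluate(raw_event)
    return result is not None and result[1] >= log_alert_level


def sha1_hex(data):
    """SHA1 hex digest of a byte string."""
    return hashlib.sha1(data).hexdigest()


# Event taken from the wazuh-logtest Phase 1 output on this page (permalink omitted).
SAMPLE_EVENT = json.dumps({
    "virustotal": {
        "found": 1,
        "malicious": 1,
        "source": {
            "alert_id": "1758690172.299998863",
            "file": r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_62afc0a\TriggerInfo\0",
            "md5": "ced165163e51e06e01dc44c35fea3eaf",
            "sha1": "1d102a8cf9879ceec3a7b26104b12e875c13d6a7",
        },
        "sha1": "1d102a8cf9879ceec3a7b26104b12e875c13d6a7",
        "scan_date": "2025-09-24 04:50:49",
        "positives": 1,
        "total": 62,
    },
    "integration": "virustotal",
})


if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENT), is_alerted(SAMPLE_EVENT))  # ('100301', 0) False
    # Constructed variant: the same event with a hash that is not on the list.
    other = SAMPLE_EVENT.replace("1d102a8cf9879ceec3a7b26104b12e875c13d6a7", "f" * 40)
    print(evaluate(other), is_alerted(other))  # ('87105', 12) True
    # Two listed hashes are SHA1("0") and SHA1("1"): the VirusTotal verdict for
    # them applies to any object whose entire content is that one character.
    print(sha1_hex(b"0") in FALSE_POSITIVE_SHA1, sha1_hex(b"1") in FALSE_POSITIVE_SHA1)  # True True
```

Running the block against the page's own event yields the same outcome as Phase 3 of the logtest capture (level 0, not alerted); editing the hash to one not on the list shows rule 87105 firing at level 12 again, which is the behaviour you want to confirm before trusting the suppression in production.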

4. Testing the Custom Rule with Wazuh-Logtest

Run /var/ossec/bin/wazuh-logtest on the manager and paste the integration's JSON event to see the three phases: pre-decoding, JSON decoding into dotted fields, and rule matching. In the capture below the custom level-0 rule wins over the default VirusTotal rule 87105 because the event's virustotal.sha1 is on the false positive list, so the event is matched but no alert is raised. Note that this capture reports the suppression rule as id '100300', whereas the rule shown above uses id 100301; the ID printed in Phase 3 must be the one you actually put in local_rules.xml, so check it before treating the test as passed.

Logtest Output

**Messages:
    WARNING: (7003): 'fa395d26' token expires
    INFO: (7202): Session initialized with token '613b6850'

**Phase 1: Completed pre-decoding.
    full event: '{"virustotal": {"found": 1, "malicious": 1, "source": {"alert_id": "1758690172.299998863", "file": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MessagingService_62afc0a\\TriggerInfo\\0", "md5": "ced165163e51e06e01dc44c35fea3eaf", "sha1": "1d102a8cf9879ceec3a7b26104b12e875c13d6a7"}, "sha1": "1d102a8cf9879ceec3a7b26104b12e875c13d6a7", "scan_date": "2025-09-24 04:50:49", "positives": 1, "total": 62, "permalink": "https://www.virustotal.com/gui/file/ae5ce162888ee3ebe974976cac5ab94a3f55049f8515884883d579fb3fa378d2/detection/f-ae5ce162888ee3ebe974976cac5ab94a3f55049f8515884883d579fb3fa378d2-1758689449"}, "integration": "virustotal"}'

**Phase 2: Completed decoding.
    name: 'json'
    integration: 'virustotal'
    virustotal.found: '1'
    virustotal.malicious: '1'
    virustotal.permalink: 'https://www.virustotal.com/gui/file/ae5ce162888ee3ebe974976cac5ab94a3f55049f8515884883d579fb3fa378d2/detection/f-ae5ce162888ee3ebe974976cac5ab94a3f55049f8515884883d579fb3fa378d2-1758689449'
    virustotal.positives: '1'
    virustotal.scan_date: '2025-09-24 04:50:49'
    virustotal.sha1: '1d102a8cf9879ceec3a7b26104b12e875c13d6a7'
    virustotal.source.alert_id: '1758690172.299998863'
    virustotal.source.file: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_62afc0a\TriggerInfo\0'
    virustotal.source.md5: 'ced165163e51e06e01dc44c35fea3eaf'
    virustotal.source.sha1: '1d102a8cf9879ceec3a7b26104b12e875c13d6a7'
    virustotal.total: '62'

**Phase 3: Completed filtering (rules).
    id: '100300'
    level: '0'
    description: 'VirusTotal alert suppressed for SHA1 value: 1d102a8cf9879ceec3a7b26104b12e875c13d6a7'
    groups: '["virustotal"]'
    firedtimes: '1'
    mail: 'false'