Difference between revisions of "Wazuh Custom Rule Creation"

From Notes_Wiki
 
(10 intermediate revisions by the same user not shown)
Line 3: Line 3:
= Wazuh Custom Rule Creation =
= Wazuh Custom Rule Creation =


In Wazuh, we have two types of rules:
In Wazuh, we analyze triggered alerts by reviewing fields such as '''rule.description, full log details, srcip, rule.level''', and others. Additionally, we leverage threat intelligence platforms like '''VirusTotal, AbuseIPDB''', and similar sources to investigate data points such as attacker IPs or file hash values. Based on this comprehensive analysis, we determine whether an alert represents a true positive or a false positive. Depending on the outcome, we either create custom rules or modify existing default rules by adjusting parameters like the rule level, ID, description, and other relevant settings.
 
In Wazuh, there are two types of rules:
 
# Default rules
# Default rules
# Custom rules
# Custom rules
Line 9: Line 12:
== Default Rules ==
== Default Rules ==


Wazuh’s default rules are pre-configured rules included with every Wazuh installation. These can be found on the Wazuh server at:
Wazuh’s default rules are pre-configured rules included with every Wazuh installation. These are located at:
 
<code>/var/ossec/ruleset/rules/</code>
 
These rules are designed to monitor a broad spectrum of security events and log sources, providing a solid foundation for detecting common security threats such as attacks, vulnerabilities, and suspicious activities.
 
'''Note:''' Modifying existing default rules is '''not recommended''' directly.
 
=== Creating Custom Rule by Modifing Existing Rules ===
 
Wazuh allows us to modify its built-in rules by copying them to:
 
<code>/var/ossec/etc/rules/local_rules.xml</code>
 
To override a rule, add the attribute <code>overwrite="yes"</code>.
 
==== Sample Event Log ====
 
<pre>
Jun 06 08:46:21 thehive sshd[2556]: Invalid user test from 10.9.8.16 port 39496
</pre>
 
Let's use this example with Rule ID 5710: ''sshd: Attempt to login using a non-existent user''.
 
==== Default Rule Definition ====


<code>/var/ossec/ruleset/rules/</code>
Below is the default rule definition triggered for rule ID 5710:


These rules are designed to monitor a broad spectrum of security events and log sources, providing a solid foundation for detecting common security threats. They help identify different types of attacks, vulnerabilities, and suspicious activities.
<pre>
<group name="syslog,sshd,">
  <rule id="5710" level="5">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <description>sshd: Attempt to login using a non-existent user</description>
    <mitre>
      <id>T1110.001</id>
      <id>T1021.004</id>
    </mitre>
    <group>authentication_failed,gdpr_IV_35.7.d,...</group>
  </rule>
</group>
</pre>


'''Note:''' Modifying existing rules is not recommended.
==== Example 1: Change Alert Level ====
 
Modifying the severity level of the existing rule for '''sshd: Attempt to login using a non-existent user''' (Rule ID 5710) from level 5 to level 10. The updated rule is shown below:
 
 
<pre>
<group name="syslog,sshd,">
  <rule id="5710" level="10" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <description>sshd: Attempt to login using a non-existent user</description>
    <mitre>
      <id>T1110.001</id>
      <id>T1021.004</id>
    </mitre>
    <group>authentication_failed,gdpr_IV_35.7.d,...</group>
  </rule>
</group>
</pre>
 
==== Example 2: Match by Hostname ====
 
We now include the '''<hostname>''' tag in the rule to ensure that alerts are triggered only when the hostname in the event log matches the specified value. If the hostname does not match, the rule will not activate, even if all other conditions in the event are met
 
<pre>
<group name="syslog,sshd,">
  <rule id="5710" level="10" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <hostname>t-t</hostname>
    <description>sshd: Attempt to login using a non-existent user</description>
    <mitre>
      <id>T1110.001</id>
      <id>T1021.004</id>
    </mitre>
    <group>authentication_failed,gdpr_IV_35.7.d,...</group>   
  </rule>
</group>
</pre>
 
==== Example 3: Match by Source IP ====
 
We now add the '''<srcip>''' tag to the rule to ensure that alerts are triggered only when the source IP address in the event log matches the specified value. If the source IP does not match, the rule will not trigger even if the rest of the event content meets the other conditions.
 
<pre>
<group name="syslog,sshd,">
  <rule id="5710" level="10" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <srcip>10.9.8.16</srcip>
    <description>sshd: Attempt to login using a non-existent user</description>
    <mitre>
      <id>T1110.001</id>
      <id>T1021.004</id>
    </mitre>
    <group>authentication_failed,gdpr_IV_35.7.d,...</group> 
  </rule>
</group>
</pre>


== Custom Rules ==
== Custom Rules ==


Custom rules are used in Wazuh to define specific conditions or patterns for how an alert will be triggered.
In Wazuh, custom rules are used to define specific conditions or patterns that determine when an alert should be triggered. These rules enable users to customize security monitoring based on the unique needs of their environment. Unlike default rules, which come pre-configured with Wazuh, custom rules are user-defined and maintained to address specialized security requirements or to refine detection logic. Custom rules are written in the file located at:
  <code>/var/ossec/rules/local_rules.xml</code>


They allow users to tailor security monitoring to meet specific needs. Unlike default rules, custom rules are created and managed by users and are defined in the file:
Use custom rule IDs (100000 to 120000) to avoid conflicts.


<code>/var/ossec/etc/rules/local_rules.xml</code>
=== Basic Custom Rule Structure ===


=== Basic Structure of a Custom Rule ===
Below is the basic structure of a custom rule with mandatory tags and in further examples below we add some other tags like '''<group>''', '''<mitre>''' etc. for better classification and fine tuning the alert generation.


<pre>
<pre>
Line 37: Line 136:
</pre>
</pre>


== How to Check If an Alert Is Triggering for a Log ==
=== Testing Rules ===


Use the <code>wazuh-logtest</code> binary utility provided by the Wazuh Manager.
Use the following binary to test log matches:


=== Example Event Log ===
<code>/var/ossec/bin/wazuh-logtest</code>


<code>Jun 05 09:48:16 shuffle sshd[6670]: Failed password for shuffle from 10.9.8.16 port 57868 ssh2</code>
'''Example Log''':


Run <code>/var/ossec/bin/wazuh-logtest</code> and paste the above log.
<pre>
Jun 05 09:48:16 shuffle sshd[6670]: '''Failed password for shuffle from 10.9.8.16 port 57868 ssh2'''
</pre>


=== Example Output ===
'''Run''':


<code>/var/ossec/bin/wazuh-logtest</code>
Paste the log and observe the output.
==== Sample Output ====
Below is the output for the example log:
<pre>
<pre>
**Phase 1: Completed pre-decoding.
**Phase 1: Completed pre-decoding.
    full event: 'Jun 05 09:48:16 shuffle sshd[6670]: Failed password for shuffle from 10.9.8.16 port 57868 ssh2'
full event: 'Jun 05 09:48:16 shuffle sshd[6670]: Failed password for shuffle from 10.9.8.16 port 57868 ssh2'
    timestamp: 'Jun 05 09:48:16'
timestamp: 'Jun 05 09:48:16'
    hostname: 'shuffle'
hostname: 'shuffle'
    program_name: 'sshd'
program_name: 'sshd'


**Phase 2: Completed decoding.
**Phase 2: Completed decoding.
    name: 'sshd'
name: 'sshd'
    parent: 'sshd'
parent: 'sshd'
    dstuser: 'shuffle'
dstuser: 'shuffle'
    srcip: '10.9.8.16'
srcip: '10.9.8.16'
    srcport: '57868'
srcport: '57868'


**Phase 3: Completed filtering (rules).
**Phase 3: Completed filtering (rules).
    id: '5760'
id: '5760'
    level: '5'
level: '5'
    description: 'sshd: authentication failed.'
description: 'sshd: authentication failed.'
    groups: '['syslog', 'sshd', 'authentication_failed']'
groups: '['syslog', 'sshd', 'authentication_failed']'
    firedtimes: '1'
firedtimes: '1'
    gdpr: '['IV_35.7.d', 'IV_32.2']'
gdpr: '['IV_35.7.d', 'IV_32.2']'
    gpg13: '['7.1']'
gpg13: '['7.1']'
    hipaa: '['164.312.b']'
hipaa: '['164.312.b']'
    mail: 'False'
mail: 'False'
    mitre.id: '['T1110.001', 'T1021.004']'
mitre.id: '['T1110.001', 'T1021.004']'
    mitre.tactic: '['Credential Access', 'Lateral Movement']'
mitre.tactic: '['Credential Access', 'Lateral Movement']'
    mitre.technique: '['Password Guessing', 'SSH']'
mitre.technique: '['Password Guessing', 'SSH']'
    nist_800_53: '['AU.14', 'AC.7']'
nist_800_53: '['AU.14', 'AC.7']'
    pci_dss: '['10.2.4', '10.2.5']'
pci_dss: '['10.2.4', '10.2.5']'
    tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.
**Alert to be generated.
</pre>
</pre>


This confirms that the event log triggers an alert with:
==== Triggered Rule ====
* rule.id: 5760
This is the default rule definition for the example log above:
* rule.level: 5
* description: sshd: authentication failed
* groups: syslog, sshd, authentication_failed
 
=== Rule Definition That Triggered the Above Log ===
 
<pre>
<pre>
<group name="syslog,sshd,">
<group name="syslog,sshd,">
Line 105: Line 206:
</pre>
</pre>


== Creating Custom Rules ==
=== Creating Custom Rules ===


=== Example 1: Basic Custom Rule ===
=== Example 1: Basic Custom Rule ===
Modify the default alert rule by creating a custom rule in <code>/var/ossec/etc/rules/local_rules.xml</code>:


<pre>
<pre>
Line 121: Line 220:
</pre>
</pre>


==== Breakdown ====
'''Explanation:'''
* <code>&lt;group&gt;</code>: Assigns group name to rule
* <code>&lt;group&gt;</code> Assigns a group name
* <code>&lt;rule&gt;</code>: Defines custom rule ID and level
* <code>&lt;rule&gt;</code> — Custom ID and severity
* <code>&lt;if_sid&gt;</code>: Applies this rule only if rule ID 5760 is triggered
* <code>&lt;if_sid&gt;</code> — Triggers only if rule 5760 matches
* <code>&lt;match&gt;</code>: Matches strings in the event log
* <code>&lt;match&gt;</code> — String match
* <code>&lt;description&gt;</code>: Explains the rule’s purpose
* <code>&lt;description&gt;</code> — Rule purpose
 
==== wazuh-logtest Output ====
 
<pre>
**Phase 1: Completed pre-decoding.
full event: 'Jun 05 09:48:16 shuffle sshd[6670]: Failed password for shuffle from 10.9.8.16 port 57868 ssh2'
timestamp: 'Jun 05 09:48:16'
hostname: 'shuffle'
program_name: 'sshd'
 
**Phase 2: Completed decoding.
name: 'sshd'
parent: 'sshd'
dstuser: 'shuffle'
srcip: '10.9.8.16'
srcport: '57868'


This rule is general and doesn't specify tags like IP or hostname, so it will trigger alerts regardless of source or destination.
**Phase 3: Completed filtering (rules).
  id: '100002'
  level: '3'
  description: 'custom rule for sshd authentication failed.'
  groups: '['custom_rule']'
  firedtimes: '1'
  mail: 'False'
**Alert to be generated.
</pre>


=== Example 2: Rule Based on Source IP ===
=== Example 2: Match srcip ===
The below rule will only trigger an alert if both specified conditions the hostname and the source IP address are simultaneously met in the incoming log data. This means that even if the log contains the correct source IP but the hostname doesn't match (or vice versa), the rule will not activate. Both criteria must align exactly with the values defined in the rule for it to be evaluated as a match and generate an alert.


<pre>
<pre>
Line 137: Line 261:
     <if_sid>5760</if_sid>
     <if_sid>5760</if_sid>
     <match>Failed password|Failed keyboard|authentication error</match>
     <match>Failed password|Failed keyboard|authentication error</match>
    <srcip>10.9.8.16</srcip>
     <description>Custom rule for SSHD authentication failures.</description>
     <description>Custom rule for SSHD authentication failures.</description>
    <srcip>10.9.8.16</srcip>
     <group>authentication_failed,sshd</group>
     <group>authentication_failed,sshd</group>
     <mitre>
     <mitre>
Line 153: Line 277:
* <code>&lt;srcip&gt;</code>: Only triggers if source IP matches
* <code>&lt;srcip&gt;</code>: Only triggers if source IP matches


=== Example 3: Rule Based on Source IP and Hostname ===
=== Example 3: Match srcip and hostname ===
The alert will fire only if both the source IP and hostname match the specified values. If either the source IP differs or the hostname does not match, the custom rule will not apply and in such cases, the default alert will be triggered instead. This mechanism allows for more accurate and focused alerting by restricting rule execution to specific hosts and IP addresses linked to potential threats.


<pre>
<pre>
Line 160: Line 285:
     <if_sid>5760</if_sid>
     <if_sid>5760</if_sid>
     <match>Failed password|Failed keyboard|authentication error</match>
     <match>Failed password|Failed keyboard|authentication error</match>
    <description>Custom rule for SSHD authentication failures.</description>
     <srcip>10.9.8.16</srcip>
     <srcip>10.9.8.16</srcip>
     <hostname>t-t</hostname>
     <hostname>t-t</hostname>
    <description>Custom rule for SSHD authentication failures.</description>
     <group>authentication_failed,sshd</group>
     <group>authentication_failed,sshd</group>
     <mitre>
     <mitre>
Line 175: Line 300:
* <code>&lt;srcip&gt;</code>: Triggers only if source IP matches
* <code>&lt;srcip&gt;</code>: Triggers only if source IP matches
* <code>&lt;hostname&gt;</code>: Triggers only if hostname matches
* <code>&lt;hostname&gt;</code>: Triggers only if hostname matches
=== Example 4: Adding Multiple Rule ID's in a Custom Rule ===
To add multiple rule ID's in a custom rule, we give the rule ID's by separating them with a coma inside the '''<if_sid>''' tag.
For this example I have taken three example rule IDs, they are:
<pre>
Logon Failure - Unknown user or bad password - 60122
syslog: User missed the password more than one time - 2502
PAM: User login failed. - 5503
</pre>
If any of the three rules (60122, 2502, or 5503) trigger, this custom rule will also trigger. We can chage the rule level based on our priority.
Below is the example custom rule defination:
<pre>
<group name="custom_rule">
  <rule id="100030" level="10">
    <if_sid>60122,2502,5503</if_sid>
    <description>Custom alert for multiple types of failed login attempts</description>
    <group>authentication_failed,login_attempts</group>
    <mitre>
      <id>T1110.001</id>
    </mitre>
  </rule>
</group>
</pre>

Latest revision as of 13:20, 6 June 2025

Home > Wazuh > Wazuh Custom Rule Creation

Wazuh Custom Rule Creation

In Wazuh, we analyze triggered alerts by reviewing fields such as rule.description, full log details, srcip, rule.level, and others. Additionally, we leverage threat intelligence platforms like VirusTotal, AbuseIPDB, and similar sources to investigate data points such as attacker IPs or file hash values. Based on this comprehensive analysis, we determine whether an alert represents a true positive or a false positive. Depending on the outcome, we either create custom rules or modify existing default rules by adjusting parameters like the rule level, ID, description, and other relevant settings.

In Wazuh, there are two types of rules:

  1. Default rules
  2. Custom rules

Default Rules

Wazuh’s default rules are pre-configured rules included with every Wazuh installation. These are located at: 

/var/ossec/ruleset/rules/

These rules are designed to monitor a broad spectrum of security events and log sources, providing a solid foundation for detecting common security threats such as attacks, vulnerabilities, and suspicious activities.

Note: Modifying existing default rules is not recommended directly.

Creating Custom Rule by Modifing Existing Rules

Wazuh allows us to modify its built-in rules by copying them to: 

/var/ossec/etc/rules/local_rules.xml

To override a rule, add the attribute overwrite="yes".

Sample Event Log

Jun 06 08:46:21 thehive sshd[2556]: Invalid user test from 10.9.8.16 port 39496

Let's use this example with Rule ID 5710: sshd: Attempt to login using a non-existent user.

Default Rule Definition

Below is the default rule definition triggered for rule ID 5710: 

<group name="syslog,sshd,">
  <rule id="5710" level="5">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <description>sshd: Attempt to login using a non-existent user</description>
    <mitre>
      <id>T1110.001</id>
      <id>T1021.004</id>
    </mitre>
    <group>authentication_failed,gdpr_IV_35.7.d,...</group>
  </rule>
</group>

Example 1: Change Alert Level

Modifying the severity level of the existing rule for sshd: Attempt to login using a non-existent user (Rule ID 5710) from level 5 to level 10. The updated rule is shown below: 


<group name="syslog,sshd,">
  <rule id="5710" level="10" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <description>sshd: Attempt to login using a non-existent user</description>
    <mitre>
      <id>T1110.001</id>
      <id>T1021.004</id>
    </mitre>
    <group>authentication_failed,gdpr_IV_35.7.d,...</group>
  </rule>
</group>

Example 2: Match by Hostname

We now include the <hostname> tag in the rule to ensure that alerts are triggered only when the hostname in the event log matches the specified value. If the hostname does not match, the rule will not activate, even if all other conditions in the event are met 

<group name="syslog,sshd,">
  <rule id="5710" level="10" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <hostname>t-t</hostname>
    <description>sshd: Attempt to login using a non-existent user</description>
    <mitre>
      <id>T1110.001</id>
      <id>T1021.004</id>
    </mitre>
    <group>authentication_failed,gdpr_IV_35.7.d,...</group>    
  </rule>
</group>

Example 3: Match by Source IP

We now add the <srcip> tag to the rule to ensure that alerts are triggered only when the source IP address in the event log matches the specified value. If the source IP does not match, the rule will not trigger even if the rest of the event content meets the other conditions. 

<group name="syslog,sshd,">
  <rule id="5710" level="10" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <srcip>10.9.8.16</srcip>
    <description>sshd: Attempt to login using a non-existent user</description>
    <mitre>
      <id>T1110.001</id>
      <id>T1021.004</id>
    </mitre>
    <group>authentication_failed,gdpr_IV_35.7.d,...</group>   
  </rule>
</group>

Custom Rules

In Wazuh, custom rules are used to define specific conditions or patterns that determine when an alert should be triggered. These rules enable users to customize security monitoring based on the unique needs of their environment. Unlike default rules, which come pre-configured with Wazuh, custom rules are user-defined and maintained to address specialized security requirements or to refine detection logic. Custom rules are written in the file located at: 

 /var/ossec/rules/local_rules.xml

Use custom rule IDs (100000 to 120000) to avoid conflicts.

Basic Custom Rule Structure

Below is the basic structure of a custom rule with mandatory tags and in further examples below we add some other tags like <group>, <mitre> etc. for better classification and fine tuning the alert generation. 

<group name="custom_name,">
  <rule id="100010" level="5">
    <if_sid>...</if_sid>
    <match>...</match>
    <description>...</description>
  </rule>
</group>

Testing Rules

Use the following binary to test log matches: 

/var/ossec/bin/wazuh-logtest

Example Log: 

Jun 05 09:48:16 shuffle sshd[6670]: '''Failed password for shuffle from 10.9.8.16 port 57868 ssh2'''

Run: 

/var/ossec/bin/wazuh-logtest

Paste the log and observe the output.

Sample Output

Below is the output for the example log: 

**Phase 1: Completed pre-decoding.
	full event: 'Jun 05 09:48:16 shuffle sshd[6670]: Failed password for shuffle from 10.9.8.16 port 57868 ssh2'
	timestamp: 'Jun 05 09:48:16'
	hostname: 'shuffle'
	program_name: 'sshd'

**Phase 2: Completed decoding.
	name: 'sshd'
	parent: 'sshd'
	dstuser: 'shuffle'
	srcip: '10.9.8.16'
	srcport: '57868'

**Phase 3: Completed filtering (rules).
	id: '5760'
	level: '5'
	description: 'sshd: authentication failed.'
	groups: '['syslog', 'sshd', 'authentication_failed']'
	firedtimes: '1'
	gdpr: '['IV_35.7.d', 'IV_32.2']'
	gpg13: '['7.1']'
	hipaa: '['164.312.b']'
	mail: 'False'
	mitre.id: '['T1110.001', 'T1021.004']'
	mitre.tactic: '['Credential Access', 'Lateral Movement']'
	mitre.technique: '['Password Guessing', 'SSH']'
	nist_800_53: '['AU.14', 'AC.7']'
	pci_dss: '['10.2.4', '10.2.5']'
	tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.

Triggered Rule

This is the default rule definition for the example log above: 

<group name="syslog,sshd,">
  <rule id="5760" level="5">
    <if_sid>5700,5716</if_sid>
    <match>Failed password|Failed keyboard|authentication error</match>
    <description>sshd: authentication failed.</description>
    <mitre>
      <id>T1110.001</id>
      <id>T1021.004</id>
    </mitre>
    <group>authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

Creating Custom Rules

Example 1: Basic Custom Rule

<group name="custom_rule,">
  <rule id="100002" level="3">
    <if_sid>5760</if_sid>
    <match>Failed password|Failed keyboard|authentication error</match>
    <description>custom rule for sshd authentication failed.</description>
  </rule>
</group>

Explanation:

  • <group> — Assigns a group name
  • <rule> — Custom ID and severity
  • <if_sid> — Triggers only if rule 5760 matches
  • <match> — String match
  • <description> — Rule purpose

wazuh-logtest Output

**Phase 1: Completed pre-decoding.
	full event: 'Jun 05 09:48:16 shuffle sshd[6670]: Failed password for shuffle from 10.9.8.16 port 57868 ssh2'
	timestamp: 'Jun 05 09:48:16'
	hostname: 'shuffle'
	program_name: 'sshd'

**Phase 2: Completed decoding.
	name: 'sshd'
	parent: 'sshd'
	dstuser: 'shuffle'
	srcip: '10.9.8.16'
	srcport: '57868'

**Phase 3: Completed filtering (rules).
  id: '100002'
  level: '3'
  description: 'custom rule for sshd authentication failed.'
  groups: '['custom_rule']'
  firedtimes: '1'
  mail: 'False'
**Alert to be generated.

Example 2: Match srcip

The below rule will only trigger an alert if both specified conditions the hostname and the source IP address are simultaneously met in the incoming log data. This means that even if the log contains the correct source IP but the hostname doesn't match (or vice versa), the rule will not activate. Both criteria must align exactly with the values defined in the rule for it to be evaluated as a match and generate an alert. 

<group name="custom_rule">
  <rule id="100002" level="3">
    <if_sid>5760</if_sid>
    <match>Failed password|Failed keyboard|authentication error</match>
    <srcip>10.9.8.16</srcip>
    <description>Custom rule for SSHD authentication failures.</description>
    <group>authentication_failed,sshd</group>
    <mitre>
      <id>T1110.001</id>
      <id>T1021.004</id>
    </mitre>
  </rule>
</group>

Additional Tags

  • <group>: Classifies alert
  • <mitre>: Maps TTPs for threat intelligence
  • <srcip>: Only triggers if source IP matches

Example 3: Match srcip and hostname

The alert will fire only if both the source IP and hostname match the specified values. If either the source IP differs or the hostname does not match, the custom rule will not apply and in such cases, the default alert will be triggered instead. This mechanism allows for more accurate and focused alerting by restricting rule execution to specific hosts and IP addresses linked to potential threats. 

<group name="custom_rule">
  <rule id="100002" level="3">
    <if_sid>5760</if_sid>
    <match>Failed password|Failed keyboard|authentication error</match>
    <srcip>10.9.8.16</srcip>
    <hostname>t-t</hostname>
    <description>Custom rule for SSHD authentication failures.</description>
    <group>authentication_failed,sshd</group>
    <mitre>
      <id>T1110.001</id>
      <id>T1021.004</id>
    </mitre>
  </rule>
</group>

Additional Tags

  • <srcip>: Triggers only if source IP matches
  • <hostname>: Triggers only if hostname matches

Example 4: Adding Multiple Rule ID's in a Custom Rule

To add multiple rule ID's in a custom rule, we give the rule ID's by separating them with a coma inside the <if_sid> tag. For this example I have taken three example rule IDs, they are: 

Logon Failure - Unknown user or bad password - 60122
syslog: User missed the password more than one time - 2502
PAM: User login failed. - 5503

If any of the three rules (60122, 2502, or 5503) trigger, this custom rule will also trigger. We can chage the rule level based on our priority. Below is the example custom rule defination: 

<group name="custom_rule">
  <rule id="100030" level="10">
    <if_sid>60122,2502,5503</if_sid>
    <description>Custom alert for multiple types of failed login attempts</description>
    <group>authentication_failed,login_attempts</group>
    <mitre>
      <id>T1110.001</id>
    </mitre>
  </rule>
</group>
Retrieved from "http://www.sbarjatiya.com/notes_wiki/index.php?title=Wazuh_Custom_Rule_Creation&oldid=8821"