Difference between revisions of "Wazuh Custom Rule Creation"

From Notes_Wiki
Revision as of 16:26, 5 June 2025


Wazuh Custom Rule Creation

In Wazuh, we have two types of rules:

  1. Default rules
  2. Custom rules

Default Rules

Wazuh’s default rules are pre-configured rules included with every Wazuh installation. These can be found on the Wazuh server at:

/var/ossec/ruleset/rules/

These rules are designed to monitor a broad spectrum of security events and log sources, providing a solid foundation for detecting common security threats. They help identify different types of attacks, vulnerabilities, and suspicious activities.

Note: Modifying existing rules is not recommended.

Custom Rules

Custom rules are used in Wazuh to define specific conditions or patterns for how an alert will be triggered.

They allow users to tailor security monitoring to meet specific needs. Unlike default rules, custom rules are created and managed by users and are defined in the file:

/var/ossec/etc/rules/local_rules.xml

Basic Structure of a Custom Rule

<group name="custom_name,">
  <rule id="100010" level="5">
    <if_sid>...</if_sid>
    <match>...</match>
    <description>...</description>
  </rule>
</group>

How to Check If an Alert Is Triggering for a Log

Use the wazuh-logtest binary utility provided by the Wazuh Manager.

Example Event Log

Jun 05 09:48:16 shuffle sshd[6670]: Failed password for shuffle from 10.9.8.16 port 57868 ssh2

Run /var/ossec/bin/wazuh-logtest and paste the above log.

Example Output

**Phase 1: Completed pre-decoding.
    full event: 'Jun 05 09:48:16 shuffle sshd[6670]: Failed password for shuffle from 10.9.8.16 port 57868 ssh2'
    timestamp: 'Jun 05 09:48:16'
    hostname: 'shuffle'
    program_name: 'sshd'

**Phase 2: Completed decoding.
    name: 'sshd'
    parent: 'sshd'
    dstuser: 'shuffle'
    srcip: '10.9.8.16'
    srcport: '57868'

**Phase 3: Completed filtering (rules).
    id: '5760'
    level: '5'
    description: 'sshd: authentication failed.'
    groups: '['syslog', 'sshd', 'authentication_failed']'
    firedtimes: '1'
    gdpr: '['IV_35.7.d', 'IV_32.2']'
    gpg13: '['7.1']'
    hipaa: '['164.312.b']'
    mail: 'False'
    mitre.id: '['T1110.001', 'T1021.004']'
    mitre.tactic: '['Credential Access', 'Lateral Movement']'
    mitre.technique: '['Password Guessing', 'SSH']'
    nist_800_53: '['AU.14', 'AC.7']'
    pci_dss: '['10.2.4', '10.2.5']'
    tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.

This confirms that the event log triggers an alert with:

  • rule.id: 5760
  • rule.level: 5
  • description: sshd: authentication failed
  • groups: syslog, sshd, authentication_failed

Rule Definition That Triggered the Above Log

<group name="syslog,sshd,">
  <rule id="5760" level="5">
    <if_sid>5700,5716</if_sid>
    <match>Failed password|Failed keyboard|authentication error</match>
    <description>sshd: authentication failed.</description>
    <mitre>
      <id>T1110.001</id>
      <id>T1021.004</id>
    </mitre>
    <group>authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

Creating Custom Rules

Example 1: Basic Custom Rule

Instead of editing the default rule, extend it by creating a custom rule in /var/ossec/etc/rules/local_rules.xml that fires after rule 5760 has matched:

<group name="custom_rule,">
  <rule id="100002" level="3">
    <if_sid>5760</if_sid>
    <match>Failed password|Failed keyboard|authentication error</match>
    <description>custom rule for sshd authentication failed.</description>
  </rule>
</group>

Breakdown

  • <group>: Assigns a group name to the rule
  • <rule>: Defines the custom rule ID and alert level
  • <if_sid>: Applies this rule only if rule ID 5760 has already triggered
  • <match>: Matches strings in the event log
  • <description>: Explains the rule's purpose

This rule is general: it specifies no narrowing tags such as <srcip> or <hostname>, so it triggers an alert for every sshd authentication failure regardless of source or destination.

Example 2: Rule Based on Source IP

<group name="custom_rule">
  <rule id="100002" level="3">
    <if_sid>5760</if_sid>
    <match>Failed password|Failed keyboard|authentication error</match>
    <description>Custom rule for SSHD authentication failures.</description>
    <srcip>10.9.8.16</srcip>
    <group>authentication_failed,sshd</group>
    <mitre>
      <id>T1110.001</id>
      <id>T1021.004</id>
    </mitre>
  </rule>
</group>

Additional Tags

  • <group>: Classifies alert
  • <mitre>: Maps TTPs for threat intelligence
  • <srcip>: Only triggers if source IP matches

Example 3: Rule Based on Source IP and Hostname

<group name="custom_rule">
  <rule id="100002" level="3">
    <if_sid>5760</if_sid>
    <match>Failed password|Failed keyboard|authentication error</match>
    <description>Custom rule for SSHD authentication failures.</description>
    <srcip>10.9.8.16</srcip>
    <hostname>t-t</hostname>
    <group>authentication_failed,sshd</group>
    <mitre>
      <id>T1110.001</id>
      <id>T1021.004</id>
    </mitre>
  </rule>
</group>

Additional Tags

  • <srcip>: Triggers only if source IP matches
  • <hostname>: Triggers only if hostname matches
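To see how the tags in Examples 2 and 3 narrow the match, and to catch the two mistakes that stop wazuh-manager from loading a rule file (an ID below 100000 or the same ID used twice, which Examples 2 and 3 would do if pasted together), here is an added, stand-alone evaluator. It is example code, not part of this wiki page or of Wazuh: it re-implements only <if_sid>, <match>, <srcip> and <hostname> against the decoded fields from the wazuh-logtest output above, and assumes Example 3 is renumbered to 100003.

```python
# Added example, not from the wiki page or from Wazuh: evaluates the tags the page's
# rules use (<if_sid>, <match>, <srcip>, <hostname>) and lints rule IDs offline.
import xml.etree.ElementTree as ET

# Examples 2 and 3 from the page in one file; Example 3 is renumbered to 100003
# because Wazuh rejects a second rule with an existing ID (unless overwrite="yes").
LOCAL_RULES = """<group name="custom_rule">
  <rule id="100002" level="3">
    <if_sid>5760</if_sid>
    <match>Failed password|Failed keyboard|authentication error</match>
    <srcip>10.9.8.16</srcip>
  </rule>
  <rule id="100003" level="3">
    <if_sid>5760</if_sid>
    <match>Failed password|Failed keyboard|authentication error</match>
    <srcip>10.9.8.16</srcip>
    <hostname>t-t</hostname>
  </rule>
</group>"""

# Decoded fields of the sample event, as shown in the wazuh-logtest output above.
EVENT = {"full_log": "Jun 05 09:48:16 shuffle sshd[6670]: Failed password for shuffle from 10.9.8.16 port 57868 ssh2",
         "hostname": "shuffle", "srcip": "10.9.8.16", "parent_rule": 5760}

def parse_rules(xml_text):
    """One dict per <rule>; tags the rule omits come back as None or []."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        sids = [int(s) for s in (r.findtext("if_sid") or "").split(",") if s.strip()]
        rules.append({"id": int(r.get("id")), "level": int(r.get("level")), "if_sid": sids,
                      **{t: r.findtext(t) for t in ("match", "srcip", "hostname")}})
    return rules

def lint(rules):
    """Problems that make wazuh-manager refuse the file: low or duplicate IDs."""
    problems, seen = [], set()
    for r in rules:
        if r["id"] < 100000:
            problems.append(f'rule {r["id"]}: custom rule IDs start at 100000')
        if r["id"] in seen:
            problems.append(f'rule {r["id"]}: duplicate ID')
        seen.add(r["id"])
    return problems

def rule_fires(rule, event):
    """Every tag the rule carries must pass; '|' in <match> is OR, as in sregex."""
    return ((not rule["if_sid"] or event["parent_rule"] in rule["if_sid"])
            and (not rule["match"] or any(a in event["full_log"] for a in rule["match"].split("|")))
            and (not rule["srcip"] or rule["srcip"] == event.get("srcip"))
            and (not rule["hostname"] or rule["hostname"] == event.get("hostname")))
```

For the sample event only 100002 fires, because the pre-decoded hostname is shuffle, not t-t. The manager loads rule changes only after sudo systemctl restart wazuh-manager, so restart it once the file passes and then confirm with wazuh-logtest.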