Wazuh Custom Rule Creation

From Notes_Wiki
Revision as of 16:26, 5 June 2025 by Sunilvarma (talk | contribs)

In Wazuh, we have two types of rules:

  1. Default rules
  2. Custom rules

Default Rules

Wazuh’s default rules are pre-configured rules included with every Wazuh installation. These can be found on the Wazuh server at:

/var/ossec/ruleset/rules/

These rules are designed to monitor a broad spectrum of security events and log sources, providing a solid foundation for detecting common security threats. They help identify different types of attacks, vulnerabilities, and suspicious activities.

Note: Modifying existing rules is not recommended.

Custom Rules

Custom rules define the specific conditions or patterns under which Wazuh triggers an alert.

They allow users to tailor security monitoring to meet specific needs. Unlike default rules, custom rules are created and managed by users and are defined in the file:

/var/ossec/etc/rules/local_rules.xml

Basic Structure of a Custom Rule

<group name="custom_name,">
  <rule id="100010" level="5">
    <if_sid>...</if_sid>
    <match>...</match>
    <description>...</description>
  </rule>
</group>

How to Check If an Alert Is Triggering for a Log

Use the wazuh-logtest utility shipped with the Wazuh manager.

Example Event Log

Jun 05 09:48:16 shuffle sshd[6670]: Failed password for shuffle from 10.9.8.16 port 57868 ssh2

Run /var/ossec/bin/wazuh-logtest and paste the above log.

Example Output

**Phase 1: Completed pre-decoding.
    full event: 'Jun 05 09:48:16 shuffle sshd[6670]: Failed password for shuffle from 10.9.8.16 port 57868 ssh2'
    timestamp: 'Jun 05 09:48:16'
    hostname: 'shuffle'
    program_name: 'sshd'

**Phase 2: Completed decoding.
    name: 'sshd'
    parent: 'sshd'
    dstuser: 'shuffle'
    srcip: '10.9.8.16'
    srcport: '57868'

**Phase 3: Completed filtering (rules).
    id: '5760'
    level: '5'
    description: 'sshd: authentication failed.'
    groups: '['syslog', 'sshd', 'authentication_failed']'
    firedtimes: '1'
    gdpr: '['IV_35.7.d', 'IV_32.2']'
    gpg13: '['7.1']'
    hipaa: '['164.312.b']'
    mail: 'False'
    mitre.id: '['T1110.001', 'T1021.004']'
    mitre.tactic: '['Credential Access', 'Lateral Movement']'
    mitre.technique: '['Password Guessing', 'SSH']'
    nist_800_53: '['AU.14', 'AC.7']'
    pci_dss: '['10.2.4', '10.2.5']'
    tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.

This confirms that the event log triggers an alert with:

  • rule.id: 5760
  • rule.level: 5
  • description: sshd: authentication failed
  • groups: syslog, sshd, authentication_failed

Rule Definition That Triggered the Above Log

<group name="syslog,sshd,">
  <rule id="5760" level="5">
    <if_sid>5700,5716</if_sid>
    <match>Failed password|Failed keyboard|authentication error</match>
    <description>sshd: authentication failed.</description>
    <mitre>
      <id>T1110.001</id>
      <id>T1021.004</id>
    </mitre>
    <group>authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

Creating Custom Rules

Example 1: Basic Custom Rule

Refine the default alert by creating a custom child rule in /var/ossec/etc/rules/local_rules.xml:

<group name="custom_rule,">
  <rule id="100002" level="3">
    <if_sid>5760</if_sid>
    <match>Failed password|Failed keyboard|authentication error</match>
    <description>custom rule for sshd authentication failed.</description>
  </rule>
</group>

Breakdown

  • <group>: Assigns a group name to the rule
  • <rule>: Defines the custom rule ID and alert level
  • <if_sid>: Applies this rule only if rule ID 5760 is triggered
  • <match>: Matches strings in the event log
  • <description>: Explains the rule’s purpose

This rule is general and doesn't specify tags like IP or hostname, so it will trigger alerts regardless of source or destination.

Example 2: Rule Based on Source IP

<group name="custom_rule">
  <rule id="100002" level="3">
    <if_sid>5760</if_sid>
    <match>Failed password|Failed keyboard|authentication error</match>
    <description>Custom rule for SSHD authentication failures.</description>
    <srcip>10.9.8.16</srcip>
    <group>authentication_failed,sshd</group>
    <mitre>
      <id>T1110.001</id>
      <id>T1021.004</id>
    </mitre>
  </rule>
</group>

Additional Tags

  • <group>: Classifies alert
  • <mitre>: Maps TTPs for threat intelligence
  • <srcip>: Only triggers if source IP matches

Example 3: Rule Based on Source IP and Hostname

<group name="custom_rule">
  <rule id="100002" level="3">
    <if_sid>5760</if_sid>
    <match>Failed password|Failed keyboard|authentication error</match>
    <description>Custom rule for SSHD authentication failures.</description>
    <srcip>10.9.8.16</srcip>
    <hostname>t-t</hostname>
    <group>authentication_failed,sshd</group>
    <mitre>
      <id>T1110.001</id>
      <id>T1021.004</id>
    </mitre>
  </rule>
</group>

Additional Tags

  • <srcip>: Triggers only if source IP matches
  • <hostname>: Triggers only if hostname matches
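To check Examples 1 to 3 against the decoded fields that wazuh-logtest reported for the example event, here is an added Python script (not part of the page or of Wazuh) that parses a constructed local_rules.xml fragment, flags duplicate or out-of-range rule ids, and reports which rules would fire. The <match> and <hostname> semantics are a simplified approximation (alternatives separated by "|", each a plain substring test), and each rule is given its own id here because the loader rejects duplicates.

```python
import xml.etree.ElementTree as ET
# Constructed local_rules.xml fragment: the page's three custom rules, each given
# its own id here because Wazuh's ruleset loader rejects duplicate rule ids.
LOCAL_RULES = """<group name="custom_rule,">
  <rule id="100002" level="3">
    <if_sid>5760</if_sid>
    <match>Failed password|Failed keyboard|authentication error</match>
    <description>custom rule for sshd authentication failed.</description>
  </rule>
  <rule id="100003" level="3">
    <if_sid>5760</if_sid>
    <match>Failed password|Failed keyboard|authentication error</match>
    <srcip>10.9.8.16</srcip>
    <description>Custom rule for SSHD authentication failures.</description>
  </rule>
  <rule id="100004" level="3">
    <if_sid>5760</if_sid>
    <match>Failed password|Failed keyboard|authentication error</match>
    <srcip>10.9.8.16</srcip>
    <hostname>t-t</hostname>
    <description>Custom rule for SSHD authentication failures.</description>
  </rule>
</group>"""

# Fields wazuh-logtest decoded from the page's example event (Phases 1-3).
EVENT = {"full_log": "Jun 05 09:48:16 shuffle sshd[6670]: Failed password for "
         "shuffle from 10.9.8.16 port 57868 ssh2",
         "hostname": "shuffle", "srcip": "10.9.8.16", "parent_sid": "5760"}

def os_match(pattern, text):
    """Simplified <match>/<hostname> semantics: '|' is OR, each alternative a substring."""
    return any(alt in text for alt in pattern.split("|"))

def check_rules(xml_text, event=EVENT):
    """Return (problems, fired): id problems, and ids of rules whose conditions all hold."""
    problems, fired, seen = [], [], set()
    for rule in ET.fromstring(xml_text).iter("rule"):
        rid = rule.get("id")
        if rid in seen:
            problems.append(f"duplicate rule id {rid}")
        seen.add(rid)
        if not 100000 <= int(rid) <= 120000:  # documented custom-rule id range
            problems.append(f"rule {rid} outside custom id range 100000-120000")
        cond = {c.tag: (c.text or "").strip() for c in rule}
        ok = "if_sid" not in cond or event["parent_sid"] in cond["if_sid"].split(",")
        ok = ok and os_match(cond.get("match", ""), event["full_log"])
        ok = ok and cond.get("srcip", event["srcip"]) == event["srcip"]
        ok = ok and os_match(cond.get("hostname", event["hostname"]), event["hostname"])
        if ok: fired.append(rid)
    return problems, fired
```

Run against the example event, rules 100002 and 100003 fire while 100004 does not, because the event's hostname is shuffle, not t-t.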