wazuh / wazuh-ruleset

Wazuh - Ruleset
https://wazuh.com

Change alert levels of specific CVEs. #830

Closed michaelvanderbeek closed 3 years ago

michaelvanderbeek commented 3 years ago

|4.1.4-1|Ruleset|standalone all-in-one|Centos|

Hi All,

I was wondering a couple of things. How do you guys handle a CVE that never has an update?

For example,

Received From: (wazuh-test-ubuntu) any->vulnerability-detector Rule: 23506 fired (level 13) -> "CVE-2016-1585 affects apparmor" Portion of the log(s):

Ubuntu logs it as deferred... since 2016... so it might never update. But it's always triggering email alerts at level 13.

Do you create custom rules to ignore it?

<group name="local,syslog,sshd,">
<rule id="23506" level="5" overwrite="yes">
    <if_sid>23501</if_sid>
    <match>CVE-2016-1585 affects apparmor</match>
    <options>no_full_log</options>
    <field name="vulnerability.severity">Critical</field>
    <description>$(vulnerability.cve) affects $(vulnerability.package.name)</description>
</rule>
</group>

Is this a correct rule definition?

Would that work?

Regards,

Michael

JcabreraC commented 3 years ago

Hello,

Exactly. If you want to mute or lower the level of a rule in a particular case, you would have to create a child rule of the one that is being triggered.

In order to check if your rule is correct, I would need the log that is generating the alert.

For the creation of custom rules, see the following documentation: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

On the other hand, you can test if the rule you have created is correct by using the wazuh-logtest tool in the path /var/ossec/bin. Run the tool and then paste the log to check which rule it matches.

Regards, Juan Cabrera

michaelvanderbeek commented 3 years ago

The problem with the above example I put is that ALL level 13 alerts are changed to level 5. I'm not sure how to set the custom rule to only filter one CVE. I'm not even sure what log line to use, since it's coming from the vulnerability detector.

michaelvanderbeek commented 3 years ago

Okay, I found out how to do it correctly.

<group name="vulnerability-detector,gdpr_IV_35.7.d,pci_dss_11.2.1,pci_dss_11.2.3,tsc_CC7.1,tsc_CC7.2,">
    <!-- Child of 23501: only evaluated after 23501 has matched. Level 0 means the event is ignored, so no alert or e-mail. -->
    <rule id="10002" level="0">
        <if_sid>23501</if_sid>
        <options>no_full_log</options>
        <!-- Match on the decoded JSON field, so only this one CVE is affected. -->
        <field name="vulnerability.cve">CVE-2016-1585</field>
        <description>$(vulnerability.cve) has been manually silenced</description>
    </rule>
</group>
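A worked model of the two points in this thread, the child-rule approach JcabreraC describes and the per-CVE `<field>` match michaelvanderbeek ended up with, as an added example that is not part of the issue or of Wazuh's own code. It is a small Python stand-in for the rule walk wazuh-analysisd performs: rules are loaded from XML in the same shape, a child is tried only after its `<if_sid>` parent matched, the deepest match wins, and `<field>` is an OS_Regex search, which is unanchored. Assumptions: 23501 and 23506 keep their real IDs but have simplified bodies; the silencing rule is given id 100002 (the 100000-120000 range Wazuh reserves for custom rules) and is hung under 23506, the rule that actually fires, so its precedence rests only on parent/child depth; the events are constructed, including the near-miss ID CVE-2016-15850 that shows why the CVE pattern should be anchored as ^CVE-2016-1585$; Python's re stands in for OS_Regex, and the patterns used here behave the same in both.

```python
"""Toy model of how wazuh-analysisd walks parent/child rules (added example,
not Wazuh code). Reproduces three behaviours that matter for silencing one CVE:
  - a child (<if_sid>) is tried only after its parent matched; deepest match wins,
    so a level-0 child of the firing rule silences it;
  - <field> is an unanchored OS_Regex search, so CVE-2016-1585 also matches
    CVE-2016-15850 unless anchored with ^ and $;
  - level 0 means "ignored": no alert, no e-mail.
Python's re stands in for OS_Regex; the patterns used here behave identically.
"""
import re
import xml.etree.ElementTree as ET

# Constructed ruleset (assumption): 23501/23506 keep the real Wazuh IDs with
# simplified bodies; 100002 is the silencer, in the custom range 100000-120000.
# __CVE_PATTERN__ is filled in by load_rules().
RULES_XML = """
<group name="vulnerability-detector,">
  <rule id="23501" level="3">
    <decoded_as>json</decoded_as>
    <field name="vulnerability.cve">^CVE-</field>
    <description>Vulnerability detected</description>
  </rule>
  <rule id="23506" level="13">
    <if_sid>23501</if_sid>
    <field name="vulnerability.severity">Critical</field>
    <description>$(vulnerability.cve) affects $(vulnerability.package.name)</description>
  </rule>
  <rule id="100002" level="0">
    <if_sid>23506</if_sid>
    <field name="vulnerability.cve">__CVE_PATTERN__</field>
    <description>$(vulnerability.cve) has been manually silenced</description>
  </rule>
</group>
"""

# Constructed decoded events in the shape vulnerability-detector emits.
# CVE-2016-15850 is a made-up near-miss ID used to show the anchoring pitfall.
EVENTS = [
    {"vulnerability": {"cve": "CVE-2016-1585", "severity": "Critical", "package": {"name": "apparmor"}}},
    {"vulnerability": {"cve": "CVE-2016-15850", "severity": "Critical", "package": {"name": "libfoo"}}},
    {"vulnerability": {"cve": "CVE-2021-3156", "severity": "Critical", "package": {"name": "sudo"}}},
    {"vulnerability": {"cve": "CVE-2016-1585", "severity": "Medium", "package": {"name": "apparmor"}}},
]


def lookup(event, dotted):
    """Resolve a dotted field name such as vulnerability.package.name."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, str) else None


class Rule:
    def __init__(self, el):
        self.id = int(el.get("id"))
        self.level = int(el.get("level"))
        self.parent = int(el.findtext("if_sid")) if el.findtext("if_sid") else None
        self.fields = [(f.get("name"), re.compile(f.text)) for f in el.findall("field")]
        self.description = el.findtext("description", "")
        self.children = []

    def matches(self, event):
        # Every <field> must match; re.search mirrors OS_Regex's unanchored search.
        for name, rx in self.fields:
            value = lookup(event, name)
            if value is None or not rx.search(value):
                return False
        return True


def load_rules(cve_pattern="^CVE-2016-1585$"):
    """Parse RULES_XML into a tree and return the root (parentless) rules."""
    rules = {}
    for el in ET.fromstring(RULES_XML.replace("__CVE_PATTERN__", cve_pattern).strip()).iter("rule"):
        rule = Rule(el)
        rules[rule.id] = rule
    roots = []
    for rule in rules.values():
        (roots if rule.parent is None else rules[rule.parent].children).append(rule)
    return roots


def evaluate(rules, event):
    """First matching rule at this depth, then descend; the deepest match wins."""
    for rule in rules:
        if rule.matches(event):
            return evaluate(rule.children, event) or rule
    return None


def render(rule, event):
    """Expand $(field) placeholders in the description, as alerts show them."""
    return re.sub(r"\$\(([\w.]+)\)", lambda m: lookup(event, m.group(1)) or "", rule.description)


def alert_for(event, roots):
    """Return (rule id, level, description), or None if nothing matched."""
    rule = evaluate(roots, event)
    return None if rule is None else (rule.id, rule.level, render(rule, event))


def silenced_cves(cve_pattern):
    """CVEs from EVENTS that land on a level-0 rule under the given pattern."""
    roots = load_rules(cve_pattern)
    return sorted({e["vulnerability"]["cve"] for e in EVENTS if alert_for(e, roots)[1] == 0})


if __name__ == "__main__":
    roots = load_rules()
    for event in EVENTS:
        rid, level, desc = alert_for(event, roots)
        state = "dropped (level 0)" if level == 0 else f"alert level {level}"
        print(f"rule {rid:>6}  {state:<18} {desc}")
    print("unanchored CVE-2016-1585 silences:", silenced_cves("CVE-2016-1585"))
    print("anchored ^CVE-2016-1585$ silences:", silenced_cves("^CVE-2016-1585$"))
```

Running it prints one line per constructed event: the Critical CVE-2016-1585 event lands on 100002 at level 0, the other Critical events stay on 23506 at level 13, and the Medium one falls back to 23501. The last two lines show that the unanchored pattern also swallows the near-miss ID. This model does not replace the real check: paste the actual decoded vulnerability-detector event into wazuh-logtest and confirm which rule it ends on before relying on the silencer.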