Closed michaelvanderbeek closed 3 years ago

|4.1.4-1|Ruleset|standalone all-in-one|Centos|

Hi All,
I was wondering a couple of things. How do you handle a CVE that never gets an update?
For example:
Received From: (wazuh-test-ubuntu) any->vulnerability-detector Rule: 23506 fired (level 13) -> "CVE-2016-1585 affects apparmor" Portion of the log(s):
Ubuntu logs it as deferred, and has since 2016, so it might never be updated. But it is always triggering email alerts at level 13.
Do you create custom rules to ignore it?
Is this a correct rule definition?
Would that work?
Regards,
Michael

Hello,
Exactly. If you want to mute or lower the level of a rule in a particular case, you have to create a child rule of the one that is being triggered.
In order to check whether your rule is correct, I would need the log that is generating the alert.
For the creation of custom rules, see the following documentation: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html
On the other hand, you can test whether the rule you have created is correct by using the wazuh-logtest tool in the path /var/ossec/bin. Run the tool and then paste the log to check which rule it matches.
Regards, Juan Cabrera

The problem with the example I put above is that ALL level 13 alerts are changed to level 5. I'm not sure how to set the custom rule to only filter one CVE. I'm not even sure which log line to use, since it is coming from the vulnerability detector.

Okay, I found out how to do it correctly.

  <group name="vulnerability-detector,gdpr_IV_35.7.d,pci_dss_11.2.1,pci_dss_11.2.3,tsc_CC7.1,tsc_CC7.2,">
    <rule id="10002" level="0">
      <if_sid>23501</if_sid>
      <options>no_full_log</options>
      <field name="vulnerability.cve">CVE-2016-1585</field>
      <description>$(vulnerability.cve) has been manually silenced</description>
    </rule>
  </group>
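As an added example that is not part of the thread and is neither Wazuh's nor Michael's code: a small Python lint over a constructed local_rules.xml. It flags the broad override Michael first tried (every critical vulnerability alert demoted) next to the CVE-scoped level-0 rule, and emulates how a literal <field> pattern is matched so you can see that only the named CVE is caught. It assumes rule IDs 23500-23506 are the stock vulnerability-detector rules (the thread shows 23501 and 23506 in that group) and that <field> patterns are OS_Regex searches, unanchored unless ^ and $ are given; the rules file and the decoded events are constructed for the example.

```python
"""Lint Wazuh local rules that override vulnerability-detector alerts.

Added example for this thread; it is not Wazuh code. It catches the mistake
described above (a child rule that lowers or silences vulnerability-detector
alerts without a <field name="vulnerability.cve"> restriction applies to
every CVE) and emulates how a literal <field> pattern is matched.

Assumptions: rule IDs 23500-23506 are the stock vulnerability-detector rules
(the thread shows 23501 and 23506 in that group); <field> patterns are
OS_Regex searches, i.e. unanchored unless ^ and $ are given; the rules file
and the decoded events below are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

VULN_DETECTOR_SIDS = set(range(23500, 23507))   # assumption, see docstring
CVE_PATTERN = re.compile(r"^\^?CVE-\d{4}-\d{4,}\$?$")

# Constructed local_rules.xml: a broad override next to the scoped one.
SAMPLE_LOCAL_RULES = """<group name="vulnerability-detector,">
  <!-- broad: demotes every critical vulnerability alert -->
  <rule id="10001" level="5">
    <if_sid>23506</if_sid>
    <description>Critical vulnerabilities lowered</description>
  </rule>
  <!-- scoped: silences one deferred CVE only -->
  <rule id="10002" level="0">
    <if_sid>23501</if_sid>
    <options>no_full_log</options>
    <field name="vulnerability.cve">CVE-2016-1585</field>
    <description>$(vulnerability.cve) has been manually silenced</description>
  </rule>
</group>
"""

# Constructed decoded events (only the fields the rules look at).
SAMPLE_EVENTS = [
    {"vulnerability.cve": "CVE-2016-1585", "vulnerability.package.name": "apparmor"},
    {"vulnerability.cve": "CVE-2021-3156", "vulnerability.package.name": "sudo"},
]


def parse_rules(xml_text):
    """Return one dict per <rule>: id, level, if_sid list and field patterns."""
    # local_rules.xml may hold several <group> roots; wrap them so ET accepts it.
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    rules = []
    for rule in root.iter("rule"):
        if_sids = []
        for node in rule.findall("if_sid"):
            if_sids += [int(s) for s in (node.text or "").split(",") if s.strip()]
        rules.append({
            "id": int(rule.get("id")),
            "level": int(rule.get("level", "0")),
            "if_sid": if_sids,
            "fields": {f.get("name"): (f.text or "").strip()
                       for f in rule.findall("field")},
        })
    return rules


def lint(rules):
    """Return (rule_id, severity, message) for overrides that are too broad."""
    findings = []
    for r in rules:
        if not set(r["if_sid"]) & VULN_DETECTOR_SIDS:
            continue   # not a vulnerability-detector override
        cve = r["fields"].get("vulnerability.cve")
        if cve is None:
            findings.append((r["id"], "error",
                             'applies to every CVE; add <field name="vulnerability.cve">'))
        elif not CVE_PATTERN.match(cve):
            findings.append((r["id"], "error", f"unexpected CVE pattern {cve!r}"))
        elif not (cve.startswith("^") and cve.endswith("$")):
            findings.append((r["id"], "info",
                             "pattern is unanchored; ^...$ limits it to the exact ID"))
    return findings


def field_matches(pattern, value):
    """Emulate a literal OS_Regex search: substring unless ^ and/or $ anchor it."""
    literal = pattern.lstrip("^").rstrip("$")
    if pattern.startswith("^") and pattern.endswith("$"):
        return value == literal
    if pattern.startswith("^"):
        return value.startswith(literal)
    if pattern.endswith("$"):
        return value.endswith(literal)
    return literal in value


def silencers_for(rules, events):
    """Map each event's CVE to the level-0, field-scoped rules that would catch it."""
    result = {}
    for ev in events:
        hits = [r["id"] for r in rules
                if r["level"] == 0 and r["fields"]
                and all(field_matches(p, ev.get(name, ""))
                        for name, p in r["fields"].items())]
        result[ev["vulnerability.cve"]] = hits
    return result


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_LOCAL_RULES)
    for rule_id, severity, msg in lint(rules):
        print(f"rule {rule_id}: {severity}: {msg}")
    print(silencers_for(rules, SAMPLE_EVENTS))
```

To check your own file, pass the contents of local_rules.xml to parse_rules() and run lint() on the result; the "error" finding is the blanket override from the first attempt, the "info" finding is the unanchored CVE string in the working rule. The emulation only covers literal CVE patterns; which rule actually wins for a given event is still best confirmed with wazuh-logtest, as Juan suggests.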