Hi! Hope you're doing well.

First of all, sorry for the late response. I'm sharing with you an article from our Wazuh Docs that you may find interesting: XML labels used to configure rules <https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#overview>.

If the decoder you are using is currently parsing the user field, you can do the following:

<group name="test,">
  <rule id="110001" level="0">
    <if_sid>40101</if_sid>
    <user>JOHN</user>
    <srcip>XX.XX.XX.XX</srcip>
    <description>No alert.</description>
  </rule>
</group>

If you encounter any troubles doing this, please provide me with a log sample to verify the decode process.

Regards,
Alexis

On Tuesday, January 18, 2022 at 9:31:59 PM UTC-3 lautaro....@gmail.com wrote:
> Hello, how are you?
>
> I'm new to this, and I don't fully understand the rules.
> Predefined rule example:
>
> <group name="syslog,attacks,">
>   <rule id="40101" level="12">
>     <if_group>authentication_success</if_group>
>     <user>$SYS_USERS</user>
>     <description>System user successfully logged to the system.</description>
>     <mitre>
>       <id>T1078</id>
>     </mitre>
>     <group>invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_$
>   </rule>
>
> I would like to create an exception, so that it doesn't raise alerts when events are fired from XX.XX.XX.XX and JHON (user).
>
> What I try to do:
>
> <group name="test,">
>   <rule id="110001" level="0">
>     <if_sid>40101</if_sid>
>     <match>user JHON</match>
>     <srcip>XX.XX.XX.XX</srcip>
>     <description>No alert.</description>
>   </rule>
> </group>
>
> How do I indicate that it should not alert if both conditions are met? I am somewhat lost.
> Thank you.
>
> Sorry for my bad English.
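As an added illustration (not from the thread and not Wazuh's own rule engine), here is a small Python model of why the reply's rule works: every field inside one rule must match (AND), a child rule with <if_sid> replaces its parent only when all of its fields match, and a level-0 winner produces no alert. It assumes a simplified matcher (<user> as a regex over the decoded user field, <srcip> as an address or CIDR), a constructed $SYS_USERS list, and 192.0.2.10 standing in for XX.XX.XX.XX.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed rule set modelled on the thread: stock rule 40101 plus the level-0
# exception 110001 from the reply; 192.0.2.10 stands in for XX.XX.XX.XX and the
# $SYS_USERS pattern below is a made-up stand-in for Wazuh's variable.
RULES_XML = """<root>
<group name="syslog,attacks,"><rule id="40101" level="12">
  <if_group>authentication_success</if_group><user>$SYS_USERS</user>
  <description>System user successfully logged to the system.</description>
</rule></group>
<group name="test,"><rule id="110001" level="0">
  <if_sid>40101</if_sid><user>JOHN</user><srcip>192.0.2.10</srcip>
  <description>No alert.</description>
</rule></group></root>"""
VARIABLES = {"$SYS_USERS": "^(root|JOHN|admin)$"}
RULES = list(ET.fromstring(RULES_XML).iter("rule"))

def user_matches(rule, value):
    # <user> is a regex over the *decoded* user field; if the decoder did not
    # extract a user (value is None) the rule cannot match, as the reply warns.
    pattern = rule.findtext("user")
    return pattern is None or (value is not None and re.search(VARIABLES.get(pattern, pattern), value) is not None)

def srcip_matches(rule, value):
    # <srcip> is an address or CIDR, not a regex: 192.0.2.10 does not cover 192.0.2.100.
    text = rule.findtext("srcip")
    return text is None or (value is not None and ipaddress.ip_address(value) in ipaddress.ip_network(text, strict=False))

def evaluate(rules, event):
    """Return the (rule id, level) that wins for a decoded event dict with keys
    'groups', 'user', 'srcip'; fields in one rule are ANDed, and a child with
    <if_sid> overrides its parent only when every one of its fields matches."""
    winner = None
    for rule in rules:
        parent = rule.findtext("if_sid")
        if parent and (winner is None or winner[0] != parent):
            continue
        group = rule.findtext("if_group")
        if group and group not in event.get("groups", ()):
            continue
        if user_matches(rule, event.get("user")) and srcip_matches(rule, event.get("srcip")):
            winner = (rule.get("id"), int(rule.get("level")))
    return winner

def alerts(rules, event):
    """Level-0 rules are never alerted, which is how 110001 silences 40101."""
    winner = evaluate(rules, event)
    return winner is not None and winner[1] > 0
```

Run `alerts(RULES, {"groups": {"authentication_success"}, "user": "JOHN", "srcip": "192.0.2.10"})` to see the suppressed case; change either the user or the source address and rule 40101 wins again.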