adding custom rules/decoders files
This commit is contained in:
parent
5e8380934e
commit
87cd7c214f
@ -0,0 +1,25 @@
|
|||||||
|
<!-- Local Decoders -->
|
||||||
|
|
||||||
|
<!-- Modify it at your will. -->
|
||||||
|
|
||||||
|
<!--
|
||||||
|
- Allowed static fields:
|
||||||
|
- location - where the log came from (only on FTS)
|
||||||
|
- srcuser - extracts the source username
|
||||||
|
- dstuser - extracts the destination (target) username
|
||||||
|
- user - an alias to dstuser (only one of the two can be used)
|
||||||
|
- srcip - source ip
|
||||||
|
- dstip - dst ip
|
||||||
|
- srcport - source port
|
||||||
|
- dstport - destination port
|
||||||
|
- protocol - protocol
|
||||||
|
- id - event id
|
||||||
|
- url - url of the event
|
||||||
|
- action - event action (deny, drop, accept, etc)
|
||||||
|
- status - event status (success, failure, etc)
|
||||||
|
- extra_data - Any extra data
|
||||||
|
-->
|
||||||
|
|
||||||
|
<decoder name="sample_custom_decoder">
|
||||||
|
<program_name>sample_custom_decoder</program_name>
|
||||||
|
</decoder>
|
||||||
@ -0,0 +1,18 @@
|
|||||||
|
<!-- Local rules -->
|
||||||
|
|
||||||
|
<!-- Modify it at your will. -->
|
||||||
|
|
||||||
|
<!-- Example -->
|
||||||
|
<group name="local,syslog,sshd,">
|
||||||
|
|
||||||
|
<!--
|
||||||
|
Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
|
||||||
|
-->
|
||||||
|
<rule id="200001" level="5">
|
||||||
|
<if_sid>5716</if_sid>
|
||||||
|
<srcip>1.1.1.1</srcip>
|
||||||
|
<description>sshd: authentication failed from IP 1.1.1.1.</description>
|
||||||
|
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
|
||||||
|
</rule>
|
||||||
|
|
||||||
|
</group>
|
||||||
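Review bot: The example rule `<rule id="200001" level="5">` uses an id outside the 100000–120000 range that Wazuh's documentation reserves for local/custom rules, and the upstream sample file ships `<rule id="100001" level="5">`; worth confirming against the ruleset documentation before this file is deployed, since an out-of-range id may be rejected or collide with a distributed rule. The rule is also live rather than commented out, so every sshd failure from 1.1.1.1 will fire it at level 5 once the file is loaded; a comment such as `<!-- Example only: replace or remove before production use -->` above the rule would make that intent explicit to whoever edits the file.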
@ -167,6 +167,9 @@ wazuh_manager_config:
|
|||||||
executable: 'route-null.cmd'
|
executable: 'route-null.cmd'
|
||||||
expect: 'srcip'
|
expect: 'srcip'
|
||||||
timeout_allowed: 'yes'
|
timeout_allowed: 'yes'
|
||||||
|
ruleset:
|
||||||
|
rules_path: '/etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-manager/custom_ruleset/rules/'
|
||||||
|
decoders_path: '/etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-manager/custom_ruleset/decoders/'
|
||||||
rule_exclude:
|
rule_exclude:
|
||||||
- '0215-policy_rules.xml'
|
- '0215-policy_rules.xml'
|
||||||
active_responses:
|
active_responses:
|
||||||
|
|||||||
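Review bot: `rules_path` and `decoders_path` hard-code an absolute checkout location, `/etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-manager/custom_ruleset/…`, so the copy tasks that consume them fail as soon as the role is installed anywhere else (a Galaxy roles directory, a different controller path, a CI checkout). Ansible's `role_path` variable yields the same location portably: `rules_path: "{{ role_path }}/custom_ruleset/rules/"` and `decoders_path: "{{ role_path }}/custom_ruleset/decoders/"`. The trailing slash is load-bearing: the copy module copies only the directory contents when the source ends in `/`, otherwise the directory itself lands under the destination and the files are never loaded, so a comment `# trailing slash required: copy the directory contents, not the directory` above the two keys would protect users who override them. The enclosing `wazuh_manager_config` mapping starts outside the hunk.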
@ -96,6 +96,18 @@
|
|||||||
- config
|
- config
|
||||||
- rules
|
- rules
|
||||||
|
|
||||||
|
- name: Adding local rules files
|
||||||
|
copy: src="{{ wazuh_manager_config.ruleset.rules_path }}"
|
||||||
|
dest=/var/ossec/etc/rules/
|
||||||
|
owner=root
|
||||||
|
group=ossec
|
||||||
|
mode=0640
|
||||||
|
notify: restart wazuh-manager
|
||||||
|
tags:
|
||||||
|
- init
|
||||||
|
- config
|
||||||
|
- rules
|
||||||
|
|
||||||
- name: Installing the local_decoder.xml
|
- name: Installing the local_decoder.xml
|
||||||
template: src=var-ossec-rules-local_decoder.xml.j2
|
template: src=var-ossec-rules-local_decoder.xml.j2
|
||||||
dest=/var/ossec/etc/decoders/local_decoder.xml
|
dest=/var/ossec/etc/decoders/local_decoder.xml
|
||||||
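Review bot: The new `copy:` task under `- name: Adding local rules files` passes its arguments as a `key=value` string spread over continuation lines, while the existing `Configure the shared-agent.conf` task in the same file uses a YAML block mapping (`template:` / `src:`); the `Adding local decoders files` task in the next hunk has the same shape. Block form keeps the file consistent, lets yamllint and ansible-lint see the individual arguments, and removes the risk of a multi-line plain scalar being folded differently than intended. When written as a mapping, quote the mode (`mode: "0640"`) so the value does not depend on the YAML parser's octal handling — Ansible accepts a leading-zero literal or a quoted string, but a value without the leading zero would be read as decimal and give the wrong permissions.
```yaml
- name: Adding local rules files
  copy:
    src: "{{ wazuh_manager_config.ruleset.rules_path }}"
    dest: /var/ossec/etc/rules/
    owner: root
    group: ossec
    mode: "0640"
  notify: restart wazuh-manager
  # … unchanged: tags …
```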
@ -108,6 +120,18 @@
|
|||||||
- config
|
- config
|
||||||
- rules
|
- rules
|
||||||
|
|
||||||
|
- name: Adding local decoders files
|
||||||
|
copy: src="{{ wazuh_manager_config.ruleset.decoders_path }}"
|
||||||
|
dest=/var/ossec/etc/decoders/
|
||||||
|
owner=root
|
||||||
|
group=ossec
|
||||||
|
mode=0640
|
||||||
|
notify: restart wazuh-manager
|
||||||
|
tags:
|
||||||
|
- init
|
||||||
|
- config
|
||||||
|
- rules
|
||||||
|
|
||||||
- name: Configure the shared-agent.conf
|
- name: Configure the shared-agent.conf
|
||||||
template:
|
template:
|
||||||
src: var-ossec-etc-shared-agent.conf.j2
|
src: var-ossec-etc-shared-agent.conf.j2
|
||||||
|
|||||||
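Review bot: The new `Adding local decoders files` task copies the whole `decoders_path` directory into `/var/ossec/etc/decoders/` right after the existing `Installing the local_decoder.xml` task has rendered `/var/ossec/etc/decoders/local_decoder.xml` from its template. If the custom decoders directory contains a file of that same name — the 25-line decoder file added by this commit looks like one, though its path is not shown on this page — the copy would overwrite the rendered template on every run, both tasks would report changed and notify the handler, and the play would never converge. Either retire the template task in favour of the copied file, or keep them apart and document the precedence with a comment such as `# local_decoder.xml is rendered by the template task above; do not ship one under decoders_path`.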