Skip to content
This repository was archived by the owner on Oct 7, 2025. It is now read-only.
Closed
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 19 additions & 6 deletions roles/debian/wazuh/files/custom_wazuh_rules.xml
Original file line number Diff line number Diff line change
@@ -1,18 +1,31 @@
<!-- Custom rules -->
<group name="web,accesslog">
<rule id="31151" level="10" frequency="200" timeframe="3600" overwrite="yes">
<if_matched_sid>31101</if_matched_sid>
<!-- Disable original 31151 rule -->
<rule id="31151" level="0" overwrite="yes">
<description>Disabled to prevent false positives.</description>
</rule>

<!-- Match HTTP 401 Unauthorized responses using regex -->
<rule id="41101" level="5">
<if_sid>31151</if_sid>
<regex type="pcre2">^\S+\s+-\s+(?!-)\S+\s+\[.*?\]\s+".*?"\s+401\s</regex>
<description>HTTP 401 Unauthorized response</description>
<group>web,accesslog</group>
</rule>

<!-- Correlation rule for multiple 401s -->
<rule id="41151" level="10" frequency="200" timeframe="3600">
<if_matched_sid>41101</if_matched_sid>
<same_source_ip />
<description>Multiple web server 400 error codes</description>
<description>from the same source IP.</description>
<description>Multiple 401 Unauthorized responses from the same source IP</description>
<mitre>
<id>T1595.002</id>
</mitre>
<group>web_scan,recon,pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<group>web_scan,recon</group>
</rule>
</group>

<group name="whitelist,">
<group name="whitelist">
<rule id="100102" level="0">
<if_sid>521</if_sid>
<match>scantem</match>
Expand Down