From 8fc365c032475cdaeea0b818c3711fa46eaea3d9 Mon Sep 17 00:00:00 2001
From: Drazen
Date: Wed, 16 Apr 2025 11:53:12 +0200
Subject: [PATCH 1/3] Wazuh-http-auth-protection

---
 .../wazuh/files/rules/custom_wazuh_rules.xml | 26 +++++++++++++++++++
 roles/debian/wazuh/tasks/main.yml | 12 +++++++++
 2 files changed, 38 insertions(+)
 create mode 100644 roles/debian/wazuh/files/rules/custom_wazuh_rules.xml

diff --git a/roles/debian/wazuh/files/rules/custom_wazuh_rules.xml b/roles/debian/wazuh/files/rules/custom_wazuh_rules.xml
new file mode 100644
index 000000000..8b9728ada
--- /dev/null
+++ b/roles/debian/wazuh/files/rules/custom_wazuh_rules.xml
@@ -0,0 +1,26 @@
+
+
+
+
+ HTTP 401 response code
+ web-accesslog
+ " 401
+
+
+
+
+ 100100
+
+ Multiple 401 errors from same source IP (possible brute force attempt)
+ no_full_log
+
+
+
+
+
+ 521
+ scantem
+ Whitelist alerts containing 'scantem' in the title.
+ no_full_log
+
+
diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml
index a3bf6056b..78a595f16 100644
--- a/roles/debian/wazuh/tasks/main.yml
+++ b/roles/debian/wazuh/tasks/main.yml
@@ -139,6 +139,18 @@
   ignore_errors: true
   changed_when: false
 
+- name: Deploy custom Wazuh local rules
+  ansible.builtin.copy:
+    src: custom_401_rules.xml
+    dest: "{{ wazuh_dir | default('/var/ossec') }}/etc/rules/custom_401_rules.xml"
+    owner: wazuh
+    group: wazuh
+    mode: '0640'
+  notify: restart wazuh-manager
+  tags:
+    - rules
+  when: "'wazuh-manager.service' in wazuh_service.stdout"
+
 - name: Write the password to /var/ossec/etc/authd.pass
   ansible.builtin.copy:
     dest: /var/ossec/etc/authd.pass

From 8a5678eab341293ae6ca70d9004ac83e284314f0 Mon Sep 17 00:00:00 2001
From: Drazen
Date: Wed, 16 Apr 2025 12:04:12 +0200
Subject: [PATCH 2/3] Wazuh-http-auth-protection-2

---
 roles/debian/wazuh/tasks/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
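Review bot: Rule 100100 in the new rules file detects 401 responses by matching the literal substring `" 401` in `web-accesslog` events, which ties it to the quoted-request Common/Combined log layout and will not fire for access logs written in another format; if the decoder in use populates the decoded status field, as the stock web-accesslog decoder does, matching on that field (e.g. `<id>^401$</id>`) is more robust than matching raw text. The level, frequency, timeframe and same-source attributes of the correlation rule are not legible in this rendering, so please add a header comment stating the threshold chosen and the rationale for it, since that is what determines how many failed logins an attacker gets before an alert. The third rule, which suppresses rule 521 events containing 'scantem', is unrelated to HTTP 401 handling and silences alerts, so it needs its own comment explaining what 'scantem' is and why those events are safe to drop, or better, its own file so the suppression stays visible to reviewers. `no_full_log` on the brute-force rule also removes the triggering log line from the alert, which makes triage of the offending source harder; confirm that is intended.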
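Review bot: The new copy task builds `dest` from `wazuh_dir | default('/var/ossec')`, while the task directly below it hard-codes `/var/ossec/etc/authd.pass`, so an override of `wazuh_dir` would put the rules file under one prefix and the rest of the role's files under another; use the same expression in both places or drop the variable here. The task notifies `restart wazuh-manager` with no check that the copied rules parse, so a malformed rule file is deployed and then takes the manager down on restart until it is fixed by hand; a validation task that runs the manager's configuration test before the handler fires would catch that. The `when:` guard reads `wazuh_service.stdout`, and the task that registers it lies outside this hunk while the preceding context shows a task with `ignore_errors: true`, so it is worth confirming that `stdout` is defined on every path that reaches this task, since a skipped or failed registration would make the condition itself error. `mode: '0640'` with `owner`/`group` `wazuh` is the least read access the manager needs, which is fine.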
diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml
index 78a595f16..6195e7a06 100644
--- a/roles/debian/wazuh/tasks/main.yml
+++ b/roles/debian/wazuh/tasks/main.yml
@@ -141,8 +141,8 @@
 
 - name: Deploy custom Wazuh local rules
   ansible.builtin.copy:
-    src: custom_401_rules.xml
-    dest: "{{ wazuh_dir | default('/var/ossec') }}/etc/rules/custom_401_rules.xml"
+    src: custom_wazuh_rules.xml
+    dest: "{{ wazuh_dir | default('/var/ossec') }}/etc/rules/custom_wazuh_rules.xml"
     owner: wazuh
     group: wazuh
     mode: '0640'

From b4fec44b067fa9b9f3ef1a428d8d872eeb74338b Mon Sep 17 00:00:00 2001
From: Drazen
Date: Wed, 16 Apr 2025 14:10:11 +0200
Subject: [PATCH 3/3] Wazuh-http-auth-protection-PR-2.x

---
 roles/debian/wazuh/files/{rules => }/custom_wazuh_rules.xml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename roles/debian/wazuh/files/{rules => }/custom_wazuh_rules.xml (100%)

diff --git a/roles/debian/wazuh/files/rules/custom_wazuh_rules.xml b/roles/debian/wazuh/files/custom_wazuh_rules.xml
similarity index 100%
rename from roles/debian/wazuh/files/rules/custom_wazuh_rules.xml
rename to roles/debian/wazuh/files/custom_wazuh_rules.xml