Wazuh http auth protection pr 2.x

roles/debian/wazuh/files/custom_wazuh_rules.xml

@@ -0,0 +1,26 @@
+<!-- Local rules -->
+<group name="local,">
+  <!-- Rule to detect a single 401 error -->
+  <rule id="100100" level="5">
+    <description>HTTP 401 response code</description>
+    <decoded_as>web-accesslog</decoded_as>
+    <match>" 401 </match>
+  </rule>
+
+  <!-- Frequency rule to detect multiple 401 errors -->
+  <rule id="100101" level="10" frequency="200" timeframe="3600">
+    <if_matched_sid>100100</if_matched_sid>
+    <same_source_ip />
+    <description>Multiple 401 errors from same source IP (possible brute force attempt)</description>
+    <options>no_full_log</options>
+  </rule>
+</group>
+
+<group name="whitelist,">
+  <rule id="100102" level="0">
+    <if_sid>521</if_sid>
+    <match>scantem</match>
+    <description>Whitelist alerts containing 'scantem' in the title.</description>
+    <options>no_full_log</options>
+  </rule>
+</group>

roles/debian/wazuh/tasks/main.yml

@@ -139,6 +139,18 @@
   ignore_errors: true
   changed_when: false
 
+- name: Deploy custom Wazuh local rules
+  ansible.builtin.copy:
+    src: custom_wazuh_rules.xml
+    dest: "{{ wazuh_dir | default('/var/ossec') }}/etc/rules/custom_wazuh_rules.xml"
+    owner: wazuh
+    group: wazuh
+    mode: '0640'
+  notify: restart wazuh-manager
+  tags:
+    - rules
+  when: "'wazuh-manager.service' in wazuh_service.stdout"
+
 - name: Write the password to /var/ossec/etc/authd.pass
   ansible.builtin.copy:
     dest: /var/ossec/etc/authd.pass