Wazuh-dbd does not support custom types in rules #14081

Open
juliancnn opened this issue Jun 29, 2022 · 2 comments
Assignees
Labels
level/task module/dbd wazuh-dbd reporter/community team/core type/bug/regression Breaks functionality known to work in previous releases

Comments


juliancnn commented Jun 29, 2022

Wazuh version: >= 4.1
Component: Wazuh DBD
Install type: Manager
Install method: Sources with flag DATABASE=<mysql/pgsql>
Platform: Linux

Description

Since Wazuh v4.1, it is possible to specify different types of regex (PCRE2, OSRegex or OSMatch) in rules and decoders (#6480).
On the other hand, there is the possibility of building Wazuh with support for inserting alerts into an SQL-like database.
This is done through the daemon wazuh-dbd (ossec-dbd). At the moment, this daemon does not start if the rules or decoders have specified a regex type that is not the default one. The latest versions of Wazuh use this functionality in the default rules, which causes the daemon to not start.

Use case

The Wazuh manager is built and configured to send alerts to a database.

Steps to reproduce (using MySQL)

  1. Build Wazuh with the flag DATABASE=<mysql/pgsql> and install:

     ```shell
     make deps && make TARGET=server DATABASE=<mysql/pgsql>
     ./install.sh
     ```

  2. Configure the database:

     ```
     # mysql -u root -p

     mysql> CREATE DATABASE Alerts_DB;
     Query OK, 0 rows affected (0.00 sec)

     mysql> CREATE USER 'MySQLadmin'@'<MANAGER_IP>' IDENTIFIED BY 'secret1234';
     Query OK, 0 rows affected (0.00 sec)

     mysql> GRANT INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on Alerts_DB.* to 'MySQLadmin'@'<MANAGER_IP>';
     Query OK, 0 rows affected (0.00 sec)

     mysql> FLUSH PRIVILEGES;
     Query OK, 0 rows affected (0.00 sec)

     mysql> quit;
     ```

  3. Import the schema:

     ```shell
     mysql -u root -p Alerts_DB < src/os_dbd/mysql.schema
     ```

  4. Add the following configuration to the ossec.conf file:

     ```xml
     <database_output>
       <hostname>x.x.x.x</hostname>
       <username>MySQLadmin</username>
       <password>secret1234</password>
       <database>Alerts_DB</database>
       <type>mysql</type>
     </database_output>
     ```

  5. Launch wazuh-dbd:

     ```shell
     /var/ossec/bin/wazuh-dbd -fd
     ```

Actual result

...
2022/06/29 16:19:18 wazuh-dbd[51799] rules_op.c:1152 at OS_ReadXMLRules(): ERROR: (1450): Syntax error on regex: 'Set-.+VirtualDirectory.+?Url.+\<\w+.*\>.*?\<\/\w+\>.+?VirtualDirectory': 6.
2022/06/29 16:19:18 wazuh-dbd[51799] rules.c:228 at OS_InsertRulesDB(): ERROR: (1220): Error loading the rules: 'ruleset/rules/0910-ms-exchange-proxylogon_rules.xml'.
2022/06/29 16:19:18 wazuh-dbd[51799] main.c:256 at main(): CRITICAL: (1202): Configuration error at 'etc/ossec.conf'.

Expected result

Starts normally and inserts alerts into the database

@juliancnn juliancnn added type/bug/regression Breaks functionality known to work in previous releases team/core module/dbd wazuh-dbd reporter/community and removed type/bug/regression Breaks functionality known to work in previous releases labels Jun 29, 2022
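A pre-deployment check, added here and not part of the issue or of Wazuh's own code: it scans rule or decoder text for pattern elements whose `type` attribute differs from that element's default engine, which is exactly the condition that makes wazuh-dbd abort as in the log above. The element list and default-type table are assumptions taken from the Wazuh ruleset syntax documentation, and the sample rules are constructed.

```python
"""Flag Wazuh rule/decoder pattern elements whose regex type is not the default (#14081)."""
import re

# Pattern-bearing elements and their assumed default engine (from the Wazuh
# ruleset syntax docs): <regex> and <field> default to osregex, the
# match-style elements to osmatch. pcre2 is never a default.
PATTERN_ELEMENTS = {
    "regex": "osregex", "field": "osregex", "match": "osmatch", "url": "osmatch",
    "id": "osmatch", "status": "osmatch", "hostname": "osmatch", "user": "osmatch",
    "program_name": "osmatch", "protocol": "osmatch", "action": "osmatch",
    "extra_data": "osmatch", "location": "osmatch", "data": "osmatch",
}
RULE_RE = re.compile(r'<rule\b[^>]*\bid\s*=\s*"(\d+)"')
TYPE_RE = re.compile(r'<(\w+)\b[^>]*?\btype\s*=\s*"([^"]*)"')


def find_non_default_types(rule_text):
    """Return [(rule_id, element, type)] for each pattern element whose type
    attribute differs from its default ("-" when outside any <rule>, e.g. decoders).
    A line scan is used deliberately: Wazuh's own XML reader tolerates raw '<'
    inside patterns (as in the regex quoted in the error above), so a strict
    XML parser would reject real ruleset files."""
    hits, rule_id = [], "-"
    for line in rule_text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rule_id = m.group(1)
        for tag, rtype in TYPE_RE.findall(line):
            default = PATTERN_ELEMENTS.get(tag)
            if default is not None and rtype.lower() != default:
                hits.append((rule_id, tag, rtype.lower()))
    return hits


# Constructed sample in the shape of a Wazuh rules file (not the real 0910 file).
SAMPLE = """<group name="example,">
  <rule id="100001" level="3"><if_sid>1002</if_sid>
    <match>failed</match><description>default osmatch: wazuh-dbd loads it</description></rule>
  <rule id="100002" level="10"><if_sid>1002</if_sid>
    <regex type="pcre2">Set-.+VirtualDirectory.+?\\<\\w+.*\\></regex>
    <description>pcre2 regex: wazuh-dbd fails at startup</description></rule>
  <rule id="100003" level="5"><if_sid>1002</if_sid>
    <field name="srcuser" type="osmatch">admin</field>
    <description>osmatch on a field whose default is osregex</description></rule>
</group>"""

if __name__ == "__main__":
    for rid, tag, rtype in find_non_default_types(SAMPLE):
        print(f'rule {rid}: <{tag} type="{rtype}">')
```

Run it over each file in ruleset/rules and ruleset/decoders before enabling wazuh-dbd; any hit identifies a rule that the daemon will refuse to load until the regression is fixed.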
@pereyra-m (Member)

Commenting out this section seems to be a workaround for now:
#17986 (comment)

@AdmiraalA

Still present in 4.5.0
