Variables cannot be added in custom rules file #14509

Open
juliamagan opened this issue Aug 8, 2022 · 0 comments
Labels: level/task, reporter/qa (QA Team: Reporting possible bug), type/bug (Something isn't working)

Wazuh version: 4.3.6-40318
Component: Rules
Action type: Error

Description

When we add a variable to the custom rules file and restart, the variable is not loaded and the manager fails to start.

Configuration

<var name="custom">8</var>
<group name="windows,">
  <rule id="60204" level="12" frequency="$custom" timeframe="240" overwrite="yes">
    <if_matched_group>authentication_failed</if_matched_group>
    <same_field>win.eventdata.ipAddress</same_field>
    <options>no_full_log</options>
    <description>Multiple Windows logon failures.</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>authentication_failures,gdpr_IV_32.2,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,nist_800_53_SI.4,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

Errors/Improvements

Current results

[root@localhost vagrant]# tail -10 /var/ossec/logs/ossec.log 
2022/08/08 11:33:04 wazuh-analysisd[9835] rules.c:271 at Rules_OP_ReadRules(): DEBUG: XML Variables applied.
2022/08/08 11:33:04 wazuh-analysisd[9835] rules.c:245 at Rules_OP_ReadRules(): DEBUG: ruleset/rules/0935-cloudflare-waf_rules.xml is the rulefile
2022/08/08 11:33:04 wazuh-analysisd[9835] rules.c:246 at Rules_OP_ReadRules(): DEBUG: Not modifing the rule path
2022/08/08 11:33:04 wazuh-analysisd[9835] rules.c:264 at Rules_OP_ReadRules(): DEBUG: Read xml for rule.
2022/08/08 11:33:04 wazuh-analysisd[9835] rules.c:271 at Rules_OP_ReadRules(): DEBUG: XML Variables applied.
2022/08/08 11:33:04 wazuh-analysisd[9835] rules.c:245 at Rules_OP_ReadRules(): DEBUG: etc/rules/local_rules.xml is the rulefile
2022/08/08 11:33:04 wazuh-analysisd[9835] rules.c:246 at Rules_OP_ReadRules(): DEBUG: Not modifing the rule path
2022/08/08 11:33:04 wazuh-analysisd[9835] rules.c:264 at Rules_OP_ReadRules(): DEBUG: Read xml for rule.
2022/08/08 11:33:04 wazuh-analysisd[9835] analysisd.c:707 at main(): ERROR: analysisd/rules.c:268 at Rules_OP_ReadRules(): (1227): Error applying XML variables 'etc/rules/local_rules.xml': XMLERR: Unknown variable: '\{\S*\w\}\S*)+'..
2022/08/08 11:33:04 wazuh-analysisd[9835] analysisd.c:716 at main(): CRITICAL: (1220): Error loading the rules: 'etc/rules/local_rules.xml'.

Expected results

Successful restart and variables applied.

juliamagan added the reporter/qa (QA Team: Reporting possible bug) label Aug 8, 2022
TomasTurina added the type/bug (Something isn't working) label Jan 10, 2023
TomasTurina assigned JcabreraC and unassigned TomasTurina Feb 8, 2023
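
The error in the log above names a variable that does not appear in the posted configuration, which defines only `custom`. As an added example (not Wazuh code and not from the reporter), this Python check lists `$` references in a rules file that match no `<var>` definition, so they can be reviewed before a restart. The token delimiters and the skipping of a bare `$` are assumptions rather than the Wazuh parser's behaviour, and the sample rules are constructed.

```python
import re

# <var name="..."> definitions, as in the configuration posted in the issue.
VAR_DEF = re.compile(r'<var\s+name="([^"]+)"\s*>')
# Assumption: a reference is '$' plus the characters up to whitespace, a
# double quote, '<' or another '$'. The real parser's delimiters may differ.
VAR_REF = re.compile(r'\$([^\s"<$]*)')

def undefined_refs(rules_text):
    """Return (line_number, reference) for each '$' token with no matching <var>."""
    defined = set(VAR_DEF.findall(rules_text))
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        for ref in VAR_REF.finditer(line):
            token = ref.group(1)
            if not token:
                continue  # assumption: a bare '$' is not treated as a reference
            name = re.match(r'\w+', token)
            if name and name.group(0) in defined:
                continue  # resolves to a variable defined in this file
            findings.append((lineno, "$" + token))
    return findings

# Constructed sample: one defined variable, one undefined variable, and one
# literal '$' inside a regex that would also be read as a reference.
SAMPLE = r"""<var name="custom">8</var>
<group name="windows,">
  <rule id="100001" level="12" frequency="$custom" timeframe="240">
    <if_matched_group>authentication_failed</if_matched_group>
    <description>Constructed rule using a defined variable.</description>
  </rule>
  <rule id="100002" level="5">
    <match>$threshold</match>
    <description>Constructed rule using an undefined variable.</description>
  </rule>
  <rule id="100003" level="5">
    <regex>user=$\w+</regex>
    <description>Constructed rule with a dollar sign in a regex.</description>
  </rule>
</group>
"""

if __name__ == "__main__":
    for lineno, ref in undefined_refs(SAMPLE):
        print(f"line {lineno}: no <var> defined for {ref}")
```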