

moved some rules around and re-assigned priorities
0xjmux committed Nov 1, 2022
1 parent e66f414 commit c2bca3c
Showing 1 changed file with 10 additions and 9 deletions.
19 changes: 10 additions & 9 deletions Linux/deployment/wazuh-manager/files/local_rules.xml
Expand Up @@ -36,25 +36,26 @@
<!-- ======================================== -->
<!-- FIM -->

<rule id="100009" level="2">
<rule id="100009" level="0">
<if_group>syscheck</if_group>
<field name="file">/root/.viminfo</field>
<match>modified</match>
<description>viminfo (vim history file) updated</description>
</rule>

<rule id="100010" level="10">
<rule id="100010" level="0">
<if_group>syscheck</if_group>
<match>/etc/resolv.conf</match>
<description>resolv.conf modified, big whoop</description>
</rule>

<rule id="100011" level="10">
<if_group>syscheck</if_group>
<match>modified|added|deleted</match>
<field name="file">^/etc/cron.</field>
<description>File changed inside Cron!</description>
</rule>

<rule id="100011" level="3">
<if_group>syscheck</if_group>
<match>/etc/resolv.conf</match>
<description>resolv.conf modified, big whoop</description>
</rule>

<rule id="100012" level="10">
<if_group>syscheck</if_group>
Expand Down Expand Up @@ -133,9 +134,9 @@
</rule>

<!-- REMOVING ANNOYING ALERTS -->
<rule id="101000" level="2">
<rule id="101000" level="0">
<if_sid>24001</if_sid>
<match>already\srunning</match>
<match>already running</match>
<description>osquery already running</description>
</rule>

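Review bot: In the first hunk, rule 100010's `<match>/etc/resolv.conf</match>` is a substring match over the whole syscheck event text rather than over the file path, so this now level-0 rule silences any syscheck event whose text happens to contain `/etc/resolv.conf` (for example a change report of a script or cron file that references it, if `report_changes` is enabled), whereas rule 100009 scopes itself with `<field name="file">`. Consider `<field name="file">^/etc/resolv.conf$</field>` so only changes to that one file are suppressed. Which of two sibling `syscheck` rules fires when both match is decided by analysisd's rule ordering, not by their position in this file, so after this change it is worth running `wazuh-logtest` with a sample `/etc/cron.d` modification to confirm that rule 100011 still alerts at level 10 rather than being swallowed by a level-0 sibling. Separately, `^/etc/cron.` in rule 100011 uses an unescaped `.`, which is broader than written and also catches `/etc/crontab` (probably welcome), but user crontabs under `/var/spool/cron` are not covered by this rule at all, assuming syscheck monitors them.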
