Rule ID 31152 is only fired on a single SQL injection attempt rule (ID 31103)
```xml
<rule id="31152" level="10" frequency="8" timeframe="120">
  <if_matched_sid>31103</if_matched_sid>
  <same_source_ip />
  <description>Multiple SQL injection attempts from same </description>
  <description>source ip.</description>
  <mitre>
    <id>T1055</id>
  </mitre>
  <group>attack,sql_injection,pci_dss_6.5,pci_dss_11.4,pci_dss_6.5.1,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
```
But more than one sqlinjection rule is defined in the ruleset. For example:
```xml
<rule id="31170" level="6">
  <if_sid>31100</if_sid>
  <url>%2csleep|sysdate()|nslookup%20dns.sqli</url>
  <description>SQL injection attempt.</description>
  <group>attack,sqlinjection,pci_dss_6.5,pci_dss_11.4,pci_dss_6.5.1,gdpr_IV_35.7.d,</group>
</rule>

<rule id="31171" level="6">
  <if_sid>31100</if_sid>
  <url>select%20|insert%20</url>
  <description>SQL injection attempt.</description>
  <group>attack,sqlinjection,pci_dss_6.5,pci_dss_11.4,pci_dss_6.5.1,gdpr_IV_35.7.d,</group>
</rule>
```
This results in some SQL injection attempts not being correlated. A solution could be to replace if_matched_sid with if_matched_group:
```xml
<!-- current -->
<if_matched_sid>31103</if_matched_sid>
<!-- proposed -->
<if_matched_group>sqlinjection</if_matched_group>
```
Wazuh Version:

```
$ /var/ossec/bin/wazuh-control -j info
{"error":0,"data":[{"WAZUH_VERSION":"v4.3.7"},{"WAZUH_REVISION":"40320"},{"WAZUH_TYPE":"server"}]}
```
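The gap described in the report can be reproduced offline with a small model of the composite-rule logic. The Python below is an added example written for this page, not Wazuh's own code. It reduces the engine to "fire when at least `frequency` matching alerts from the same source IP fall within `timeframe` seconds" (Wazuh's real counter has its own off-by-one details, which are deliberately not modelled) and assumes that rule 31103 carries the `sqlinjection` group, as the proposed `if_matched_group` implies. The alert stream is constructed: one TEST-NET source spreads eight attempts across rules 31103, 31170 and 31171 inside the 120 s window, so the shipped `if_matched_sid` variant never reaches its threshold while the group-based variant does.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    """One alert produced by a child (non-composite) rule. Constructed for this example."""
    ts: int              # event time in seconds
    sid: int             # id of the rule that fired
    groups: frozenset    # <group> list of that rule
    srcip: str           # source IP extracted by the decoder


@dataclass
class CompositeRule:
    """Subset of a Wazuh composite rule: frequency, timeframe, same_source_ip and one matcher."""
    rule_id: int
    frequency: int
    timeframe: int
    if_matched_sid: Optional[int] = None
    if_matched_group: Optional[str] = None

    def matches(self, alert: Alert) -> bool:
        # if_matched_sid counts only alerts from that exact rule id;
        # if_matched_group counts any alert whose rule carries the group.
        if self.if_matched_sid is not None:
            return alert.sid == self.if_matched_sid
        return self.if_matched_group in alert.groups


def correlate(rule: CompositeRule, alerts: List[Alert]) -> List[Tuple[str, int]]:
    """Return (srcip, ts) for each firing of `rule` over `alerts`.

    Simplified engine (assumption): a firing happens when at least `frequency`
    matching alerts from the same source IP fall within `timeframe` seconds.
    """
    window = defaultdict(deque)   # srcip -> timestamps of recent matching alerts
    fired = []
    for a in sorted(alerts, key=lambda x: x.ts):
        if not rule.matches(a):
            continue
        q = window[a.srcip]
        q.append(a.ts)
        while a.ts - q[0] > rule.timeframe:   # drop alerts older than the window
            q.popleft()
        if len(q) >= rule.frequency:
            fired.append((a.srcip, a.ts))
            q.clear()                          # one burst -> one composite alert
    return fired


# Rule 31152 as shipped (counts only 31103) and as proposed (counts the whole group).
RULE_AS_SHIPPED = CompositeRule(31152, frequency=8, timeframe=120, if_matched_sid=31103)
RULE_PROPOSED = CompositeRule(31152, frequency=8, timeframe=120, if_matched_group="sqlinjection")

# Assumption: 31103, 31170 and 31171 all carry the "sqlinjection" group.
SQLI_GROUPS = frozenset({"attack", "sqlinjection"})
WEB_GROUPS = frozenset({"web", "accesslog"})


def constructed_alerts() -> List[Alert]:
    """Constructed alert stream using TEST-NET addresses, not real logs."""
    attacker, other = "203.0.113.7", "198.51.100.2"
    alerts = []
    # attacker: eight injection attempts in 70 s, spread over three child rules
    for i, sid in enumerate([31103, 31170, 31171, 31103, 31170, 31171, 31103, 31103]):
        alerts.append(Alert(1000 + 10 * i, sid, SQLI_GROUPS, attacker))
    # a second host with only three attempts: below threshold under either variant
    for i in range(3):
        alerts.append(Alert(1005 + 10 * i, 31103, SQLI_GROUPS, other))
    # attacker again ten minutes later: outside the 120 s window, must not count
    alerts.append(Alert(1600, 31103, SQLI_GROUPS, attacker))
    # unrelated web alert from the attacker: no sqlinjection group, never counts
    alerts.append(Alert(1020, 31101, WEB_GROUPS, attacker))
    return alerts


if __name__ == "__main__":
    for rule in (RULE_AS_SHIPPED, RULE_PROPOSED):
        print(rule.if_matched_sid or rule.if_matched_group, "->", correlate(rule, constructed_alerts()))
```

With the shipped matcher only four of the attacker's eight attempts are 31103 alerts, so `correlate` returns no firing; with the group matcher all eight count and 31152 fires at the eighth attempt. The same model also shows why the second host and the attempt ten minutes later stay quiet under both variants.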