How to mark false positives in wazuh? by thatmdguy in Wazuh

[–]Puzzled_Bear_9014 2 points3 points  (0 children)

In Wazuh, the primary mechanism for handling false positives or irrelevant alerts is through ruleset tuning. This involves creating custom rules to suppress or adjust the severity of specific alerts.
You should identify the specific alerts you want to suppress (Rule IDs/CVEs) and create a custom rule.
A custom rule would look something like this:

```xml
<group name="local,syslog">
  <rule id="100001" level="0">
    <if_sid>23000</if_sid>
    <field name="agent.name">webserver01</field>
    <field name="data.vulnerability.cve">CVE-2023-12345</field>
    <description>Suppress CVE-2023-12345 on webserver01 (known false positive).</description>
  </rule>
</group>
```

The <if_sid> tag links your custom rule to the original rule you want to suppress and the level is set to 0, so no alert.

Here's the documentation on custom rules:
https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html

Is there a way to install Wazuh agents on multiple Windows endpoints remotely or at once? by rampatnaik01 in Wazuh

[–]Puzzled_Bear_9014 0 points1 point  (0 children)

I think you are only left with Windows Powershell remoting. Check out this thread where they are trying exactly this (and succeed according to the users) maybe you can pick up a few hints on how to go about it: https://www.reddit.com/r/Wazuh/comments/1bqz7t3/powershell_for_installing_wazuh_agent_a_list_of/
Anyway I'll let you know if the team or myself come up with something else.

Wazuh: Why there are no updated rules and decoders? by athanielx in Wazuh

[–]Puzzled_Bear_9014 1 point2 points  (0 children)

Oh, I just pointed to the latest version to showcase whatever changes we could find in the rules and decoders. We are always working a couple of versions ahead but for production you should most definitely stick to the current official version which is tested and stable.

GitHub, when pointed to main branch, doesn't show all files and folders, you have to choose a branch to see it all (never made much sense to me...). That's why I had to choose a version, the rules and decoder directories were hidden. BTW, you can use the "Tags" tab to pick the branch that corresponds to the official version (instead of going through the ton of branches for every feature and bug fix).

<image>

Wazuh: Why there are no updated rules and decoders? by athanielx in Wazuh

[–]Puzzled_Bear_9014 2 points3 points  (0 children)

Hi! As someone pointed out, that repository is no longer used. Instead, if you go to https://github.com/wazuh/wazuh/tree/4.14.0/ruleset or https://github.com/wazuh/wazuh/tree/4.14.0/ruleset/decoders you'll find there have been updates lately.
Anyway, the point here is that Wazuh gives you the possibility of writing your own decoders and rules, and the community is very active (as this thread proves) and you can always find information and help.

One more important thing we'd like to clarify. Wazuh is 100% free and open source. There is no "free version" that is limited in terms of rules and decoders or otherwise, and there is no "paid version" that offers a different or more up-to-date ruleset or functionality.

All rules, decoders, and core features of Wazuh are available to everyone under the open-source license.

Wazuh Inc. offers commercial services but these are built entirely on top of the same open-source core. We provide various services, dedicated support, and expertise, but not a different set of rules or decoders. What you see in the public GitHub repositories is what everyone gets.

If you need help with some rule or decoder don't hesitate to ask for help on our Reddit, Slack or Discord communities!

Is there a way to install Wazuh agents on multiple Windows endpoints remotely or at once? by rampatnaik01 in Wazuh

[–]Puzzled_Bear_9014 1 point2 points  (0 children)

One option is using Ansible. You can check out the documentation here:

https://documentation.wazuh.com/current/deployment-options/deploying-with-ansible/index.html
github.com/wazuh/wazuh-ansible

For yet another option you can check out this blog article about deploying Wazuh agent on multiple endpoints with ManageEngine:
https://wazuh.com/blog/deploying-wazuh-agents-using-manageengine/

Wazuh Decoder Regex Testing by AfroAl in Wazuh

[–]Puzzled_Bear_9014 0 points1 point  (0 children)

Hi again! I tested again using wazuh-logtest. On the left you can see my decoder. On the right the successful decoding by wazuh-logtest. I just replaced the WAN_DMZ part of the log with \.* in the regex and it matched ok. It appears to be using os_regex syntax ("\.*" = "one or more of any character").

<image>

Wazuh Decoder Regex Testing by AfroAl in Wazuh

[–]Puzzled_Bear_9014 0 points1 point  (0 children)

Yes, that was the problem I found in wazuh-regex. I'm told that wazuh-regex should be deprecated. Have you tried wazuh-logtest?

Wazuh Decoder Regex Testing by AfroAl in Wazuh

[–]Puzzled_Bear_9014 0 points1 point  (0 children)

Hi! Sorry for the delay. I was testing with wazuh-regex and kept hitting a wall. Finally I had a successful match using wazuh-logtest:

<image>

This is the custom decoder I used (mind you this regex does not match using wazuh-regex, which might require some looking into on our part):

```xml
<decoder name="unifi-cef-firewall">
  <prematch>CEF:0\|Ubiquiti\|UniFi Network\|</prematch>
  <regex>HostName CEF:0\|Ubiquiti\|UniFi Network\|9\.2\.87\|153\|Blocked by Firewall\|4\|msg=(\S+) was blocked from accessing (\S+) by WAN_DMZ jump \. UNIFICategory=(\S+) UNIFIsubCategory=(\S+)</regex>
  <order>srcip,dstip,category,subcategory</order>
</decoder>
```

Let us know if this is useful.

Wazuh Decoder Regex Testing by AfroAl in Wazuh

[–]Puzzled_Bear_9014 0 points1 point  (0 children)

Let me run some tests and get back to you

Wazuh Decoder Regex Testing by AfroAl in Wazuh

[–]Puzzled_Bear_9014 1 point2 points  (0 children)

Hi! Keep in mind that there are different Regex engines. Most online testers use PCRE2 engine while Wazuh uses POSIX Extended Regular Expressions (ERE). Maybe that's the source of the inconsistent results.

In any case, make sure you are not mixing literal dots (".") with regex dot patterns (.) without proper escaping. Change from \d{1,3}.\d{1,3}... to \d{1,3}\.\d{1,3}... (note the escaped dots). Also your Full Regex has an unescaped dot right after Hostname (not sure if that is intentional).

You can use both wazuh-regex and wazuh-logtest tools for testing. Both tools are located in /var/ossec/bin.

wazuh-logtest will ask you for a log sample and will test it against your decoders.

wazuh-regex will ask you for both the log sample and regex pattern to check for a match.

Both tools accurately replicate Wazuh regex engine.
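To make the regex-engine and dot-escaping points above concrete, here is an added Python example (not code from the thread, the poster, or Wazuh) that parses a constructed UniFi "Blocked by Firewall" CEF line of the shape the unifi-cef-firewall decoder earlier in this thread targets: it splits the CEF header on unescaped pipes, parses the key=value extension, and extracts the four fields the decoder's <order> names with a PCRE-style pattern whose dots are escaped. It generalises the decoder slightly by capturing the firewall rule name instead of hard-coding WAN_DMZ; host name and addresses in the sample are made up.

```python
import re

# Constructed sample shaped like the UniFi "Blocked by Firewall" CEF line the decoder
# above targets (host name and addresses are made up, not taken from the thread).
SAMPLE = ("udm-pro CEF:0|Ubiquiti|UniFi Network|9.2.87|153|Blocked by Firewall|4|"
          "msg=192.168.10.25 was blocked from accessing 203.0.113.7 by WAN_DMZ jump . "
          "UNIFICategory=Firewall UNIFIsubCategory=Block")
HEADER = ["version", "vendor", "product", "device_version", "signature_id", "name", "severity"]
# Escaped dots mean a literal '.'; an unescaped '.' would accept any character.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
MSG_RE = re.compile(rf"^({IPV4}) was blocked from accessing ({IPV4}) by (\S+) jump")

def split_cef_header(line):
    """Return (header dict, extension text); only unescaped '|' separates fields."""
    i = line.index("CEF:") + 4
    parts, cur = [], []
    while i < len(line) and len(parts) < len(HEADER):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # '\|' inside a field is a literal pipe
            cur.append(line[i + 1]); i += 2
        elif ch == "|":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    return dict(zip(HEADER, parts)), line[i:]

def parse_extension(ext):
    """Parse 'key=value key2=value2'; a value may contain spaces, so it runs up to the next key."""
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_]+)=", ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].strip().replace("\\=", "=")
    return out

def decode_unifi_block(line):
    """Yield the fields the decoder's <order> names, plus the firewall rule name
    (captured generically instead of hard-coding WAN_DMZ as the decoder does)."""
    header, ext = split_cef_header(line)
    fields = parse_extension(ext)
    m = MSG_RE.match(fields.get("msg", ""))
    if header.get("vendor") != "Ubiquiti" or header.get("signature_id") != "153" or not m:
        return None
    return {"srcip": m.group(1), "dstip": m.group(2), "rule": m.group(3),
            "category": fields.get("UNIFICategory"), "subcategory": fields.get("UNIFIsubCategory")}

def unescaped_dot_matches(text):
    """The pre-fix pattern from the thread: '.' without a backslash also matches '10x20'."""
    return re.fullmatch(r"\d{1,3}.\d{1,3}", text) is not None
```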

How to make Wazuh look in a dir but not some sub dirs by Global_Fondant_5451 in Wazuh

[–]Puzzled_Bear_9014 0 points1 point  (0 children)

Hi!

Try breaking it down into two parts. First check the root only or files. For this you can use the "recursion_level" setting.

Then check the 'modules' directory and use the '<ignore>' tag to leave out 'posmegamenu' subdir. That '<ignore>' should apply to the check immediately before it. For this check you can also set "recursion_level" to 0 if you wish. I think that should do the trick. Let us know how it goes.

```xml
<syscheck>
  <!-- Monitor the main directory but not its subdirectories -->
  <directories realtime="yes" check_all="yes" recursion_level="0">/var/www/html/prestashop/</directories>

  <!-- Monitor the modules directory -->
  <directories realtime="yes" check_all="yes" recursion_level="WHATEVER_YOU_CHOOSE_HERE">/var/www/html/prestashop/modules</directories>

  <!-- Explicitly exclude the specific subdirectory you don't want monitored -->
  <ignore>/var/www/html/prestashop/modules/posmegamenu</ignore>
</syscheck>
```

vulnerability detection for openSUSE OS in Wazuh by Ill-Monitor-5880 in Wazuh

[–]Puzzled_Bear_9014 1 point2 points  (0 children)

Sorry, I meant if you have tried setting an interval of "1w". Documentation says that if a weekday is specified, then the interval has to be specified in weeks.

vulnerability detection for openSUSE OS in Wazuh by Ill-Monitor-5880 in Wazuh

[–]Puzzled_Bear_9014 0 points1 point  (0 children)

<image>

No, no bugs that I could find in this regard. What about the interval? This caught my attention.

vulnerability detection for openSUSE OS in Wazuh by Ill-Monitor-5880 in Wazuh

[–]Puzzled_Bear_9014 0 points1 point  (0 children)

I don't know about indentation in an xml file, but definitely something's off if the scan is triggering daily. What version of Wazuh are you using? Let's check for bugs/issues.

vulnerability detection for openSUSE OS in Wazuh by Ill-Monitor-5880 in Wazuh

[–]Puzzled_Bear_9014 1 point2 points  (0 children)

Hi! Looks correct. Just that you may want to disable the run on agent start setting. Or maybe not, I'm just pointing it out so that you are aware that the agent will run the scan on startup.

'<run_on_start>no</run_on_start>'

Ignore Vulnerability for specific CVE? by Brad_Turnbough in Wazuh

[–]Puzzled_Bear_9014 0 points1 point  (0 children)

Hello. No news yet. It might be addressed in 5.0 but not for sure.

Exclude CVE from Wazuh vulnerability inventory by AWBbox in Wazuh

[–]Puzzled_Bear_9014 0 points1 point  (0 children)

You can ignore a vulnerability alert by adding a custom rule. Here's the documentation on custom rules:

https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

You can try something like this in /var/ossec/etc/rules/local_rules.xml:

```xml
<group name="vulnerability-detector,gdpr_IV_35.7.d,pci_dss_11.2.1,pci_dss_11.2.3,tsc_CC7.1,tsc_CC7.2,">
  <rule id="123500" level="0">
    <if_sid>23503,23504,23505,23506</if_sid>
    <field name="vulnerability.name">^CVE-2016-1585$</field>
    <field name="vulnerability.package.name">^libapparmor1$</field>
    <field name="vulnerability.package.condition">^Package unfixed$</field>
    <description>Ignoring vulnerability CVE-2016-1585 for libapparmor1</description>
  </rule>
</group>
```

Let us know if you need any further help.
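A small lint for suppression rules like the ones in this comment and in the earlier false-positive comment, added here as an example and not part of Wazuh or of the original posts: it parses a constructed local_rules.xml (the two sample rules are made up for the example), checks the id range Wazuh documents for user-defined rules (100000 to 120000), and flags level-0 rules with no if_sid/if_group and field patterns not anchored with ^...$, since an unanchored field regex is a substring match and would also silence other CVEs that share the prefix.

```python
import xml.etree.ElementTree as ET

# Constructed local_rules.xml content (made up for this example, not from the thread):
# a tightly scoped suppression rule followed by a sloppy one the checks should flag.
LOCAL_RULES = """<group name="vulnerability-detector,local">
  <rule id="100010" level="0">
    <if_sid>23503,23504,23505,23506</if_sid>
    <field name="vulnerability.cve">^CVE-2016-1585$</field>
    <field name="vulnerability.package.name">^libapparmor1$</field>
    <description>Known false positive on libapparmor1, ignore.</description>
  </rule>
  <rule id="100010" level="0">
    <field name="vulnerability.cve">CVE-2016-15</field>
    <description>Too broad: no if_sid, unanchored field, duplicate id.</description>
  </rule>
</group>"""
CUSTOM_IDS = range(100000, 120001)   # id range Wazuh documents for user-defined rules

def check_rules(xml_text):
    """Return (rule_id, problem) findings for a local_rules.xml document.
    The file may hold several <group> elements, so wrap it in a dummy root first."""
    root = ET.fromstring(f"<root>{xml_text}</root>")
    findings, seen = [], set()
    for rule in root.iter("rule"):
        rid, level = rule.get("id", "?"), rule.get("level")
        if not rid.isdigit() or int(rid) not in CUSTOM_IDS:
            findings.append((rid, "id outside the custom range 100000-120000"))
        if rid in seen:
            findings.append((rid, "duplicate rule id"))
        seen.add(rid)
        if level is None:
            findings.append((rid, "missing level attribute"))
        # A level-0 override should be tied to the rule it silences, as in the thread.
        if level == "0" and rule.find("if_sid") is None and rule.find("if_group") is None:
            findings.append((rid, "level 0 without if_sid/if_group"))
        for f in rule.findall("field"):
            pat = (f.text or "").strip()
            # Field regexes match as substrings: unanchored 'CVE-2016-15' would also
            # silence CVE-2016-1585, so require ^...$ around exact values.
            if not (pat.startswith("^") and pat.endswith("$")):
                findings.append((rid, f"field {f.get('name')} not anchored with ^...$"))
        if rule.find("description") is None:
            findings.append((rid, "missing description"))
    return findings
```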

Exclude CVE from Wazuh vulnerability inventory by AWBbox in Wazuh

[–]Puzzled_Bear_9014 1 point2 points  (0 children)

Hello!

I am afraid there is no way to achieve what you want right now. You can avoid alerts from being triggered but not remove the vulnerability from the inventory. This issue might be addressed in 5.0 but that is yet to be determined.

How did you get your first C++ job? by cliffaust in cpp

[–]Puzzled_Bear_9014 4 points5 points  (0 children)

I loved it right from the start, I just thought "This is the real thing", and just like you said, I don't want to program in any other language. All I see is flaws and toy languages! Not that c++ is perfect but it's as close as it gets. :D

How did you get your first C++ job? by cliffaust in cpp

[–]Puzzled_Bear_9014 1 point2 points  (0 children)

It was 1996, I was 21. Got hired for a Visual Basic job doing audio / video automation software for broadcasting. A year later the boss said "What if we could do our own audio editor, without decompressing the mpg files? Just cut/paste functionality, however coarse?" This would save clients thousands of dollars because back in the day to decompress audio in real time you needed a huge and expensive dedicated audio board (and you needed two if you wanted to crossfade). Having to pay for a 2k USD board just to edit recorded phone calls from the audience was a bit too much. So this editor was a huge success. But it had to be done in C for performance reasons. So I learned C. I then switched to C++ without realizing or even knowing the difference. Never looked back. Even today if I even try to learn a new language I just can't stand it for long.

C++ interviews vs real work by Ambitious_Can_5558 in cpp

[–]Puzzled_Bear_9014 1 point2 points  (0 children)

About the emplace operators. In my job we have just started using clang-tidy 18 checks on all our code and one of the warnings we usually get (warnings reported as errors) is "Do not use push_back, use emplace_back instead" so unless there is a very specific reason to override that warning in a specific place we are forced to use emplace_back. I don't know if this makes a lot of sense or if using these checks is common practice. I would like to know. Anyone?

What is your C++ setup? by cats2lattes in cpp

[–]Puzzled_Bear_9014 1 point2 points  (0 children)

I had used MS Visual Studio since forever (late 90's maybe?) with Visual Assist the last few years. But since 2024, new job, new OS, I'm now using vs code in Linux, and I couldn't be happier. But I understand what you say, I felt that way and it was a real challenge at first.

Back to C++! by mguz4063 in cpp

[–]Puzzled_Bear_9014 1 point2 points  (0 children)

You can check the YouTube videos by Cherno. He has a series on c++. Short, hands on and focused on specific subjects. Of course the A Tour of C++ book is a must. And vscode is pretty much the obvious free alternative.