Skip to content

wazuh/wazuh-ruleset

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1,270 Commits

decoders

decoders

 
 

lists

lists

 
 

rootchecks

rootchecks

 
 

rules

rules

 
 

sca

sca

 
 

scap_content

scap_content

 
 

tools

tools

 
 

CHANGELOG.md

CHANGELOG.md

 
 

README.md

README.md

 
 

VERSION

VERSION

 
 

rules_reference.md

rules_reference.md

 
 

update_ruleset

update_ruleset

 
 

Repository files navigation

Wazuh Ruleset

Slack Email Documentation Documentation

Wazuh ruleset is used to detect attacks, intrusions, software misuse, configuration problems, application errors, malware, rootkits, system anomalies or security policy violations.

The ruleset includes compliance mapping with PCI DSS v3.1 and CIS.

Installation

Directory structure

├── wazuh-ruleset
│ ├── decoders            # OSSEC decoders created/updated by Wazuh
│ ├── rules               # OSSEC rules created/updated by Wazuh
│ ├── rootchecks          # OSSEC rootchecks created/updated by Wazuh
│ ├── scap_content        # OVAL, XCCDF, DS created/updated by Wazuh
│ ├── lists               # CDB lists created/updated by Wazuh
|
│ ├── tools
|
│ ├── README.md
│ ├── VERSION
│ ├── update_ruleset.py   # Install/update ruleset

Full documentation

Full documentation at documentation.wazuh.com

Branches

  • stable branch on correspond to the last OSSEC Ruleset stable version.
  • master branch contains the latest code, be aware of possible bugs on this branch.
  • development branch includes all the new features we are adding and testing.

Contribute

If you have created new rules, decoders or rootchecks and you would like to contribute to our repository, please fork our Github repository and submit a pull request. To make a pull request for new rules and decoders, follow these instructions:

  1. If your rules and decoders are related to existent ones in the ruleset, you should add them at the end of the corresponding file. If they are made for a new application or device that Wazuh does not currently support, you should create a new XML following the title format. For example, if the last XML file is 0620-last-xml_rules.xml, the next one should be named 0625-new_integration.xml. Please, make sure your rules do not use an existent rule id.

  2. Make sure to create your test.ini file. You may find examples under the wazuh/wazuh-ruleset/tools/rules-testing/tests folder. Then add it to the repository along with the rest of the tests.

  3. Create the pull request

If you are not familiar with Github, you can also share them through our users mailing list, to which you can subscribe by sending an email to wazuh+subscribe@googlegroups.com. As well do not hesitate to request new rules or rootchecks that you would like to see running in Wazuh and our team will do our best to make it happen.

Web references

About

Wazuh - Ruleset

wazuh.com

Topics

security elasticsearch log-analysis monitoring incident-response ids intrusion-detection pci-dss compliance security-hardening loganalyzer vulnerability-detection ossec openscap wazuh policy-monitoring security-awareness file-integrity-management

Resources

Readme
Activity
Custom properties

Stars

404 stars

Watchers

75 watching

Forks

201 forks
Report repository

Releases 69

Wazuh Ruleset v3.13.6 Latest
Sep 19, 2022
+ 68 releases

Packages

No packages published

Contributors 83

+ 69 contributors

Languages