jakewarren/NOTES.md

## NOTES.md

      
    Raw
  

              NOTES.md
            
          
    Installation

Installation Documentation
CentOS 7

rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF


yum install wazuh-manager
Ubuntu

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update
apt-get install wazuh-manager
vim configuration

helpful vim configuation snippets
" automatically test the rules when saving them 
autocmd BufWritePost /var/ossec/etc/rules/local_rules.xml !echo 'Mar  8 22:39:13 ip-10-0-0-10 sshd[2742]: Accepted publickey for root from 73.189.131.56 port 57516' | /var/ossec/bin/wazuh-logtest

" add syntax higlighting to the ossec configuation
autocmd BufRead /var/ossec/etc/ossec.conf set filetype=xml
Configuration

Reference: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/index.html
add email alerts to the config file:
vim /var/ossec/etc/ossec.conf
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>/usr/sbin/sendmail -t</smtp_server>
    <email_from>wazuh@host</email_from>
    <email_to>test@example.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
Re-configure the netstat command for more actionable alerts
vim /var/ossec/etc/ossec.conf 
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -plnt | awk '$4 !~ /127\.0\.0\.(1|53)/ {print ;}' | grep -v "0.0.0.0:55000" | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == /' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>3600</frequency>
  </localfile>
Enable vulnerability scanning

Reference: https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/running-vu-scan.html

Reference: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/vuln-detector.html
allow an OS such as Linux Mint or Alma - https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/allow-os.html
vim /var/ossec/etc/ossec.conf

 ensure the syscollector module is enabled
 enable the vulnerability collector

systemctl restart wazuh-manager
tail -f /var/ossec/logs/ossec.log # monitor the logs for any issues
Rule configuration

wazuh_auditd.xml contains rules to alert on auditd alerts

wazuh_local_rules.xml contains rules to tune noisy alerts. ℹ️ these tuning rules are meant to be applied as needed, not applied by default.
Rule ID Ranges


ID range
Comment


100000-199999
Contains tuning rules that I believe are appropriate for all systems.


200000-299999
Contains custom auditd rules.


300000-399999
Contains placeholder tuning rules that are meant to be applied as needed.


## wazuh_auditd.xml
<group name="local,audit,">


    <!-- type=SYSCALL msg=audit(1611524949.832:4392): arch=c000003e syscall=188 success=yes exit=0 a0=55c3831459a0 a1=7fb56242db8f a2=55c383513170 a3=1c items=1 ppid=26276 pid=29339 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=131 comm="vim" exe="/usr/bin/vim.basic" key="pam" -->
    <rule id="200001" level="13">
        <if_sid>80700</if_sid>
        <field name="audit.key">pam</field>
        <field name="audit.type">SYSCALL</field>
        <description>Audit: PAM modification: $(audit.exe) with loginuid user $(audit.auid)</description>
    </rule>

    <!-- type=SYSCALL msg=audit(1611600093.916:7559948): arch=c000003e syscall=90 success=yes exit=0 a0=aaf3c0 a1=8180 a2=7ffc9c5de0c0 a3=7ffc9c5ddee0 items=1 ppid=9657 pid=15162 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=123783 comm="vim" exe="/usr/bin/vim" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd" type=PATH msg=audit(1611600093.916:7559948): item=0 name="/etc/ssh/sshd_config" inode=100990242 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 -->
    <rule id="200002" level="10">
        <if_sid>80700</if_sid>
        <field name="audit.key">sshd</field>
        <field name="audit.type">SYSCALL</field>
        <description>Audit: SSHD modification: $(audit.exe) with loginuid user $(audit.auid)</description>
    </rule>

    <!-- type=SYSCALL msg=audit(1611524694.472:4160): arch=c000003e syscall=59 success=yes exit=0 a0=1920ba8 a1=15a9748 a2=18f0008 a3=598 items=2 ppid=26276 pid=28922 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=131 comm="curl" exe="/usr/bin/curl" key="susp_activity" -->
    <rule id="200003" level="7">
        <if_sid>80700</if_sid>
        <field name="audit.key">susp_activity</field>
        <field name="audit.type">SYSCALL</field>
        <description>Audit: suspicious activity: $(audit.exe) with loginuid user $(audit.auid)</description>
    </rule>

    <!-- type=SYSCALL msg=audit(1611601081.635:7560263): arch=c000003e syscall=59 success=yes exit=0 a0=1c8f300 a1=1d34490 a2=1cb1170 a3=7ffd703dfd70 items=2 ppid=9657 pid=15556 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=123783 comm="tcpdump" exe="/usr/sbin/tcpdump" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sbin_susp" type=EXECVE msg=audit(1611601081.635:7560263): argc=2 a0="tcpdump" a1="-h" type=PATH msg=audit(1611601081.635:7560263): item=0 name="/sbin/tcpdump" inode=68168567 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:netutils_exec_t:s0 objtype=NORMAL type=PATH msg=audit(1611601081.635:7560263): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=67173377 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL -->
    <rule id="200004" level="10">
        <if_sid>80700</if_sid>
        <field name="audit.key">sbin_susp</field>
        <field name="audit.type">SYSCALL</field>
        <description>Audit: suspicious sbin activity: $(audit.exe) with loginuid user $(audit.auid)</description>
    </rule>

    <rule id="200005" level="7">
        <if_sid>80700</if_sid>
        <field name="audit.key">actions</field>
        <field name="audit.type">SYSCALL</field>
        <description>Audit: modification to sudoers: $(audit.exe) with loginuid user $(audit.auid)</description>
    </rule>

    <rule id="200006" level="7">
        <if_sid>80700</if_sid>
        <field name="audit.key">init</field>
        <field name="audit.type">SYSCALL</field>
        <description>Audit: modification to init: $(audit.exe) with loginuid user $(audit.auid)</description>
    </rule>

    <!-- type=SYSCALL msg=audit(1611600919.597:7560209): arch=c000003e syscall=188 success=yes exit=0 a0=16873c0 a1=7f1c95c86ddf a2=1888700 a3=1c items=1 ppid=9657 pid=15542 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=123783 comm="vim" exe="/usr/bin/vim" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="systemwide_preloads" type=PATH msg=audit(1611600919.597:7560209): item=0 name="/etc/ld.so.preload" inode=33556406 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:ld_so_cache_t:s0 objtype=NORMAL -->
    <rule id="200007" level="10">
        <if_sid>80700</if_sid>
        <field name="audit.key">systemwide_preloads</field>
        <field name="audit.type">SYSCALL</field>
        <description>Audit: modification to LDPRELOAD: $(audit.exe) with loginuid user $(audit.auid)</description>
    </rule>

    <!-- type=SYSCALL msg=audit(1611596313.820:7502004): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=1d32890 a2=90800 a3=0 items=1 ppid=9657 pid=10910 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=123783 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="power_abuse" type=PATH msg=audit(1611596313.820:7502004): item=0 name="/home/" inode=33554618 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:home_root_t:s0 -->
    <rule id="200008" level="13">
        <if_sid>80700</if_sid>
        <field name="audit.key">power_abuse</field>
        <field name="audit.type">SYSCALL</field>
        <field negate="yes" name="audit.exe">/usr/bin/bash</field>
        <description>Audit: possible root power abuse: $(audit.exe) with loginuid user $(audit.auid)</description>
    </rule>

     <rule id="200009" level="0">
        <if_sid>200003</if_sid>
        <field name="audit.exe">/usr/bin/ssh|/usr/bin/curl</field>
        <description>don't alert on suspicious activity for certain whitelisted processes</description>
    </rule>


    <rule id="200010" level="7">
        <if_sid>80700</if_sid>
        <field name="audit.key">rootkey</field>
        <field name="audit.type">SYSCALL</field>
        <description>Audit: modification to /root/.ssh: $(audit.exe) with loginuid user $(audit.auid)</description>
    </rule>

    <rule id="200011" level="7">
        <if_sid>80700</if_sid>
        <field name="audit.key">mail</field>
        <field name="audit.type">SYSCALL</field>
        <description>Audit: modification to mail config: $(audit.exe) with loginuid user $(audit.auid)</description>
    </rule>

    <rule id="200012" level="7">
        <if_sid>80700</if_sid>
        <field name="audit.key">pkexec</field>
        <field name="audit.type">SYSCALL</field>
        <description>Audit: pkexec invocation (possible privilege escalation CVE-2021-4034): $(audit.exe) with loginuid user $(audit.auid)</description>
    </rule>

</group>

## wazuh_local_rules.xml
<group name="local,syslog,sshd,">

    <!-- ignore docker rootcheck alerts -->
    <rule id="100001" level="0">
        <if_sid>510</if_sid>
        <match>/var/lib/docker</match>
        <description>ignore docker rootcheck alerts</description>
    </rule>

    <rule id="100002" level="3">
        <if_sid>502,1002,1003</if_sid>
        <options>no_email_alert</options>
        <description>turn off email alerts for unknown problems and large syslog alerts</description>
    </rule>

    <rule id="100003" level="0">
        <if_sid>2832,2833,2834</if_sid>
        <description>decreased level on crontab rules</description>
    </rule>


    <rule id="300002" level="3">
        <if_sid>550</if_sid>
        <description>change level of syscheck alert</description>
    </rule>

    <rule id="300003" level="3">
        <if_sid>5701</if_sid>
        <description>change level of 'Possible attack on the ssh server' alert</description>
    </rule>

    <rule id="300004" level="3">
        <if_sid>553</if_sid>
        <description>change level of file deleted syscheck alert</description>
    </rule>

    <rule id="300005" level="3">
        <if_sid>2502</if_sid>
        <description>change level of missed passwords alert</description>
    </rule>

    <rule id="300006" level="3">
        <if_sid>80710</if_sid>
        <description>change level of the auditd promiscuous interface alert</description>
    </rule>

     <rule id="300007" level="3">
        <if_sid>5104</if_sid>
        <description>change level of promiscuous interface alert</description>
    </rule>

    <rule id="300008" level="0">
        <if_sid>592</if_sid>
        <description>ignore "file size reduced alerts" caused by logrotate</description>
    </rule>

    <!--
    USB Connected alert - useful to detecting "evil maid" attacks
    Apr 27 10:05:15 example kernel: [4916275.887999] usb 4-5.3: New USB device found, idVendor=1b1c, idProduct=1a0e
    -->
    <rule id="300009" level="2">
        <decoded_as>kernel</decoded_as>
        <match>New USB device found</match>
        <description>New USB device attached</description>
    </rule>


    <!-- Tune out USB connected alerts for known devices  -->
    <rule id="300010" level="1">
        <if_sid>100035</if_sid>
        <match>idVendor=1058, idProduct=25f8|idVendor=1058, idProduct=25f9|idVendor=2109, idProduct=2812|idVendor=046d, idProduct=c52b</match>
        <description>Tune out USB connected alerts for known devices</description>
    </rule>

    <!-- Generate test alert to verify that Wazuh email notifications are working -->
    <!-- run `logger --tag wazuh-test test-alert` to generate a test alert-->
    <rule id="400000" level="10">
        <program_name>wazuh-test</program_name>
        <match>test-alert</match>
        <description>TEST: Wazuh test alert</description>
    </rule>


</group>
ID range	Comment
100000-199999	Contains tuning rules that I believe are appropriate for all systems.
200000-299999	Contains custom auditd rules.
300000-399999	Contains placeholder tuning rules that are meant to be applied as needed.
	<group name="local,audit,">


	<!-- type=SYSCALL msg=audit(1611524949.832:4392): arch=c000003e syscall=188 success=yes exit=0 a0=55c3831459a0 a1=7fb56242db8f a2=55c383513170 a3=1c items=1 ppid=26276 pid=29339 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=131 comm="vim" exe="/usr/bin/vim.basic" key="pam" -->
	<rule id="200001" level="13">
	<if_sid>80700</if_sid>
	<field name="audit.key">pam</field>
	<field name="audit.type">SYSCALL</field>
	<description>Audit: PAM modification: $(audit.exe) with loginuid user $(audit.auid)</description>
	</rule>

	<!-- type=SYSCALL msg=audit(1611600093.916:7559948): arch=c000003e syscall=90 success=yes exit=0 a0=aaf3c0 a1=8180 a2=7ffc9c5de0c0 a3=7ffc9c5ddee0 items=1 ppid=9657 pid=15162 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=123783 comm="vim" exe="/usr/bin/vim" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd" type=PATH msg=audit(1611600093.916:7559948): item=0 name="/etc/ssh/sshd_config" inode=100990242 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 -->
	<rule id="200002" level="10">
	<if_sid>80700</if_sid>
	<field name="audit.key">sshd</field>
	<field name="audit.type">SYSCALL</field>
	<description>Audit: SSHD modification: $(audit.exe) with loginuid user $(audit.auid)</description>
	</rule>

	<!-- type=SYSCALL msg=audit(1611524694.472:4160): arch=c000003e syscall=59 success=yes exit=0 a0=1920ba8 a1=15a9748 a2=18f0008 a3=598 items=2 ppid=26276 pid=28922 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=131 comm="curl" exe="/usr/bin/curl" key="susp_activity" -->
	<rule id="200003" level="7">
	<if_sid>80700</if_sid>
	<field name="audit.key">susp_activity</field>
	<field name="audit.type">SYSCALL</field>
	<description>Audit: suspicious activity: $(audit.exe) with loginuid user $(audit.auid)</description>
	</rule>

	<!-- type=SYSCALL msg=audit(1611601081.635:7560263): arch=c000003e syscall=59 success=yes exit=0 a0=1c8f300 a1=1d34490 a2=1cb1170 a3=7ffd703dfd70 items=2 ppid=9657 pid=15556 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=123783 comm="tcpdump" exe="/usr/sbin/tcpdump" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sbin_susp" type=EXECVE msg=audit(1611601081.635:7560263): argc=2 a0="tcpdump" a1="-h" type=PATH msg=audit(1611601081.635:7560263): item=0 name="/sbin/tcpdump" inode=68168567 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:netutils_exec_t:s0 objtype=NORMAL type=PATH msg=audit(1611601081.635:7560263): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=67173377 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL -->
	<rule id="200004" level="10">
	<if_sid>80700</if_sid>
	<field name="audit.key">sbin_susp</field>
	<field name="audit.type">SYSCALL</field>
	<description>Audit: suspicious sbin activity: $(audit.exe) with loginuid user $(audit.auid)</description>
	</rule>

	<rule id="200005" level="7">
	<if_sid>80700</if_sid>
	<field name="audit.key">actions</field>
	<field name="audit.type">SYSCALL</field>
	<description>Audit: modification to sudoers: $(audit.exe) with loginuid user $(audit.auid)</description>
	</rule>

	<rule id="200006" level="7">
	<if_sid>80700</if_sid>
	<field name="audit.key">init</field>
	<field name="audit.type">SYSCALL</field>
	<description>Audit: modification to init: $(audit.exe) with loginuid user $(audit.auid)</description>
	</rule>

	<!-- type=SYSCALL msg=audit(1611600919.597:7560209): arch=c000003e syscall=188 success=yes exit=0 a0=16873c0 a1=7f1c95c86ddf a2=1888700 a3=1c items=1 ppid=9657 pid=15542 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=123783 comm="vim" exe="/usr/bin/vim" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="systemwide_preloads" type=PATH msg=audit(1611600919.597:7560209): item=0 name="/etc/ld.so.preload" inode=33556406 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:ld_so_cache_t:s0 objtype=NORMAL -->
	<rule id="200007" level="10">
	<if_sid>80700</if_sid>
	<field name="audit.key">systemwide_preloads</field>
	<field name="audit.type">SYSCALL</field>
	<description>Audit: modification to LDPRELOAD: $(audit.exe) with loginuid user $(audit.auid)</description>
	</rule>

	<!-- type=SYSCALL msg=audit(1611596313.820:7502004): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=1d32890 a2=90800 a3=0 items=1 ppid=9657 pid=10910 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=123783 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="power_abuse" type=PATH msg=audit(1611596313.820:7502004): item=0 name="/home/" inode=33554618 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:home_root_t:s0 -->
	<rule id="200008" level="13">
	<if_sid>80700</if_sid>
	<field name="audit.key">power_abuse</field>
	<field name="audit.type">SYSCALL</field>
	<field negate="yes" name="audit.exe">/usr/bin/bash</field>
	<description>Audit: possible root power abuse: $(audit.exe) with loginuid user $(audit.auid)</description>
	</rule>

	<rule id="200009" level="0">
	<if_sid>200003</if_sid>
	<field name="audit.exe">/usr/bin/ssh\|/usr/bin/curl</field>
	<description>don't alert on suspicious activity for certain whitelisted processes</description>
	</rule>


	<rule id="200010" level="7">
	<if_sid>80700</if_sid>
	<field name="audit.key">rootkey</field>
	<field name="audit.type">SYSCALL</field>
	<description>Audit: modification to /root/.ssh: $(audit.exe) with loginuid user $(audit.auid)</description>
	</rule>

	<rule id="200011" level="7">
	<if_sid>80700</if_sid>
	<field name="audit.key">mail</field>
	<field name="audit.type">SYSCALL</field>
	<description>Audit: modification to mail config: $(audit.exe) with loginuid user $(audit.auid)</description>
	</rule>

	<rule id="200012" level="7">
	<if_sid>80700</if_sid>
	<field name="audit.key">pkexec</field>
	<field name="audit.type">SYSCALL</field>
	<description>Audit: pkexec invocation (possible privilege escalation CVE-2021-4034): $(audit.exe) with loginuid user $(audit.auid)</description>
	</rule>

	</group>
	<group name="local,syslog,sshd,">

	<!-- ignore docker rootcheck alerts -->
	<rule id="100001" level="0">
	<if_sid>510</if_sid>
	<match>/var/lib/docker</match>
	<description>ignore docker rootcheck alerts</description>
	</rule>

	<rule id="100002" level="3">
	<if_sid>502,1002,1003</if_sid>
	<options>no_email_alert</options>
	<description>turn off email alerts for unknown problems and large syslog alerts</description>
	</rule>

	<rule id="100003" level="0">
	<if_sid>2832,2833,2834</if_sid>
	<description>decreased level on crontab rules</description>
	</rule>


	<rule id="300002" level="3">
	<if_sid>550</if_sid>
	<description>change level of syscheck alert</description>
	</rule>

	<rule id="300003" level="3">
	<if_sid>5701</if_sid>
	<description>change level of 'Possible attack on the ssh server' alert</description>
	</rule>

	<rule id="300004" level="3">
	<if_sid>553</if_sid>
	<description>change level of file deleted syscheck alert</description>
	</rule>

	<rule id="300005" level="3">
	<if_sid>2502</if_sid>
	<description>change level of missed passwords alert</description>
	</rule>

	<rule id="300006" level="3">
	<if_sid>80710</if_sid>
	<description>change level of the auditd promiscuous interface alert</description>
	</rule>

	<rule id="300007" level="3">
	<if_sid>5104</if_sid>
	<description>change level of promiscuous interface alert</description>
	</rule>

	<rule id="300008" level="0">
	<if_sid>592</if_sid>
	<description>ignore "file size reduced alerts" caused by logrotate</description>
	</rule>

	<!--
	USB Connected alert - useful to detecting "evil maid" attacks
	Apr 27 10:05:15 example kernel: [4916275.887999] usb 4-5.3: New USB device found, idVendor=1b1c, idProduct=1a0e
	-->
	<rule id="300009" level="2">
	<decoded_as>kernel</decoded_as>
	<match>New USB device found</match>
	<description>New USB device attached</description>
	</rule>


	<!-- Tune out USB connected alerts for known devices -->
	<rule id="300010" level="1">
	<if_sid>100035</if_sid>
	<match>idVendor=1058, idProduct=25f8\|idVendor=1058, idProduct=25f9\|idVendor=2109, idProduct=2812\|idVendor=046d, idProduct=c52b</match>
	<description>Tune out USB connected alerts for known devices</description>
	</rule>

	<!-- Generate test alert to verify that Wazuh email notifications are working -->
	<!-- run `logger --tag wazuh-test test-alert` to generate a test alert-->
	<rule id="400000" level="10">
	<program_name>wazuh-test</program_name>
	<match>test-alert</match>
	<description>TEST: Wazuh test alert</description>
	</rule>


	</group>