codeenigma · drazenCE · May 5, 2025 · May 5, 2025 · May 5, 2025
diff --git a/roles/debian/wazuh/files/custom_wazuh_rules.xml b/roles/debian/wazuh/files/custom_wazuh_rules.xml
@@ -1,18 +1,14 @@
-<!-- Local rules -->
-<group name="local,">
-  <!-- Rule to detect a single 401 error -->
-  <rule id="100100" level="5">
-    <description>HTTP 401 response code</description>
-    <decoded_as>web-accesslog</decoded_as>
-    <match>" 401 </match>
-  </rule>
-
-  <!-- Frequency rule to detect multiple 401 errors -->
-  <rule id="100101" level="10" frequency="200" timeframe="3600">
-    <if_matched_sid>100100</if_matched_sid>
+<!-- Custom rules -->
+<group name="web,accesslog">
+  <rule id="31151" level="10" frequency="200" timeframe="3600" overwrite="yes">
+    <if_matched_sid>31101</if_matched_sid>
     <same_source_ip />
-    <description>Multiple 401 errors from same source IP (possible brute force attempt)</description>
-    <options>no_full_log</options>
+    <description>Multiple web server 400 error codes</description>
+    <description>from the same source IP.</description>
+    <mitre>
+      <id>T1595.002</id>
+    </mitre>
+    <group>web_scan,recon,pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
   </rule>
 </group>