Updating rule descriptions

zachroofsec · Nov 23, 2020 · 6ede1c1 · 6ede1c1
1 parent 1cacc65
commit 6ede1c1
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 9 deletions.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -18,9 +18,11 @@ services:
       - ELASTIC_USERNAME=admin
       - ELASTIC_PASSWORD=admin
       - FILEBEAT_SSL_VERIFICATION_MODE=none
-#    volumes:
-#      - './wazuh-manager-container/misc/local_rules.xml:/wazuh-config-mount/etc/rules/local_rules.xml'
-#      - './wazuh-manager-container/misc/ossec.conf:/wazuh-config-mount/etc/ossec.conf'
+    volumes:
+       # For more context on wazuh-config-mount, please view...
+       # https://documentation.wazuh.com/3.7/docker/container-usage.html#mount-custom-wazuh-configuration-files
+      - './wazuh-manager-container/misc/local_rules.xml:/wazuh-config-mount/etc/rules/local_rules.xml'
+      - './wazuh-manager-container/misc/ossec.conf:/wazuh-config-mount/etc/ossec.conf'
 
   elasticsearch:
     image: amazon/opendistro-for-elasticsearch:1.10.1

diff --git a/docker-compose_build.yml b/docker-compose_build.yml
@@ -18,9 +18,11 @@ services:
       - ELASTIC_USERNAME=admin
       - ELASTIC_PASSWORD=admin
       - FILEBEAT_SSL_VERIFICATION_MODE=none
-#    volumes:
-#      - './wazuh-manager-container/misc/local_rules.xml:/wazuh-config-mount/etc/rules/local_rules.xml'
-#      - './wazuh-manager-container/misc/ossec.conf:/wazuh-config-mount/etc/ossec.conf'
+    volumes:
+      # For more context on wazuh-config-mount, please view...
+      # https://documentation.wazuh.com/3.7/docker/container-usage.html#mount-custom-wazuh-configuration-files
+      - './wazuh-manager-container/misc/local_rules.xml:/wazuh-config-mount/etc/rules/local_rules.xml'
+      - './wazuh-manager-container/misc/ossec.conf:/wazuh-config-mount/etc/ossec.conf'
 
   elasticsearch:
     image: amazon/opendistro-for-elasticsearch:1.10.1

diff --git a/wazuh-manager-container/misc/local_rules.xml b/wazuh-manager-container/misc/local_rules.xml
@@ -1,15 +1,22 @@
 <group name="local,">
-<!--  Custom Rules ID: 100000 - 120000 -->
+  <!--  Custom Rules ID: 100000 - 120000 -->
+
   <rule id="100000" level="11" ignore="1" noalert="">
+    <!--    ossec.conf configures syscheck to monitor:     -->
+    <!--    /etc, /usr/bin, /usr/sbin, /bin, /sbin, /boot  -->
     <if_group>syscheck</if_group>
     <match>/etc/ld.so.preload</match>
-    <description>POTENTIAL MALWARE (or INVISIBLE PROCESS) - Changes to /etc/ld.so.preload </description>
+    <description>
+        POTENTIAL MALWARE (or INVISIBLE PROCESS) - Changes to /etc/ld.so.preload detected
+    </description>
     <group>invisible_process</group>
   </rule>
 
     <rule id="100100" level="11" frequency="2" timeframe="300" ignore="300" noalert="">
         <if_matched_group>invisible_process</if_matched_group>
-        <description>ESCALATION - MULTIPLE signs of malware (or invisible processes)</description>
+        <description>
+            ESCALATION - MULTIPLE signs of potential malware (or invisible processes)
+        </description>
         <group>escalation</group>
     </rule>
 </group>