From 6ede1c147b0d3eb29777cc900bc05c8029038e0d Mon Sep 17 00:00:00 2001
From: zachroofsec
Date: Mon, 23 Nov 2020 04:08:24 -0500
Subject: [PATCH] Updating rule descriptions
---
 docker-compose.yml | 8 +++++---
 docker-compose_build.yml | 8 +++++---
 wazuh-manager-container/misc/local_rules.xml | 13 ++++++++++---
 3 files changed, 20 insertions(+), 9 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 95009ef..7820a49 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -18,9 +18,11 @@ services:
 - ELASTIC_USERNAME=admin
 - ELASTIC_PASSWORD=admin
 - FILEBEAT_SSL_VERIFICATION_MODE=none
-# volumes:
-# - './wazuh-manager-container/misc/local_rules.xml:/wazuh-config-mount/etc/rules/local_rules.xml'
-# - './wazuh-manager-container/misc/ossec.conf:/wazuh-config-mount/etc/ossec.conf'
+ volumes:
+ # For more context on wazuh-config-mount, please view...
+ # https://documentation.wazuh.com/3.7/docker/container-usage.html#mount-custom-wazuh-configuration-files
+ - './wazuh-manager-container/misc/local_rules.xml:/wazuh-config-mount/etc/rules/local_rules.xml'
+ - './wazuh-manager-container/misc/ossec.conf:/wazuh-config-mount/etc/ossec.conf'
 
 elasticsearch:
 image: amazon/opendistro-for-elasticsearch:1.10.1
diff --git a/docker-compose_build.yml b/docker-compose_build.yml
index 452d2c3..1d0e7c9 100644
--- a/docker-compose_build.yml
+++ b/docker-compose_build.yml
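Review bot: The two bind mounts added under `volumes:` in docker-compose.yml are read-write; if, as the linked container-usage doc describes, /wazuh-config-mount is only a staging area that the image's entrypoint copies into /var/ossec at startup, nothing in the container needs to write back to the host copies, so both entries can take an `:ro` suffix, e.g. `- './wazuh-manager-container/misc/ossec.conf:/wazuh-config-mount/etc/ossec.conf:ro'`. That keeps a misbehaving or compromised manager process from rewriting the detection rules and ossec.conf that this commit now sources from the repo. The identical hunk in docker-compose_build.yml would take the same change. The new comment links the 3.7 docs; if the wazuh image tag (outside this hunk) is a different release, link the matching version so the mount-path contract stays accurate. The context lines just above still carry `ELASTIC_PASSWORD=admin` and `FILEBEAT_SSL_VERIFICATION_MODE=none`, which predates this change but deserves a `# TODO: lab-only defaults` marker if this file is ever used outside a local lab.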
@@ -18,9 +18,11 @@ services:
 - ELASTIC_USERNAME=admin
 - ELASTIC_PASSWORD=admin
 - FILEBEAT_SSL_VERIFICATION_MODE=none
-# volumes:
-# - './wazuh-manager-container/misc/local_rules.xml:/wazuh-config-mount/etc/rules/local_rules.xml'
-# - './wazuh-manager-container/misc/ossec.conf:/wazuh-config-mount/etc/ossec.conf'
+ volumes:
+ # For more context on wazuh-config-mount, please view...
+ # https://documentation.wazuh.com/3.7/docker/container-usage.html#mount-custom-wazuh-configuration-files
+ - './wazuh-manager-container/misc/local_rules.xml:/wazuh-config-mount/etc/rules/local_rules.xml'
+ - './wazuh-manager-container/misc/ossec.conf:/wazuh-config-mount/etc/ossec.conf'
 
 elasticsearch:
 image: amazon/opendistro-for-elasticsearch:1.10.1
diff --git a/wazuh-manager-container/misc/local_rules.xml b/wazuh-manager-container/misc/local_rules.xml
index 07f3923..ebf6ca3 100644
--- a/wazuh-manager-container/misc/local_rules.xml
+++ b/wazuh-manager-container/misc/local_rules.xml
@@ -1,15 +1,22 @@
- + + + + syscheck /etc/ld.so.preload - POTENTIAL MALWARE (or INVISIBLE PROCESS) - Changes to /etc/ld.so.preload + + POTENTIAL MALWARE (or INVISIBLE PROCESS) - Changes to /etc/ld.so.preload detected + invisible_process invisible_process - ESCALATION - MULTIPLE signs of malware (or invisible processes) + + ESCALATION - MULTIPLE signs of potential malware (or invisible processes) + escalation