Hi,

We are trying to load the rules sets into wazuh 3.8 but face issues trying to restart wazuh with errors such as

ossec-testrule: CRITICAL: rules_list: Group 'windows_application' not found. Invalid 'if_group'.

and

rules_list: Signature ID '61600' not found. Invalid 'if_sid

We would expect that these rule and group ids would be present in the repository. However, this does not seem to be the case. Is there another rules.xml that we are missing to get these rules working from OSSEC not Wazuh (even though Wazuh is OSSEC)?

Hi, I use Wazuh 3.12.3.

I would like use your rule :

<group name="command and control">

<rule id="256000" level="0">
  <if_group>sysmon_event3</if_group>
  <list field="win.eventdata.destinationIp" lookup="address_match_key">etc/lists/emotet-list</list>
  <description>IP connection to Emotet Command and Control</description>
  <group>emotet,</group>
</rule>

But where is /etc/list/emotet-list ? What's inside?

As title :)

https://github.com/olafhartong/sysmon-modular

Hi
it looks wonderful configuration to use, but I did not manage to use it on the latest Wazuh
it might be that they add some rule already "0330-sysmon_rules.xml" in the path:
/var/ossec/ruleset/rules/

The error looks like this:

Feb 29 19:48:27 manager systemd[1]: Starting Wazuh manager...
Feb 29 19:48:27 manager env[6611]: 2020/02/29 19:48:27 ossec-analysisd: ERROR: Duplicate rule ID:255571
Feb 29 19:48:27 manager env[6611]: 2020/02/29 19:48:27 ossec-analysisd: CRITICAL: (1220): Error loading the rules: 'etc/rules/local_rules.xml'.
Feb 29 19:48:27 manager env[6611]: ossec-analysisd: Configuration error. Exiting
Feb 29 19:48:27 manager systemd[1]: wazuh-manager.service: control process exited, code=exited status=1
Feb 29 19:48:27 manager systemd[1]: Failed to start Wazuh manager.
Feb 29 19:48:27 manager systemd[1]: Unit wazuh-manager.service entered failed state.
Feb 29 19:48:27 manager systemd[1]: wazuh-manager.service failed.