The Wazuh ruleset is used to detect attacks, intrusions, software misuse, configuration problems, application errors, malware, rootkits, system anomalies and security policy violations.
The ruleset includes compliance mapping with PCI DSS v3.1 and CIS.
```
wazuh/ruleset
├── decoders   # Wazuh decoders created/updated by Wazuh
├── rules      # Wazuh rules created/updated by Wazuh
├── rootcheck  # Wazuh rootchecks created/updated by Wazuh
├── sca        # Security Configuration Assessment created/updated by Wazuh
├── lists      # CDB lists created/updated by Wazuh
|
├── testing    # Ruleset test scripts
|
└── README.md
```
Full documentation at documentation.wazuh.com
If you have created new rules, decoders or rootchecks and you would like to contribute to our repository, please fork our Github repository and submit a pull request. To make a pull request for new rules and decoders, follow these instructions:

1. If your rules and decoders are related to existing ones in the ruleset, add them at the end of the corresponding file. If they are made for a new application or device that Wazuh does not currently support, create a new XML file following the title format. For example, if the last XML file is 0620-last-xml_rules.xml, the next one should be named 0625-new_integration.xml. Please make sure your rules do not use an existing rule id.
2. Make sure to create your test.ini file. You may find examples under the wazuh/ruleset/testing/tests folder. Then add it to the repository along with the rest of the tests.
3. Create the pull request.
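As an added example (not part of the ruleset or its test scripts), the two pre-submission checks from step 1 can be automated: collect every rule id declared in the existing rule files and flag any reused by the contribution, and derive the next file name from the NNNN- prefix convention (the 0620 to 0625 step is taken from the example above). The rule XML below is constructed sample content, not a real ruleset file.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: one existing ruleset file and one proposed contribution.
# A Wazuh rules file holds several top-level <group> elements, so the text is
# wrapped in a synthetic root before parsing.
EXISTING_FILES = {
    "0620-last-xml_rules.xml": """
<group name="example,">
  <rule id="62000" level="0">
    <decoded_as>example</decoded_as>
    <description>Example application messages grouped.</description>
  </rule>
  <rule id="62001" level="5">
    <if_sid>62000</if_sid>
    <match>authentication failure</match>
    <description>Example application: authentication failure.</description>
  </rule>
</group>
""",
}
NEW_FILES = {
    "0625-new_integration.xml": """
<group name="new_integration,">
  <rule id="62001" level="3">
    <decoded_as>new_integration</decoded_as>
    <description>New integration event (id collides on purpose).</description>
  </rule>
</group>
""",
}

def rule_ids(xml_text):
    """Return the rule ids declared in one Wazuh rules file, in file order."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    return [r.get("id") for r in root.iter("rule")]

def duplicate_ids(existing, new):
    """Rule ids in the contributed files that are already taken in the ruleset."""
    taken = {i for text in existing.values() for i in rule_ids(text)}
    return sorted({i for text in new.values() for i in rule_ids(text) if i in taken})

def next_filename(existing_names, suffix):
    """Next file name under the NNNN- prefix convention, stepping by 5."""
    nums = [int(m.group(1)) for n in existing_names if (m := re.match(r"(\d{4})-", n))]
    return f"{max(nums) + 5:04d}-{suffix}.xml"
```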
If you are not familiar with Github, you can also share them through our users mailing list, to which you can subscribe by sending an email to wazuh+subscribe@googlegroups.com. Also, do not hesitate to request new rules or rootchecks that you would like to see running in Wazuh; our team will do its best to make it happen.