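--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -33,3 +33,41 @@ rule wazuh_mitre_db: override {
 condition :
 filesize > 10MB and filesize < 20MB and all of them
 }
+
+rule wazuh_agentd : override {
+meta :
+description = " /var/ossec/bin/wazuh-agentd — Wazuh HIDS agent daemon "
+rootkit = " medium "
+rootkit_high = " medium "
+curl_easy_exfil = " low "
+load_agent_with_payload = " low "
+
+strings :
+$ wazuh_agentd = " wazuh-agentd " fullword
+$ libwazuhext = " libwazuhext.so "
+$ ossec_conf = " etc/ossec.conf "
+$ wazuh_home = " Wazuh home directory: %s "
+$ reload_agent = " reloadAgent " fullword
+
+condition :
+filesize < 2MB and all of them
+}
+
+rule wazuh_syscheckd : override {
+meta :
+description = " /var/ossec/bin/wazuh-syscheckd — Wazuh file integrity monitoring / rootcheck daemon "
+rootkit = " medium "
+rootkit_high = " medium "
+cmd_dev_null_quoted = " medium "
+proc_s_exe = " medium "
+
+strings :
+$ libwazuhext = " libwazuhext.so "
+$ wazuh_db_lost = " Connection with wazuh-db lost. Reconnecting. "
+$ docker_mod = " wazuh-modulesd:docker-listener "
+$ cti_api = " https://cti.wazuh.com/api/v1/catalog/ "
+$ audit_rules = " /etc/audit/rules.d/audit_rules_wazuh.rules "
+
+condition :
+filesize < 2MB and all of them
+}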
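Review bot: Both new override rules downgrade the rootkit, rootkit_high, curl_easy_exfil, proc_s_exe and related findings for any file under 2MB that carries the listed strings, so the suppression is keyed purely on string content rather than on the identity of the Wazuh binaries it is meant to cover; narrowing the condition to the expected file type, e.g. `uint32(0) == 0x464c457f and filesize < 2MB and all of them`, or pairing it with a hash-based allowlist of the shipped daemons would keep the override from applying more broadly than intended. In wazuh_syscheckd, the strings `$docker_mod` and `$cti_api` read like wazuh-modulesd functionality rather than the syscheck/rootcheck daemon; if either is absent from the actual wazuh-syscheckd binary, `all of them` never matches and the override silently never takes effect, so the string set is worth confirming against the shipped binary. The rendered text also shows spaces around `$` and inside every quoted literal (`$ wazuh_agentd = " wazuh-agentd " fullword`, `rootkit = " medium "`), which is probably a display artifact but should be checked in the raw file, since a meta value of `" medium "` would not equal `"medium"`.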