From ae2f71bbb710037dffe8198b6a55ec9cfa35213a Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Mon, 20 Apr 2026 10:45:29 -0500
Subject: [PATCH] chore(rules): 2026/04/20 FPR

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 rules/false_positives/wazuh.yara | 38 ++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/rules/false_positives/wazuh.yara b/rules/false_positives/wazuh.yara
index bc3c9ce7b..f972847c2 100644
--- a/rules/false_positives/wazuh.yara
+++ b/rules/false_positives/wazuh.yara
@@ -33,3 +33,41 @@ rule wazuh_mitre_db: override {
 condition:
 filesize > 10MB and filesize < 20MB and all of them
 }
+
+rule wazuh_agentd: override {
+ meta:
+ description = "/var/ossec/bin/wazuh-agentd — Wazuh HIDS agent daemon"
+ rootkit = "medium"
+ rootkit_high = "medium"
+ curl_easy_exfil = "low"
+ load_agent_with_payload = "low"
+
+ strings:
+ $wazuh_agentd = "wazuh-agentd" fullword
+ $libwazuhext = "libwazuhext.so"
+ $ossec_conf = "etc/ossec.conf"
+ $wazuh_home = "Wazuh home directory: %s"
+ $reload_agent = "reloadAgent" fullword
+
+ condition:
+ filesize < 2MB and all of them
+}
+
+rule wazuh_syscheckd: override {
+ meta:
+ description = "/var/ossec/bin/wazuh-syscheckd — Wazuh file integrity monitoring / rootcheck daemon"
+ rootkit = "medium"
+ rootkit_high = "medium"
+ cmd_dev_null_quoted = "medium"
+ proc_s_exe = "medium"
+
+ strings:
+ $libwazuhext = "libwazuhext.so"
+ $wazuh_db_lost = "Connection with wazuh-db lost. Reconnecting."
+ $docker_mod = "wazuh-modulesd:docker-listener"
+ $cti_api = "https://cti.wazuh.com/api/v1/catalog/"
+ $audit_rules = "/etc/audit/rules.d/audit_rules_wazuh.rules"
+
+ condition:
+ filesize < 2MB and all of them
+}
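Review bot: The new `wazuh_syscheckd` override is not anchored to the binary it describes — unlike `wazuh_agentd`, which requires `$wazuh_agentd = "wazuh-agentd" fullword`, none of its five strings names syscheckd, and `libwazuhext.so`, the wazuh-db reconnect message, the docker-listener tag, the CTI URL and the audit-rules path read like shared Wazuh code that other agent binaries may also carry. Because an override downgrades the named findings (`proc_s_exe`, `cmd_dev_null_quoted`, `rootkit*`) for every file it matches, the rule as written widens that downgrade to anything under 2MB that happens to embed those strings. If the shipped binary carries its own name, as wazuh-agentd evidently does, adding `$wazuh_syscheckd = "wazuh-syscheckd" fullword` to the strings would tie the override to the intended file. Both new rules also bound `filesize` only from above, whereas the preceding `wazuh_mitre_db` rule brackets it on both sides; a lower bound such as `filesize > <MIN_SIZE_OF_SHIPPED_BINARY>MB` would keep trivially small files that merely contain the strings from inheriting the override.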