From 87cd7c214f03c32861a8f0b10978b4b137ecd73f Mon Sep 17 00:00:00 2001
From: root <carlos.dominguez@wazuh.com>
Date: Fri, 9 Nov 2018 10:35:52 +0000
Subject: [PATCH] adding custom rules/decoders files

---
 .../decoders/sample_custom_decoders.xml       | 25 +++++++++++++++++++
 .../rules/sample_custom_rules.xml             | 18 +++++++++++++
 .../ansible-wazuh-manager/defaults/main.yml   |  3 +++
 .../ansible-wazuh-manager/tasks/main.yml      | 24 ++++++++++++++++++
 4 files changed, 70 insertions(+)
 create mode 100644 roles/wazuh/ansible-wazuh-manager/custom_ruleset/decoders/sample_custom_decoders.xml
 create mode 100644 roles/wazuh/ansible-wazuh-manager/custom_ruleset/rules/sample_custom_rules.xml

diff --git a/roles/wazuh/ansible-wazuh-manager/custom_ruleset/decoders/sample_custom_decoders.xml b/roles/wazuh/ansible-wazuh-manager/custom_ruleset/decoders/sample_custom_decoders.xml
new file mode 100644
index 000000000..bf5947c72
--- /dev/null
+++ b/roles/wazuh/ansible-wazuh-manager/custom_ruleset/decoders/sample_custom_decoders.xml
@@ -0,0 +1,25 @@
+<!-- Local Decoders -->
+
+<!-- Modify it at your will. -->
+
+<!--
+  - Allowed static fields:
+  - location   - where the log came from (only on FTS)
+  - srcuser    - extracts the source username
+  - dstuser    - extracts the destination (target) username
+  - user       - an alias to dstuser (only one of the two can be used)
+  - srcip      - source ip
+  - dstip      - dst ip
+  - srcport    - source port
+  - dstport    - destination port
+  - protocol   - protocol
+  - id         - event id
+  - url        - url of the event
+  - action     - event action (deny, drop, accept, etc)
+  - status     - event status (success, failure, etc)
+  - extra_data - Any extra data
+-->
+
+<decoder name="sample_custom_decoder">
+    <program_name>sample_custom_decoder</program_name>
+</decoder>
diff --git a/roles/wazuh/ansible-wazuh-manager/custom_ruleset/rules/sample_custom_rules.xml b/roles/wazuh/ansible-wazuh-manager/custom_ruleset/rules/sample_custom_rules.xml
new file mode 100644
index 000000000..e5fb35634
--- /dev/null
+++ b/roles/wazuh/ansible-wazuh-manager/custom_ruleset/rules/sample_custom_rules.xml
@@ -0,0 +1,18 @@
+<!-- Local rules -->
+
+<!-- Modify it at your will. -->
+
+<!-- Example -->
+<group name="local,syslog,sshd,">
+
+  <!--
+  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
+  -->
+  <rule id="200001" level="5">
+    <if_sid>5716</if_sid>
+    <srcip>1.1.1.1</srcip>
+    <description>sshd: authentication failed from IP 1.1.1.1.</description>
+    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
+  </rule>
+
+</group>
diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
index 67c83c0a0..559a2bc02 100644
--- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
@@ -167,6 +167,9 @@ wazuh_manager_config:
       executable: 'route-null.cmd'
       expect: 'srcip'
       timeout_allowed: 'yes'
+  ruleset:
+      rules_path: '/etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-manager/custom_ruleset/rules/'
+      decoders_path: '/etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-manager/custom_ruleset/decoders/'
   rule_exclude:
     - '0215-policy_rules.xml'
   active_responses:
diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml
index 950dfe064..6706f17ff 100644
--- a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml
+++ b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml
@@ -96,6 +96,18 @@
     - config
     - rules
 
+- name: Adding local rules files
+  copy: src="{{ wazuh_manager_config.ruleset.rules_path }}"
+        dest=/var/ossec/etc/rules/
+        owner=root
+        group=ossec
+        mode=0640
+  notify: restart wazuh-manager
+  tags:
+    - init
+    - config
+    - rules
+
 - name: Installing the local_decoder.xml
   template: src=var-ossec-rules-local_decoder.xml.j2
             dest=/var/ossec/etc/decoders/local_decoder.xml
@@ -108,6 +120,18 @@
     - config
     - rules
 
+- name: Adding local decoders files
+  copy: src="{{ wazuh_manager_config.ruleset.decoders_path }}"
+        dest=/var/ossec/etc/decoders/
+        owner=root
+        group=ossec
+        mode=0640
+  notify: restart wazuh-manager
+  tags:
+    - init
+    - config
+    - rules
+
 - name: Configure the shared-agent.conf
   template:
     src: var-ossec-etc-shared-agent.conf.j2