This project contains custom decoders and rules for Wazuh that I created. Some rules are based on SOC Fortress rules; the rest are my own decoders and rules.
- Put rules and decoder files under `/var/ossec/etc/rules` and `/var/ossec/etc/decoders`.
- Put integration scripts under `/var/ossec/integrations`.
- Put active-response scripts under `/var/ossec/active-response/bin` on the agent side.
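As an added example (not one of this repository's scripts), the POSIX shell script below stages files into the locations listed above with the ownership and modes the Wazuh documentation expects, and refuses to install a rules file whose `<rule id="...">` values fall outside 100000-120000, the range Wazuh reserves for user-defined rules. The source tree layout (`rules/`, `decoders/`, `integrations/`, `active-response/`) and the optional second argument overriding `/var/ossec` are assumptions made for this example so it can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not part of this repository: stage custom Wazuh rules,
# decoders, integration scripts and active-response scripts into the
# directories named in the README. Source layout (rules/, decoders/,
# integrations/, active-response/) and the optional ossec-root override
# are assumptions made for this example.
set -eu

# check_rule_ids <rules.xml>
# Returns 1 if any <rule id="..."> falls outside 100000-120000, the range
# Wazuh reserves for user-defined rules; an ID colliding with a stock rule
# is either rejected at start-up or silently shadows the built-in rule.
check_rule_ids() {
  local f="$1" id bad=0
  for id in $(grep -o 'id="[0-9]*"' "$f" | tr -dc '0-9\n'); do
    if [ "$id" -lt 100000 ] || [ "$id" -gt 120000 ]; then
      echo "warning: $f: rule id $id is outside the custom range 100000-120000" >&2
      bad=1
    fi
  done
  return "$bad"
}

# place <src-dir> <dest-dir> <mode> <owner:group> <suffix>
# Copies files matching <suffix> from <src-dir> into <dest-dir> with <mode>.
# Ownership is changed only when running as root on a host that has the
# wazuh user, so the same function works against a scratch directory.
place() {
  local from="$1" to="$2" mode="$3" own="$4" suffix="$5" f name
  [ -d "$from" ] || return 0          # nothing of this kind to install
  mkdir -p "$to"
  for f in "$from"/*"$suffix"; do
    [ -f "$f" ] || continue           # unmatched glob or a subdirectory
    name=$(basename "$f")
    install -m "$mode" "$f" "$to/$name"
    if [ "$(id -u)" -eq 0 ] && id wazuh >/dev/null 2>&1; then
      chown "$own" "$to/$name"
    fi
    echo "installed $to/$name (mode $mode)"
  done
}

# install_wazuh_custom <source-dir> [ossec-root]
# Validates rule IDs first so a bad file never reaches the manager, then
# stages every component into its Wazuh directory.
install_wazuh_custom() {
  local src="$1" root="${2:-/var/ossec}" f ok=1
  for f in "$src"/rules/*.xml; do
    [ -f "$f" ] || continue
    check_rule_ids "$f" || ok=0
  done
  [ "$ok" -eq 1 ] || { echo "aborting: fix the rule IDs above" >&2; return 1; }

  # rules/decoders are read by the analysis engine: wazuh:wazuh, 0660
  place "$src/rules"           "$root/etc/rules"           660 wazuh:wazuh .xml
  place "$src/decoders"        "$root/etc/decoders"        660 wazuh:wazuh .xml
  # executables are run by the manager/agent: root:wazuh, 0750
  place "$src/integrations"    "$root/integrations"        750 root:wazuh  ""
  place "$src/active-response" "$root/active-response/bin" 750 root:wazuh  ""
}

# Usage: sh install-custom.sh <source-dir> [ossec-root]
if [ "$#" -ge 1 ]; then
  install_wazuh_custom "$@"
fi
```

After staging on a real manager, restart `wazuh-manager` (or the agent, for active-response scripts) so the new files are loaded, and feed a sample log line through `/var/ossec/bin/wazuh-logtest` to confirm the decoder and rule fire as intended before relying on them for alerts.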
You can install the Wazuh Agent by running the following command:

For Linux agent:

```bash
curl -sSL https://raw.githubusercontent.com/bayusky/wazuh-custom-rules-and-decoders/main/install-agent.sh -o install-agent.sh && bash install-agent.sh
```

For Windows agent:

```powershell
Invoke-WebRequest https://raw.githubusercontent.com/bayusky/wazuh-custom-rules-and-decoders/main/install-agent.ps1 -OutFile install-agent.ps1; powershell -ExecutionPolicy Bypass -File .\install-agent.ps1
```

The script will ask about:
- Wazuh Agent version
- Wazuh Manager IP address
- Wazuh Agent group (empty for 'default')
- Authentication key (optional)
- Install quarantine-malware.sh (optional)
Note: for security, always review scripts before running them directly from the internet.
Feel free to use it, you can redistribute it and/or modify it under the terms of GPLv2. Cybersecurity is hard, so let's work together.
I will update rules and decoders if the projects I work on require them.
If you find my repository useful, I'd gladly accept a cup of coffee at ko-fi or trakteer.