From 34565c10fced9652e959c79f2ec1aa7d05d5fc2a Mon Sep 17 00:00:00 2001
From: Drazen <drazen.szep@codeenigma.com>
Date: Tue, 27 May 2025 14:22:19 +0200
Subject: [PATCH 1/2] Refactoring-custom-wazuh-rules

---
 .../debian/wazuh/files/custom_wazuh_rules.xml | 25 ++++++++++++++-----
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/roles/debian/wazuh/files/custom_wazuh_rules.xml b/roles/debian/wazuh/files/custom_wazuh_rules.xml
index 8248f3013..c88f2d702 100644
--- a/roles/debian/wazuh/files/custom_wazuh_rules.xml
+++ b/roles/debian/wazuh/files/custom_wazuh_rules.xml
@@ -1,18 +1,31 @@
 <!-- Custom rules -->
 <group name="web,accesslog">
-  <rule id="31151" level="10" frequency="200" timeframe="3600" overwrite="yes">
-    <if_matched_sid>31101</if_matched_sid>
+  <!-- Disable original 31151 rule -->
+  <rule id="31151" level="0" overwrite="yes">
+    <description>Disabled to prevent false positives.</description>
+  </rule>
+
+  <!-- Match HTTP 401 Unauthorized responses using regex -->
+  <rule id="41101" level="5">
+    <if_sid>31151</if_sid>
+    <regex>\s401\s</regex>
+    <description>HTTP 401 Unauthorized response</description>
+    <group>web,accesslog</group>
+  </rule>
+
+  <!-- Correlation rule for multiple 401s -->
+  <rule id="41151" level="10" frequency="200" timeframe="3600">
+    <if_matched_sid>41101</if_matched_sid>
     <same_source_ip />
-    <description>Multiple web server 400 error codes</description>
-    <description>from the same source IP.</description>
+    <description>Multiple 401 Unauthorized responses from the same source IP</description>
     <mitre>
       <id>T1595.002</id>
     </mitre>
-    <group>web_scan,recon,pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
+    <group>web_scan,recon</group>
   </rule>
 </group>
 
-<group name="whitelist,">
+<group name="whitelist">
   <rule id="100102" level="0">
     <if_sid>521</if_sid>
     <match>scantem</match>

From c1cbb489fbf309e9be0d25a61b297390a5667ef6 Mon Sep 17 00:00:00 2001
From: drazenCE <140631110+drazenCE@users.noreply.github.com>
Date: Mon, 16 Jun 2025 08:03:05 +0200
Subject: [PATCH 2/2] Update custom_wazuh_rules.xml

---
 roles/debian/wazuh/files/custom_wazuh_rules.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/debian/wazuh/files/custom_wazuh_rules.xml b/roles/debian/wazuh/files/custom_wazuh_rules.xml
index c88f2d702..f9f84cb2c 100644
--- a/roles/debian/wazuh/files/custom_wazuh_rules.xml
+++ b/roles/debian/wazuh/files/custom_wazuh_rules.xml
@@ -8,7 +8,7 @@
   <!-- Match HTTP 401 Unauthorized responses using regex -->
   <rule id="41101" level="5">
     <if_sid>31151</if_sid>
-    <regex>\s401\s</regex>
+    <regex type="pcre2">^\S+\s+-\s+(?!-)\S+\s+\[.*?\]\s+".*?"\s+401\s</regex>
     <description>HTTP 401 Unauthorized response</description>
     <group>web,accesslog</group>
   </rule>