codeenigma · drazenCE · May 27, 2025 · May 27, 2025 · Jun 16, 2025
diff --git a/roles/debian/wazuh/files/custom_wazuh_rules.xml b/roles/debian/wazuh/files/custom_wazuh_rules.xml
@@ -1,18 +1,31 @@
 <!-- Custom rules -->
 <group name="web,accesslog">
-  <rule id="31151" level="10" frequency="200" timeframe="3600" overwrite="yes">
-    <if_matched_sid>31101</if_matched_sid>
+  <!-- Disable original 31151 rule -->
+  <rule id="31151" level="0" overwrite="yes">
+    <description>Disabled to prevent false positives.</description>
+  </rule>
+
+  <!-- Match HTTP 401 Unauthorized responses using regex -->
+  <rule id="41101" level="5">
+    <if_sid>31151</if_sid>
+    <regex type="pcre2">^\S+\s+-\s+(?!-)\S+\s+\[.*?\]\s+".*?"\s+401\s</regex>
+    <description>HTTP 401 Unauthorized response</description>
+    <group>web,accesslog</group>
+  </rule>
+
+  <!-- Correlation rule for multiple 401s -->
+  <rule id="41151" level="10" frequency="200" timeframe="3600">
+    <if_matched_sid>41101</if_matched_sid>
     <same_source_ip />
-    <description>Multiple web server 400 error codes</description>
-    <description>from the same source IP.</description>
+    <description>Multiple 401 Unauthorized responses from the same source IP</description>
     <mitre>
       <id>T1595.002</id>
     </mitre>
-    <group>web_scan,recon,pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
+    <group>web_scan,recon</group>
   </rule>
 </group>
 
-<group name="whitelist,">
+<group name="whitelist">
   <rule id="100102" level="0">
     <if_sid>521</if_sid>
     <match>scantem</match>