Correction Required: Rules Dependency Issue in "Detecting Auto Color Malware with Wazuh" Blog #8719

@bonyjohn05

📌 Request Details

Required Information

  • Target version: 4.12.0

Description

In the referenced blog, two separate sets of rules are mentioned:

  1. Parent rules (Rule IDs: 200150 to 200202) — saved in the sysmonforlinux_rule.xml file.

  2. Child rules (Rule IDs: 100401 to 100405) — recommended to be saved in the local_rules.xml file.

However, this can cause a problem due to how Wazuh analyzes rule files.

⚠️ Issue Explained

Wazuh processes rule files in alphabetical order by file name. This means:

local_rules.xml is loaded before sysmonforlinux_rule.xml.

As a result, Wazuh tries to process the child rules (100401 to 100405) before the parent rules (200150 to 200202), even though the child rules depend on the parent ones via the <if_sid> directive.

Since the parent rules (200155, 200157, etc.) haven't been loaded yet, Wazuh throws warnings like:

2025/07/23 12:55:50 wazuh-analysisd: WARNING: (7617): Signature ID '200155' was not found and will be ignored in the 'if_sid' option of rule '100401'.
2025/07/23 12:55:50 wazuh-analysisd: WARNING: (7619): Empty 'if_sid' value. Rule '100401' will be ignored.
2025/07/23 12:55:50 wazuh-analysisd: WARNING: (7617): Signature ID '200155' was not found and will be ignored in the 'if_sid' option of rule '100402'.
2025/07/23 12:55:50 wazuh-analysisd: WARNING: (7619): Empty 'if_sid' value. Rule '100402' will be ignored.
2025/07/23 12:55:50 wazuh-analysisd: WARNING: (7617): Signature ID '200155' was not found and will be ignored in the 'if_sid' option of rule '100403'.
2025/07/23 12:55:50 wazuh-analysisd: WARNING: (7619): Empty 'if_sid' value. Rule '100403' will be ignored.
2025/07/23 12:55:50 wazuh-analysisd: WARNING: (7617): Signature ID '200157' was not found and will be ignored in the 'if_sid' option of rule '100404'.
2025/07/23 12:55:50 wazuh-analysisd: WARNING: (7619): Empty 'if_sid' value. Rule '100404' will be ignored.
2025/07/23 12:55:50 wazuh-analysisd: WARNING: (7617): Signature ID '200155' was not found and will be ignored in the 'if_sid' option of rule '100405'.

These warnings mean the rule dependencies were not found, so the child rules are skipped entirely.

🧪 Steps to Reproduce

Follow only the Detection Rules section in the blog.

Save:

  • Rules 200150 to 200202 in sysmonforlinux_rule.xml

  • Rules 100401 to 100405 in local_rules.xml

Run:

/var/ossec/bin/wazuh-analysisd -t

Observe the warning output.

🛠 How to Fix

To resolve this issue, do not place the child rules (100401 to 100405) in local_rules.xml. Instead, append them to the bottom of the sysmonforlinux_rule.xml file. This ensures:

  • Parent rules are defined first.

  • Dependent child rules are loaded afterward, in the correct order.

This respects the top-to-bottom rule evaluation Wazuh expects and avoids missing dependency warnings during rule testing.

You can test rule loading with:

/var/ossec/bin/wazuh-analysisd -t

If all dependencies are resolved correctly, no warnings will be shown.
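An added pre-check, not part of the blog or of Wazuh itself, that models the loading order described above: it walks rule files in alphabetical file-name order, records rule ids as they are defined, and reports every <if_sid> that points at a rule not yet seen, which is the condition behind warning 7617. The two sample files are constructed, trimmed versions of the rules in this issue; merging the child rules into the parent file, as the fix recommends, clears the report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files reproducing the issue: the child rule in
# local_rules.xml depends (via if_sid) on a parent rule that lives in
# sysmonforlinux_rule.xml, which sorts after it alphabetically.
SAMPLE_FILES = {
    "sysmonforlinux_rule.xml": """<group name="linux,sysmon,">
  <rule id="200150" level="1"><decoded_as>sysmon-linux</decoded_as>
    <description>Sysmon For Linux Event</description></rule>
  <rule id="200155" level="1"><if_sid>200150</if_sid>
    <field name="system.eventId">^11$</field>
    <description>Sysmon - Event 11: FileCreate</description></rule>
</group>""",
    "local_rules.xml": """<group name="autocolor,malware,">
  <rule id="100401" level="12"><if_sid>200155</if_sid>
    <description>Auto-color malware duplicates itself</description></rule>
</group>""",
}

def parse_rules(xml_text):
    """Return [(rule_id, [if_sid ids])] in document order for one rules file."""
    # A rules file may contain several top-level <group> elements, so wrap it.
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    rules = []
    for rule in root.iter("rule"):
        sids = []
        for node in rule.findall("if_sid"):
            # if_sid may hold a comma-separated list of parent ids
            sids.extend(s for s in re.split(r"[,\s]+", node.text or "") if s)
        rules.append((rule.get("id"), sids))
    return rules

def check_if_sid_order(files):
    """Walk files in the order the issue describes (sorted by file name) and
    report every if_sid naming a rule not yet defined at that point.
    Returns a list of (file, rule_id, missing_parent) tuples."""
    seen, problems = set(), []
    for name in sorted(files):
        for rule_id, sids in parse_rules(files[name]):
            problems.extend((name, rule_id, s) for s in sids if s not in seen)
            seen.add(rule_id)
    return problems

def merge_into_one_file(files, parent_file, child_file):
    """The fix from this issue: append the child rules to the parent file."""
    fixed = {k: v for k, v in files.items() if k != child_file}
    fixed[parent_file] = files[parent_file] + "\n" + files[child_file]
    return fixed

if __name__ == "__main__":
    for name, rule_id, sid in check_if_sid_order(SAMPLE_FILES):
        print(f"{name}: rule {rule_id} references undefined if_sid {sid}")
    fixed = merge_into_one_file(SAMPLE_FILES, "sysmonforlinux_rule.xml", "local_rules.xml")
    print("after fix:", check_if_sid_order(fixed))
```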

✅ Updated Rule Structure (Recommended)

All rules — both parent and child — should be stored together in the sysmonforlinux_rule.xml file. Below is a complete working structure for reference.

<group name="linux,sysmon,">

  <rule id="200150" level="1">
    <decoded_as>sysmon-linux</decoded_as>
    <field name="system.eventId">\.+</field>
    <options>no_full_log</options>
    <description>Sysmon For Linux Event</description>
    <mitre>
      <id>T1204</id>
    </mitre>
    <group>sysmon_event</group>
  </rule>

<!--EventID = 1-->
  <rule id="200151" level="1">
    <if_sid>200150</if_sid>
    <field name="system.eventId">^1$</field>
    <options>no_full_log</options>
    <description>Sysmon - Event 1: Process creation $(eventdata.image)</description>
    <mitre>
      <id>T1204</id>
    </mitre>
    <group>sysmon_event1</group>
  </rule>

<!--EventID = 3-->
  <rule id="200152" level="1">
    <if_sid>200150</if_sid>
    <field name="system.eventId">^3$</field>
    <options>no_full_log</options>
    <description>Sysmon - Event 3: Network connection by $(eventdata.image)</description>
    <group>sysmon_event3</group>
  </rule>

<!--EventID = 5-->
  <rule id="200153" level="1">
    <if_sid>200150</if_sid>
    <field name="system.eventId">^5$</field>
    <options>no_full_log</options>
    <description>Sysmon - Event 5: Process terminated $(eventdata.image)</description>
    <mitre>
      <id>T1204</id>
    </mitre>
    <group>sysmon_event5</group>
  </rule>

<!--EventID = 9-->
  <rule id="200154" level="1">
    <if_sid>200150</if_sid>
    <field name="system.eventId">^9$</field>
    <options>no_full_log</options>
    <description>Sysmon - Event 9: Raw Access Read by $(eventdata.image)</description>
    <mitre>
      <id>T1204</id>
    </mitre>
    <group>sysmon_event9</group>
  </rule>

<!--EventID = 11-->
  <rule id="200155" level="1">
    <if_sid>200150</if_sid>
    <field name="system.eventId">^11$</field>
    <options>no_full_log</options>
    <description>Sysmon - Event 11: FileCreate by $(eventdata.image)</description>
    <group>sysmon_event_11</group>
  </rule>

<!--EventID = 16-->
  <rule id="200156" level="1">
    <if_sid>200150</if_sid>
    <field name="system.eventId">^16$</field>
    <options>no_full_log</options>
    <description>Sysmon - Event 16: Sysmon config state changed $(Event.EventData.Data.Configuration)</description>
    <mitre>
      <id>T1562</id>
    </mitre>
    <group>sysmon_event_16</group>
  </rule>

<!--EventID = 23-->
  <rule id="200157" level="1">
    <if_sid>200150</if_sid>
    <field name="system.eventId">^23$</field>
    <options>no_full_log</options>
    <description>Sysmon - Event 23: FileDelete (A file delete was detected) by $(eventdata.image)</description>
    <mitre>
      <id>T1485</id>
    </mitre>
    <group>sysmon_event_23</group>
  </rule>
  
<!--Overrides-->
<!--EventID = 3. No alerts for events if Image = /var/ossec/bin/wazuh-agentd-->
  <rule id="200200" level="1">
    <if_sid>200152</if_sid>
    <field name="eventdata.image">wazuh-agentd$</field>
    <options>no_full_log</options>
    <description>Sysmon - Event 3: Network connection by $(eventdata.image)</description>
    <group>sysmon_event3</group>
  </rule>

<!--EventID = 11. No alerts for events if Image = /var/ossec/bin/wazuh-agentd-->
  <rule id="200201" level="1">
    <if_sid>200155</if_sid>
    <field name="eventdata.image">wazuh-agentd$</field>
    <options>no_full_log</options>
    <description>Sysmon - Event 11: FileCreate by $(eventdata.image)</description>
    <group>sysmon_event_11</group>
  </rule>

<!--EventID = 23. No alerts for events if Image = /var/ossec/bin/wazuh-agentd-->
  <rule id="200202" level="1">
    <if_sid>200157</if_sid>
    <field name="eventdata.image">wazuh-agentd$</field>
    <options>no_full_log</options>
    <description>Sysmon - Event 23: FileDelete (A file delete was detected) by $(eventdata.image)</description>
    <mitre>
      <id>T1485</id>
    </mitre>
    <group>sysmon_event_23</group>
  </rule>

</group>

<group name="autocolor, malware,">

  <!-- Post malware execution -->
  <rule id="100401" level="12" frequency="2" ignore="120">
    <if_sid>200155</if_sid>
    <field name="eventdata.Image" type="pcre2">(?i).elf</field>
    <field name="eventdata.targetFilename" type="pcre2">\/var\/log\/cross\/auto-color</field>
    <description>Auto-color malware duplicates itself as $(eventdata.targetFilename).</description>
    <mitre>
      <id>T1036.005</id>
      <id>T1059</id>
    </mitre>
  </rule>


  <rule id="100402" level="12" frequency="2" ignore="120">
    <if_sid>200155</if_sid>
    <field name="eventdata.Image" type="pcre2">(?i).elf</field>
    <field name="eventdata.targetFilename" type="pcre2">\/usr\/lib\/[^\/]+\/libcext\.so\.2</field>
    <description>Auto-color malware created file $(eventdata.TargetFilename) to enable malicious library hooking of libc functions.</description>
    <mitre>
      <id>T1574.006</id>
      <id>T1036.005</id>
    </mitre>
  </rule>


  <rule id="100403" level="12" frequency="2" ignore="120">
    <if_sid>200155</if_sid>
    <field name="eventdata.Image" type="pcre2">(?i).elf</field>
    <field name="eventdata.targetFilename" type="pcre2">\/etc\/ld\.so\.preload</field>
    <description>Auto-color malware created file $(eventdata.targetFilename) to load a malicious library for persistence and libc function hooking.</description>
    <mitre>
      <id>T1574.006</id>
      <id>T1546.015</id>
      <id>T1098</id>
    </mitre>
  </rule>


  <!-- Rule for File Deletion (Event ID 23)-->
  <rule id="100404" level="12" frequency="2" ignore="120">
    <if_sid>200157</if_sid>
    <field name="eventdata.Image" type="pcre2">(?i).elf</field>
    <field name="eventdata.targetFilename" type="pcre2">(?i).elf</field>
    <description>Possible Auto-color malware behavior: deletes its original $(eventdata.targetFilename).</description>
    <mitre>
      <id>T1070.004</id>
    </mitre>
  </rule>


  <!-- Rule for File Creation /var/log/cross/config-err-* -->
  <rule id="100405" level="12" frequency="2" ignore="120">
    <if_sid>200155</if_sid>
    <field name="eventdata.Image" type="pcre2">(?i).elf</field>
    <field name="eventdata.targetFilename" type="pcre2">\/var\/log\/cross\/(?:.*\/)?config-err-.+</field>
    <description>Auto-color malware created file $(eventdata.targetFilename) to facilitate encrypted C2 communication.</description>
    <mitre>
      <id>T1071.001</id>
      <id>T1008</id>
      <id>T1568</id>
    </mitre>
  </rule>


</group>

🛠 Related Issue:

GitHub Community Discussion: https://github.com/wazuh/community/issues/53770
