sanwieb / sigwah Goto Github PK

Hi,

I really like your work on this and have already started putting it to fruitful use. I did find that when I bolt these rules onto the stock Wazuh ruleset, that the internal rule count sky rockets to over 200,000 rules, about 50 times bigger than normal. This pushes Wazuh's memory requirements for analysisd (which loads the ruleset) up to over 2GB and makes ruleset load time go from very quick to around 10 seconds, delaying ossec-logtest and wazuh-manager service restarts. Other than the memory demands and the slow ruleset loading, it seems to be working fine. I was discussing this with Wazuh's head developer this morning and he discourages heavy use of <if_group> because

<if_group> is a shortcut to create N rules with <if_sid> for each existing rule belonging that group.

This issue is amplified with <if_group>windows</if_group> specifically because there are so very many rules in the windows group. It would be ideal if these Sigma-related Wazuh rules could be hung off of the specific Wazuh parent rules relevant to them using the <if_sid> construct instead of <if_group> but that may make automatic generation of Wazuh rules based off of the Sigma ruleset much more difficult. Still, it would give vastly more than an order of magnitude analysisd memory reduction and Wazuh ruleset load speed.

What do you think?
Kevin