When it comes to writing rules and decoders from scratch, have a look at the folder /var/ossec/ruleset, where the onboard (built-in) rules and decoders live.
For Maltrail I tried to add decoders and rules here:
https://github.com/wazuh/wazuh/pull/7031
Have a look at the files added in that PR and try it yourself in /var/ossec/etc/rules and /var/ossec/etc/decoders. Note that custom rules and decoders now go under etc/ rather than the ruleset/ folder, because etc/ holds the configuration that is meant to be changed by the user.
First we have our log:
Dec 23 14:55:34 OPNsense.localdomain CEF: 0|Maltrail|sensor|0.26.1|2020-12-23|long domain (suspicious)|0|src=172.24.68.133 spt=55989 dst=8.8.8.8 dpt=53 trail=(q6pmisvlqpgxptq1s6psghvyoqali.uribl).rspamd.com ref=(heuristic)
For this we need a decoder to detect it:
<!-- Parent decoder: matches on the syslog program name "CEF" -->
<decoder name="CEF">
  <program_name>^CEF</program_name>
</decoder>

<!-- Child decoder: splits the pipe-separated CEF header and the key=value extension fields -->
<decoder name="CEF">
  <parent>CEF</parent>
  <regex>(\w+)\|(\w+)\|(\w+)\|(\.+)\|(\d+-\d+-\d+)\|(\.+)\|(\d+)\|src=(\d+.\d+.\d+.\d+) spt=(\.+) dst=(\d+.\d+.\d+.\d+) dpt=(\.+) trail=(\.+) ref=(\.+)</regex>
  <!-- one name per capture group, in the same order as the groups above -->
  <order>code, application, type, version, date, category, severity, srcip, srcport, dstip, dstport, trail, ref</order>
</decoder>
And now we can add rules to detect the decoded logs:
<group name="Maltrail,connection_attempt,">
  <!-- Base rule: everything decoded as CEF lands here; level 0 so it never alerts on its own -->
  <rule id="64520" level="0">
    <decoded_as>CEF</decoded_as>
    <description>Maltrail messages grouped.</description>
  </rule>

  <!-- Child rules: escalate by the decoded "severity" field -->
  <rule id="64521" level="3">
    <if_sid>64520</if_sid>
    <field name="severity">0</field>
    <description>Low critical Maltrail event triggered</description>
  </rule>

  <rule id="64522" level="7">
    <if_sid>64520</if_sid>
    <field name="severity">1</field>
    <description>Medium critical Maltrail event triggered</description>
  </rule>

  <rule id="64523" level="10">
    <if_sid>64520</if_sid>
    <field name="severity">2</field>
    <description>High critical Maltrail event triggered</description>
  </rule>
</group>
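To check that the capture groups in the decoder's regex really line up with the names in <order>, and that each severity value reaches the rule you expect, it helps to walk one line through the same two stages outside Wazuh. The following Python script is an added example and not part of the post or of the Wazuh PR: it mirrors the decoder chain (syslog pre-decoding, then the CEF regex with the post's field order) and the rule tree above, using a constructed copy of the sample line. Two details are assumptions of the example rather than Wazuh behaviour: severity is compared exactly (a Wazuh <field> value is itself a regex, so anchor it with ^ and $ when an exact match matters), and the alert threshold of 3 stands in for the manager's default log_alert_level.

```python
import re

# Constructed sample, same shape as the Maltrail CEF line shown in the post.
SAMPLE = (
    "Dec 23 14:55:34 OPNsense.localdomain CEF: 0|Maltrail|sensor|0.26.1|2020-12-23|"
    "long domain (suspicious)|0|src=172.24.68.133 spt=55989 dst=8.8.8.8 dpt=53 "
    "trail=(q6pmisvlqpgxptq1s6psghvyoqali.uribl).rspamd.com ref=(heuristic)"
)

# Stage 1: syslog pre-decoding (timestamp, hostname, program_name, message).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\s]+): (?P<msg>.*)$"
)

# Stage 2: Python equivalent of the child decoder's <regex>; the group order
# must match the names in <order>, which is exactly what this list checks.
ORDER = ["code", "application", "type", "version", "date", "category", "severity",
         "srcip", "srcport", "dstip", "dstport", "trail", "ref"]
CEF_RE = re.compile(
    r"^(\w+)\|(\w+)\|(\w+)\|([^|]+)\|(\d+-\d+-\d+)\|([^|]+)\|(\d+)\|"
    r"src=(\d+\.\d+\.\d+\.\d+) spt=(\d+) dst=(\d+\.\d+\.\d+\.\d+) dpt=(\d+) "
    r"trail=(\S+) ref=(\S+)$"
)
assert CEF_RE.groups == len(ORDER), "decoder <order> and regex groups disagree"

# Stage 3: the rule tree from the post. 64520 catches everything decoded as
# CEF; its children fire on the decoded severity (exact match, see lead-in).
BASE_RULE = (64520, 0, "Maltrail messages grouped.")
SEVERITY_RULES = {
    "0": (64521, 3, "Low critical Maltrail event triggered"),
    "1": (64522, 7, "Medium critical Maltrail event triggered"),
    "2": (64523, 10, "High critical Maltrail event triggered"),
}


def decode(line):
    """Return the decoded fields, or None when the line is not a Maltrail CEF line."""
    m = SYSLOG_RE.match(line)
    # <program_name>^CEF</program_name>: the parent decoder keys on the program name.
    if not m or not m.group("prog").startswith("CEF"):
        return None
    c = CEF_RE.match(m.group("msg"))
    if not c:
        return None
    fields = dict(zip(ORDER, c.groups()))
    fields["hostname"] = m.group("host")
    return fields


def match_rule(fields):
    """Return (rule_id, level, description) of the most specific rule that fires."""
    return SEVERITY_RULES.get(fields["severity"], BASE_RULE)


def process(line, alert_level=3):
    """Decode one line and evaluate the rules; alert_level mimics log_alert_level (assumed 3)."""
    fields = decode(line)
    if fields is None:
        return None
    rule_id, level, description = match_rule(fields)
    return {
        "fields": fields,
        "rule_id": rule_id,
        "level": level,
        "description": description,
        "alert": level >= alert_level,
    }


if __name__ == "__main__":
    result = process(SAMPLE)
    print(f"rule {result['rule_id']} level {result['level']}: {result['description']}")
    for name in ORDER:
        print(f"  {name:12s} = {result['fields'][name]}")
```

A severity the rules do not cover (anything other than 0, 1 or 2) stays on the base rule 64520 at level 0, so it is decoded but never alerted; if Maltrail ever emits such a value, that is the case to watch for when the expected alerts are missing.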