fix A2/A3 rule OR-trap: replace multi-<match> with single <regex> lookaheads

Root cause: multiple <match> elements in a Wazuh rule are ORed, not ANDed.
Rule 110311 (A2-01 RDP allowed) matched every FortiGate traffic log (~5M
hits/day) because type=traffic OR action=accept is almost always true.

Fixes:
- 110311: single pcre2 regex (?=.*dstport=3389)(?=.*action=accept) to
  require BOTH dstport=3389 AND action=accept in same raw log.
  Note: dstport/action are Wazuh static fields — <field> tag rejected;
  PCRE2 lookaheads in <regex> are the correct AND mechanism.
- 110320: single pcre2 regex for type=traffic AND threat_label=known-c2.
- 110331: pcre2 regex for ssl-login-success AND user=guest (AND fix).
- 110332: pcre2 regex for ssl-login-success AND previous_country=.
- 110333: pcre2 regex for ssl-login-success AND failed_attempts_before_success=.

Verified with wazuh-logtest: dstport=3389+accept fires 110311; dstport=161
only fires parent 81618.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

wazuh-docker/single-node/config/wazuh_cluster/rules/soc-a2-fortigate-fw-rules.xml

@@ -29,14 +29,14 @@
 
   <!-- A2-01: RDP traffic allowed through firewall
        Parent: 81603 (FortiGate base — NOT 81618 to avoid 3-level chain depth limit)
-       81618 uses if_sid=81603; chaining from 81618 creates a 3-level chain that
-       Wazuh 4.x does not evaluate. Use sibling pattern: if_sid=81603 + type=traffic.
-       Real data: dstport=3389, action="accept" confirmed in archives -->
+       Fix 2026-03-22: replaced multiple <match> (ORed) with single <regex> (AND).
+       Multiple <match> elements in Wazuh fire if ANY one matches — old rule
+       matched every traffic log via type=traffic or action=accept (~5M hits/day).
+       dstport/action are static Wazuh fields — cannot use <field>; use PCRE2
+       lookaheads in a single <regex> to require BOTH conditions in the raw log. -->
   <rule id="110311" level="12">
     <if_sid>81603</if_sid>
-    <match>type="traffic"|type=traffic</match>
-    <match>dstport=3389</match>
-    <match>action="accept"|action=accept</match>
+    <regex type="pcre2">(?=.*\bdstport=3389\b)(?=.*\baction="?accept"?)</regex>
     <description>A2-01 [PROD] FortiGate: RDP (3389) traffic allowed</description>
     <group>soc_prod,a2,rdp,</group>
     <mitre><id>T1021.001</id></mitre>
@@ -126,11 +126,13 @@
   </rule>
 
   <!-- A2-10: Traffic to known C2/malicious IP
-       Parent: 81603 (FortiGate base — sibling pattern, same fix as 110311) -->
+       Parent: 81603 (FortiGate base — sibling pattern, same fix as 110311)
+       Fix 2026-03-22: single <regex> with PCRE2 lookaheads ANDs both conditions.
+       threat_label is not extracted by Wazuh's built-in FortiGate decoder so
+       raw log matching via regex is required. -->
   <rule id="110320" level="8">
     <if_sid>81603</if_sid>
-    <match>type="traffic"|type=traffic</match>
-    <match>threat_label="known-c2"|threat_label=known-c2</match>
+    <regex type="pcre2">(?=.*\btype="?traffic"?)(?=.*threat_label="?known-c2"?)</regex>
     <description>A2-10 [PROD] FortiGate: traffic to known C2/malicious IP allowed</description>
     <group>soc_prod,a2,ioc,c2,</group>
     <mitre><id>T1071.001</id></mitre>

wazuh-docker/single-node/config/wazuh_cluster/rules/soc-a3-fortigate-vpn-rules.xml

@@ -22,16 +22,19 @@
 
   Fix history:
     2026-03-19: Changed if_group=fortigate → if_sid; adapted A3-05 for IPsec tunnel-up
+    2026-03-22: 110331-110333 — replaced dual <match> (ORed) with single <regex> (both
+                conditions ANDed in one expression) to prevent false-positives when
+                SSL-VPN is enabled.
 -->
 <group name="soc_mvp,appendix_a,a3,vpn,fortigate,">
 
   <!-- A3-01: VPN authentication success by guest account (SSL-VPN)
        Requires SSL-VPN to be enabled on FortiGate.
-       Parent: 81603 (generic base — ssl-login-success is in the raw log) -->
+       Parent: 81603 (generic base — ssl-login-success is in the raw log)
+       Single <regex> ANDs both conditions (dual <match> would be ORed). -->
   <rule id="110331" level="12">
     <if_sid>81603</if_sid>
-    <match>ssl-login-success</match>
-    <match>user="guest"|user=guest</match>
+    <regex type="pcre2">ssl-login-success.*user="?guest"?</regex>
     <description>A3-01 [PROD] SSL-VPN: authentication success by guest account</description>
     <group>soc_prod,a3,vpn_guest,</group>
     <mitre><id>T1078.001</id></mitre>
@@ -41,8 +44,7 @@
        Requires SSL-VPN and FortiGate geo-login tracking -->
   <rule id="110332" level="12">
     <if_sid>81603</if_sid>
-    <match>ssl-login-success</match>
-    <match>previous_country=</match>
+    <regex type="pcre2">ssl-login-success.*previous_country=</regex>
     <description>A3-02 [PROD] SSL-VPN: success from different country than last login</description>
     <group>soc_prod,a3,vpn_geo,</group>
     <mitre><id>T1078</id></mitre>
@@ -52,8 +54,7 @@
        Requires SSL-VPN -->
   <rule id="110333" level="12">
     <if_sid>81603</if_sid>
-    <match>ssl-login-success</match>
-    <match>failed_attempts_before_success=</match>
+    <regex type="pcre2">ssl-login-success.*failed_attempts_before_success=</regex>
     <description>A3-03 [PROD] SSL-VPN: success after multiple prior failures (brute-force indicator)</description>
     <group>soc_prod,a3,vpn_bruteforce,</group>
     <mitre><id>T1110.001</id></mitre>