Re: SURICATA IPS


Allan Patrick

Feb 22, 2023, 10:52:30 AM
to Wazuh mailing list

Hello, I recommend installing Suricata on the client and inserting the following configuration in ossec.conf:

<localfile>
  <log_format>json</log_format>
  <location>/var/log/suricata/eve.json</location>
</localfile>

On the Wazuh server, customize your rules to block what you need.

On 22/02/2023 11:46, Valton T. wrote:
Hi,

How do I set Suricata in IPS mode and block these requests? I wanted to do something that blocks SQL injection or XSS in real time, not just alert on them using Wazuh. If you have any idea, please send it to me.

thanks
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/2a76720a-f472-4581-af0d-96e4dbce9d1en%40googlegroups.com.

Allan Patrick

Feb 22, 2023, 11:00:30 AM
to Wazuh mailing list
View the logs on the client with the command:
tail -f /var/ossec/logs/active-responses.log

On the Wazuh server, customize your rules to generate a blocking level.
https://documentation.wazuh.com/current/user-manual/capabilities/active-response/how-it-works.html

In some cases it is necessary to adjust the decoders; in local_decoder.xml on the Wazuh server, add:

<!-- Child of the built-in "json" decoder. JSON_Decoder flattens every key of the
     eve.json line into a dynamic field (src_ip, alert.signature, ...). -->
<decoder name="json-child">
  <parent>json</parent>
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>

<!-- Second child: copy Suricata's src_ip into the standard srcip field, which is
     the field the firewall-drop active response looks up. -->
<decoder name="json-child">
  <parent>json</parent>
  <regex>"src_ip":"(\S+)"</regex>
  <order>srcip</order>
</decoder>

On 22/02/2023 12:54, Valton T. wrote:
> Hi yes
>
> Already seeing alerts in the Dashboard, but it isn't blocking those
> attackers' IP addresses.
>
> Alerting is working great!
> Thanks

Geoff Nordli

Mar 5, 2023, 12:45:08 PM
to Wazuh mailing list

Hi.

Did you implement the active response?  

I think Allan is suggesting you use that with the firewall drop rule like this:

https://documentation.wazuh.com/current/user-manual/capabilities/active-response/ar-use-cases/blocking-attacks.html

Geoff

On 2023-02-27 06:32, Valton T. wrote:
Hi, I did add this before and I did it again.

Still, Suricata won't prevent anything. It alerts on the things it needs to, but it doesn't prevent them.

Thanks

Allan Patrick

Mar 6, 2023, 6:57:09 AM
to Wazuh mailing list

I recommend evaluating the additional protection modules:
mod_security and its rules
https://github.com/SpiderLabs/ModSecurity
mod_evasive
Cloudflare WAF, for example
and a pen-test scanner for application vulnerabilities.
