GEOIP with Ubuntu


Brad Whitmoyer

Mar 14, 2024, 1:23:16 PM
to Wazuh | Mailing List
Does anyone know of or have a good guide for enabling GEOIP so I can write decoders and rules for location alerts? 

Nicolas Curioni

Mar 14, 2024, 3:28:05 PM
to Brad Whitmoyer, Wazuh | Mailing List

Hello Brad,

Thanks for using Wazuh and sharing your doubts with the community!

Regarding this, I’ll ask you just a little clarification. Do you need to use the GeoIP fields extracted to trigger some alerts?

If this is the case, let me give you some information about this, and about how the process that Wazuh follows to collect and process the information works.

The Wazuh agent collects information from the host it is monitoring. This information can be log files that are being monitored by the logcollector module on the agent. Once a new log is added to the log file, the agent captures said log, and sends it to the Wazuh-Manager.

The Wazuh-Manager receives the logs the agents send and processes them with the Analysis engine (Decoders, Rules, CDB Lists), trying to extract information from the log and use that information to match the criteria of a Rule. If a rule is found and its level is 3 or higher (default customizable threshold), an alert is generated for that rule, and it contains the Description, the level and ID of said rule, along with all the information that was extracted (decoded) from the original log that the Agent sent. This alert is written to a file called alerts.json.
In the Wazuh server, there is another component called Filebeat. This is an event forwarder that takes the alerts.json file as input and sends the alerts’ information to the Wazuh-Indexer.

The Wazuh-Indexer will process the information and create a document for each alert. A daily index (default) is created with these documents as they arrive. The indexing process allows us to perform searches on the information and using the Wazuh-dashboard we are able to visualize this information and populate different dashboards (the Wazuh modules you can see on the Wazuh app). Here, the indexer enriches these alerts with, for example, Geolocalization information.

That being said, you will not be able to use Geolocation fields to trigger alerts, since this information is added to the alert, after it was triggered and processed.

Here, you have 2 possibilities:
1- Build wazuh with the flag USE_GEOIP=yes.
2- As a workaround, you can enrich the alerts with this information before it is processed by the Wazuh-Indexer. For this, you’ll need to use an integration which involves a custom script, in order to get this data from a public API and ingest it into the alert. Here you have some information related to this:

Let me share with you a blog post with a script that performs something similar, but pulling different information:

In your case, you will need a script that performs a call to an API which provides Geolocalization information.

I hope this helps.

Regards!


On Thu, Mar 14, 2024 at 2:23 PM Brad Whitmoyer <brad...@gmail.com> wrote:
Does anyone know of or have a good guide for enabling GEOIP so I can write decoders and rules for location alerts? 

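
The enrichment workaround described in the reply above, as an added example that is not part of this thread or of the Wazuh project. It takes alerts.json-style lines, looks up data.srcip and data.dstip, and attaches the result before the alert would be forwarded to the indexer. Assumptions: the public GeoIP API is replaced by a constructed in-memory table (SAMPLE_GEO_TABLE, with addresses from the RFC 5737 documentation ranges) so it runs offline, the added field is named geoip (a hypothetical name, not a Wazuh schema field), and the script receives the path of the alert file as its first argument, which is how a custom integration script would be invoked here.

```python
"""Enrich Wazuh alerts with geolocation before they reach the indexer.

Added example for this thread, not code from the Wazuh project. The public
GeoIP API is replaced by a constructed in-memory table so the script runs
offline; swap `lookup_geo` for a real client when deploying.
"""
import ipaddress
import json
import sys

# Constructed sample data standing in for the GeoIP API response.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_GEO_TABLE = {
    "198.51.100.23": {"country_name": "Testland", "city_name": "Sampleton",
                      "location": {"lat": 10.0, "lon": 20.0}},
    "203.0.113.7": {"country_name": "Exampleia", "city_name": "Docville",
                    "location": {"lat": -5.5, "lon": 100.25}},
}

# Address space that has no meaningful geolocation and should never be
# handed to an external lookup service.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",     # loopback, link-local, multicast
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",     # IPv6 equivalents
)]


def is_lookup_candidate(value):
    """True for a syntactically valid address outside the non-routable ranges."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:          # malformed value or a hostname instead of an IP
        return False
    # `addr in net` is False when the IP versions differ, so mixing v4/v6 is safe.
    return not any(addr in net for net in NON_ROUTABLE)


def lookup_geo(ip):
    """Stand-in for the API call (assumption); None when the address is unknown."""
    return SAMPLE_GEO_TABLE.get(ip)


def enrich_alert(alert):
    """Return a copy of `alert` with a `geoip` object (hypothetical field name)
    holding geolocation for data.srcip and data.dstip where one is available."""
    enriched = json.loads(json.dumps(alert))   # deep copy; the input stays untouched
    data = enriched.get("data")
    if not isinstance(data, dict):
        return enriched
    geo = {}
    for field, key in (("srcip", "src"), ("dstip", "dst")):
        ip = data.get(field)
        if not isinstance(ip, str) or not is_lookup_candidate(ip):
            continue
        info = lookup_geo(ip)
        if info is not None:
            geo[key] = info
    if geo:
        enriched["geoip"] = geo
    return enriched


def enrich_lines(lines):
    """Parse alerts.json-style lines; lines that are not JSON objects are skipped."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(alert, dict):
            out.append(enrich_alert(alert))
    return out


if __name__ == "__main__":
    # Assumption: the first argument is the alert file handed over by the integration.
    with open(sys.argv[1], encoding="utf-8") as fh:
        for enriched_alert in enrich_lines(fh):
            print(json.dumps(enriched_alert))
```

Two choices matter for a script like this: the original alert is deep-copied rather than mutated, so a failed lookup never leaves a half-enriched record, and private, loopback, link-local and multicast addresses are filtered out before any lookup, so internal address space is never disclosed to a third-party API and the output only carries geolocation for addresses that can actually have one.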

Brad Whitmoyer

Mar 14, 2024, 4:39:56 PM
to Wazuh | Mailing List
Hi Nicolas, I do want alerts triggered based on the location. I also think it would be best if I built Wazuh with the USE_GEOIP flag. However, the only guide I can find for this says I need to install a library that isn't available for Ubuntu.

Nicolas Curioni

Mar 18, 2024, 12:06:13 PM
to Wazuh | Mailing List

Hello Brad,

Thanks for your reply.

This process requires a GeoIP database: We support the legacy Maxmind GeoLite format, and the updated and maintained databases use the new GeoLite2 format. It should be converted to the legacy format using an external tool.

Here are the steps to include the GeoLite2 database in your Wazuh version:

  • Install the libgeoip-dev library, e.g. on Ubuntu: apt install libgeoip-dev
  • Install manager from the source (doc here) but compile it with the USE_GEOIP flag, that is:

    make TARGET=server USE_GEOIP=yes
  • Download the GeoLite2 free databases. It’s necessary to create an account. Choose the City version in CSV format, zipped. Here you can find the link.
  • Download geolite2legacy.py to convert from .CSV to .DAT file (supported by Wazuh).
  • Convert the GeoLite2-City-CSV to DB file. To achieve this, run the following command:

    ./geolite2legacy.py -i GeoLite2-City-CSV_20220603.zip -f geoname2fips.csv -o GeoIP.dat
  • Copy the converted GeoIP.dat DB inside the Wazuh directory. Execute the following command:

    cp GeoIP.dat /var/ossec/etc

The following steps are configuration settings.

Enable USE_GEOIP in ossec.conf file:

    <global>
      <geoipdb>/var/ossec/etc/GeoIP.dat</geoipdb>
    </global>
    <alerts>
      <use_geoip>yes</use_geoip>
    </alerts>

Enable USE_GEOIP in internal_options.conf file:

    analysisd.geoip_jsonout=1
    maild.geoip=1

Restart the Wazuh server and it should run without any ERROR message. At this point the functionality is enabled. Every generated alert that includes a srcip or dstip field will look for the srcgeoip or dstgeoip information in the GeoIP.dat database.
Then, you could create rules using the srcgeoip and dstgeoip fields.

Regards!
