Wazuh IDS IPS and WAF


bujang kasep

Aug 11, 2020, 6:44:22 AM
to wa...@googlegroups.com
I want to ask if you can detect IDS or IPS and WAF in Wazuh?

David Fernández Miranda

Aug 11, 2020, 9:14:33 AM
to Wazuh mailing list
Hello! 

Yes, Wazuh is a Host Intrusion Detection System. It can be considered as an IDS and an IPS capable of monitoring WAF.
  • IDS: Wazuh agent runs at a host-level, combining anomaly and signature-based technologies to detect intrusions or software misuse. It can also be used to monitor user activities, assess system configuration, and detect vulnerabilities.
  • IPS: Wazuh agents scan the monitored systems looking for malware, rootkits, and suspicious anomalies. They can detect hidden files, cloaked processes, or unregistered network listeners, as well as inconsistencies in system call responses. In addition to agent capabilities, the server component uses a signature-based approach to intrusion detection, using its regular expression engine to analyze collected log data and look for indicators of compromise. Wazuh can also perform countermeasures to address active threats, such as blocking access to an agent from the threat source when certain criteria are met.
  • WAFs: Wazuh can monitor WAFs using logcollector and its pre-built rules, for example for Apache and AWS among others.
Here you will find a list of all the Wazuh capabilities: https://documentation.wazuh.com/3.13/user-manual/capabilities/index.html

In case of having any more doubts, please do not hesitate to ask.

Regards,

David

bujang kasep

Aug 11, 2020, 9:19:11 AM
to David Fernández Miranda, Wazuh mailing list
Oke 

bujang kasep

Aug 11, 2020, 9:25:15 AM
to David Fernández Miranda, Wazuh mailing list
Hello Mr. David

Is it possible to block attacks in Wazuh via HIDS, or can it only monitor IDS and IPS?

David Fernández Miranda

Aug 11, 2020, 10:20:38 AM
to Wazuh mailing list

Yes! You can use the active response capability to run a command when a certain rule is triggered. In this blog post, you will find useful information to block attacks using the active response: https://wazuh.com/blog/blocking-attacks-active-response/

If you have any more doubts, do not hesitate to ask.

Regards,

David
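
Added example, not part of the thread or of the Wazuh project's own material: an ossec.conf sketch in Wazuh 3.x syntax that ties together the two things described above, collecting a web server log with logcollector and running an active response when a rule fires. The log path, the whitelisted address (constructed), the timeout and the rule IDs (assumed to be the default-ruleset IDs for SSH brute force and repeated web 400 errors) are assumptions to check against your own deployment.

```xml
<!-- Agent side: have logcollector read the web server / WAF log.
     The path is an assumption; use the file your Apache or WAF writes. -->
<ossec_config>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>
</ossec_config>

<!-- Manager side (/var/ossec/etc/ossec.conf). -->
<ossec_config>
  <global>
    <!-- Addresses that active response must never block, for example a
         reverse proxy or load balancer in front of the web server.
         192.0.2.10 is a constructed documentation address. -->
    <white_list>192.0.2.10</white_list>
  </global>

  <!-- The command to run. firewall-drop.sh is one of the scripts shipped
       with Wazuh 3.x; it needs the source IP extracted from the alert. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- When to run it. Rule IDs are assumptions: 5712 (SSH brute force)
       and 31151 (multiple web 400 errors from one source) in the
       default ruleset. Confirm them before enabling. -->
  <active-response>
    <command>firewall-drop</command>
    <!-- local = run on the agent that generated the alert -->
    <location>local</location>
    <rules_id>5712,31151</rules_id>
    <!-- Remove the block after 600 seconds so a false positive
         does not lock a legitimate client out permanently. -->
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

If the web server sits behind a proxy, the source IP in the log may be the proxy's address, so verify which field the decoder extracts as srcip before letting this rule drop traffic.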