Geolocation detection anomaly: how to fix it?
246 views
Skip to first unread message
mauro....@cmcc.it
Jun 9, 2023, 4:15:16 PM6/9/23
to Wazuh mailing list
Dear Users,
during a penetration test, I noticed the source public IP I was using is not correctly detected by the Geolocator.
I tried to check the source IP location using https://www.iplocation.net/ip-lookup website and … surprise!
The same IP address seems to be detected in different italian areas by the different geolocators shown in the web page mentioned above. The wrong one is Milan
Geolocation data from DB-IP gives the wrong answer (Milan)
Geolocation data from IP2Location gives the right answer (because I know where is located the srcip public iP :-) )
Question: is there a way to change the geolocator used by Wazuh?
The same IP address seems to be detected in different italian areas by the different geolocators shown in the web page mentioned above. The wrong one is Milan
Geolocation data from DB-IP gives the wrong answer (Milan)
Geolocation data from IP2Location gives the right answer (because I know where is located the srcip public iP :-) )
Question: is there a way to change the geolocator used by Wazuh?
Sebastian Dario Bustos
Jun 9, 2023, 9:23:08 PM6/9/23
to Wazuh mailing list
Hi Mauro,
Thank you for using Wazuh!!!
Thank you for using Wazuh!!!
I'll investigate this further and let you know.
Regards.
Mauro Tridici
Jun 10, 2023, 2:35:17 AM6/10/23
to Sebastian Dario Bustos, Wazuh mailing list, Osvaldo Marra
Hi Sebastian,
Thank you for taking care of my case.
Have a great day.
Mauro
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/XxB9kWMqv1o/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/8860d436-6ca1-4bdd-a6b3-dbcaead646e9n%40googlegroups.com.
Mauro Tridici
Jun 14, 2023, 8:39:37 AM6/14/23
to Sebastian Dario Bustos, Wazuh mailing list
Hello Sebastian,
I’m sorry to disturb you again, but I only would like to know if you had the time to identify a solution for my case.
Many thanks again.
Have a great day,
Mauro
Sebastian Dario Bustos
Jul 25, 2023, 6:17:36 PM7/25/23
to Wazuh mailing list
Hello Mauro,
Unfortunately this change is only possible with just a configuration since the integration with GeoIP is coded in wazuh-analysisd: decoder.c. We can only change the provider by implementing a new integration in the code.
On the other hand, if this is not a data you need to catch / analyze with the rules but just to increase the amount of data shown on the Dashboard alert you can check this:
Let me know.
Regards.
Mauro Tridici
Jul 26, 2023, 3:35:29 AM7/26/23
to Sebastian Dario Bustos, Wazuh mailing list
Hello Sebastian,
many thanks for your help and for the time you spent for my case.
Anyway John Soliani provided me a workaround to fix my issue.
You can find the instructions here: https://groups.google.com/g/wazuh/c/PYOjFtZ6K9o/m/pSpw-QHiAAAJ
Have a great day.
Regards,
Mauro
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/b147a99b-64cf-4f19-978d-6ab95191bc71n%40googlegroups.com.
Sebastian Dario Bustos
Jul 28, 2023, 5:48:23 PM7/28/23
to Wazuh mailing list
Hi Mauro,
Oh, ok, yes, to update it, ok, glad it worked!
Reply all
Reply to author
Forward
0 new messages