Hi Maha,
Hope you are doing well. Thank you for using Wazuh.
Wazuh can be integrated with other open-source network intrusion detection system tools like Suricata. Suricata can provide additional insights into your network's security with its network traffic inspection capabilities.
Check this document for network IDS integration:
https://documentation.wazuh.com/current/proof-of-concept-guide/integrate-network-ids-suricata.html
Also, check this document for responding to network attacks with Suricata and Wazuh XDR:
https://wazuh.com/blog/responding-to-network-attacks-with-suricata-and-wazuh-xdr/
Also, check the command monitoring capabilities in Wazuh. With the command monitoring capability, Wazuh can monitor the output of specific commands and treat that output as though it were log file content.
For example, after adding the below to the ossec.conf file:
<localfile>
  <log_format>full_command</log_format>
  <command>netstat -nputw</command>
  <alias>netstat outbound connections</alias>
  <frequency>30</frequency>
</localfile>
Then create a custom rule on the Wazuh server to generate an alert:
<group name="local,">
  <rule id="100002" level="7">
    <if_sid>530</if_sid>
    <!-- The match prefix must contain the alias defined in the localfile block above -->
    <match>ossec: output: 'netstat outbound connections</match>
    <!-- Alert only when the command output differs from the previously stored output -->
    <check_diff />
    <description>Listened ports status (netstat nputw) changed (new port opened or closed).</description>
    <group>pci_dss_10.2.7,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,</group>
  </rule>
</group>
Check this document to learn more:
https://documentation.wazuh.com/current/user-manual/capabilities/command-monitoring/index.html
Please test your configuration in the test environment before deploying it to production.
I hope this answers your questions. Please let me know if you need any further information or help regarding this.
Regards
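Added example, not part of the reply above: a small Python checker that models how the two snippets fit together. It verifies that the rule's `<match>` prefix agrees with the `<alias>` in the localfile block (a mismatch means the rule never fires), models `check_diff` as "no alert on the first sample, alert on every later change" (assumed behaviour), and reports which netstat lines appeared or disappeared, which the Wazuh alert itself does not list. The netstat lines are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the snippets from the reply, held in memory rather than read from disk.
LOCALFILE_XML = """<localfile>
  <log_format>full_command</log_format>
  <command>netstat -nputw</command>
  <alias>netstat outbound connections</alias>
  <frequency>30</frequency>
</localfile>"""

RULE_XML = """<group name="local,">
  <rule id="100002" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat outbound connections</match>
    <check_diff />
    <description>Listened ports status (netstat nputw) changed (new port opened or closed).</description>
    <group>pci_dss_10.2.7,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,</group>
  </rule>
</group>"""


def command_event(alias, output):
    """Build the log record the agent submits for a full_command block:
    the header "ossec: output: '<alias>':" followed by the raw command output."""
    return f"ossec: output: '{alias}':\n{output}"


def rule_matches(localfile_xml, rule_xml, output="tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1/sshd"):
    """True if the rule's <match> string is found in the event built from the localfile alias.
    A typo in either the alias or the match string makes this False and the rule silent."""
    alias = ET.fromstring(localfile_xml).findtext("alias")
    match = ET.fromstring(rule_xml).find("rule").findtext("match")
    return match in command_event(alias, output)


def check_diff_alerts(previous_output, current_output):
    """Assumed check_diff model: the first sample is only stored; later samples alert on change."""
    return previous_output is not None and previous_output != current_output


def socket_delta(previous_output, current_output):
    """Return (added_lines, removed_lines) between two netstat outputs, for triaging an alert."""
    before = set(previous_output.splitlines())
    after = set(current_output.splitlines())
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    first = "tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1/sshd"          # constructed sample
    second = first + "\ntcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 9/python3"  # constructed sample
    print("rule matches alias:", rule_matches(LOCALFILE_XML, RULE_XML))
    print("alert on second run:", check_diff_alerts(first, second))
    print("added/removed:", socket_delta(first, second))
```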


Hi Maha,
Hope you are doing well. Sorry for the late response.
The Wazuh server can collect logs via syslog from endpoints such as firewalls, switches, routers, and other devices that don’t support the installation of Wazuh agents. Configure syslog forwarding for your firewall.
Check this documentation to learn more about configuring syslog on the Wazuh server:
Once your logs are forwarded to the Wazuh manager, you need to write some custom rules and decoders if your firewall logs do not generate alerts on the dashboard, or if you need alerts for some specific conditions.
Check this document to learn more about custom decoders and rules:
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html
I hope this helps.
Regards