Hi Ajay Gandikota
Hope you are doing well. Thank you for using Wazuh.
You can use the CDB lists option as a whitelist or blacklist for MAC addresses.
Check the documentation for details:
https://documentation.wazuh.com/current/user-manual/ruleset/cdb-list.html
The CDB list has the following format:
key:value
The rule-matching procedure uses the key to compare with the selected field. In your case, the correct format should be:
"AA:BB:CC:XX:XX:XX":mac01
Note that you need to add quotation marks because the MAC address contains the colon character, which is used in the CDB list.
I hope this helps. Let me know if you need any further information.
Regards
Md. Nazmur Sakib
The reason behind this is that the MAC address field is not mapped in the agent's logs. If the MAC address is present in the agent's log and the address is decoded, it can be used to match against the CDB list.
The logic of a CDB list is that you can use it to match any field of the alert and trigger an alert based on it. For agents, you need to use the IP address. If you have an issue with the IP address changing frequently, you can also use an IP subnet.
I hope you find this information helpful.
Regards
Md. Nazmur Sakib
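To illustrate both replies (why the MAC key must be quoted, and why the matched field has to exist in the decoded alert), here is an added Python model of the documented key:value format. It is example code written for this thread, not Wazuh's own CDB implementation; the list contents, the alert dictionaries and the field name srcmac are constructed assumptions.

```python
import re

# Constructed sample list in the documented key:value format. MAC keys are
# quoted because they contain the colon separator; the IP key needs no quotes.
SAMPLE_CDB_LIST = """\
"AA:BB:CC:11:22:33":mac01
"AA:BB:CC:44:55:66":mac02
10.0.0.5:suspicious-host
"""

# A line is either "quoted key":value or unquoted-key:value, where an unquoted
# key ends at the first colon. This mirrors the format described in the thread.
_LINE_RE = re.compile(r'^(?:"([^"]*)"|([^:]*)):(.*)$')


def parse_cdb_list(text):
    """Parse key:value lines into a dict. Only quoted keys may contain colons."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed CDB line: {raw!r}")
        key = m.group(1) if m.group(1) is not None else m.group(2)
        entries[key] = m.group(3)
    return entries


def match_key(cdb, decoded_value):
    """Return the list value for an exact key match, else None.
    The comparison is exact, so the decoded value must use the same
    case and separator style as the key stored in the list."""
    return cdb.get(decoded_value)


def list_rule_matches(cdb, alert, field):
    """Model of a rule that looks a decoded field up in the list (the field
    name is a constructed example). If the decoder never produced the field,
    there is nothing to compare and the rule cannot fire, which is the point
    made in the second reply."""
    value = alert.get(field)
    return value is not None and value in cdb


if __name__ == "__main__":
    cdb = parse_cdb_list(SAMPLE_CDB_LIST)
    print(match_key(cdb, "AA:BB:CC:11:22:33"))               # mac01
    # Unquoted MAC: the key is cut at the first colon, so the lookup fails.
    print(parse_cdb_list("AA:BB:CC:11:22:33:mac01"))         # {'AA': 'BB:CC:11:22:33:mac01'}
    print(list_rule_matches(cdb, {"srcip": "10.0.0.5"}, "srcmac"))  # False
```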