how to enable GeoIp for alert generated by custom rules in Wazuh 4.7.3


mauro....@cmcc.it

Mar 26, 2024, 5:55:25 AM
to Wazuh | Mailing List
Dear Users,

recently I created a custom decoder and related rules and they work as expected now (thanks to Wazuh support).

Now, I would like to add GeoIp information for each srcip field captured by the rules.

Could you please help me to achieve this goal?

Please note that Wazuh v.4.7.3 has been installed using the quick installation bash script and I can't start from the beginning compiling the source code.

Is there any way to enable the GeoIp info in a simpler way?

Thank you in advance,
Mauro

Sebastian Falcone

Mar 26, 2024, 6:24:30 AM
to Wazuh | Mailing List
Hello, how are you doing?

Unfortunately, it's the only way. Installing from sources will perform an upgrade over your existing environment, so it should be straightforward.

Here you can find the documentation on how to install by sources:
And here the options for the makefile (including the geoIp flag):

mauro....@cmcc.it

Mar 26, 2024, 6:52:55 AM
to Wazuh | Mailing List
Good morning Sebastian,

many thanks for your very fast reply. I'm really fine, thanks. I hope that you are doing well :)
I would like to ask some questions before starting with the manual update:

0) I just tried to install the needed packages but I received this error:

apt-get install python gcc g++ make libc6-dev curl policycoreutils automake autoconf libtool libssl-dev
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Package python is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
  2to3 python2-minimal python2 dh-python python-is-python3

E: Package 'python' has no installation candidate

1) once we fix the issue above, do I need to update (compiling from source) only the manager?
2) will everything else be preserved?

Thank you in advance,
Mauro

mauro....@cmcc.it

Mar 26, 2024, 10:06:45 AM
to Wazuh | Mailing List
Hi Sebastian,

this is to inform you that I found the way to successfully complete the update of the manager (only the manager) from source.
Now I can see the GeoIP info in the Wazuh "security events" dashboard (as you can see from the attached picture).

Screenshot 2024-03-26 at 15.03.43.png

So, we can say that it is almost done. I only need to add some GeoIP information about the City (now, I can see only the Country).

Is there anything I can do to have also this information in the security events page?

Thank you in advance,
Mauro

Sebastian Falcone

Mar 27, 2024, 5:09:50 AM
to Wazuh | Mailing List
> many thanks for your very fast reply. I'm really fine, thanks. I hope that you are doing well :)
Doing great here! Glad to know you are good.

Given that you solved the installation process, let's see about your other inquiry.

I was checking the template we use for the indexing of events (/etc/filebeat/wazuh-template.json) and the city name should be indexed, can we check the json format and see the fields in it?

Sebastian Falcone

Mar 27, 2024, 5:10:31 AM
to Wazuh | Mailing List
The field is under GeoLocation -> city_name

cat wazuh-template.json | grep city
      "GeoLocation.city_name",
          "city_name": {

mauro....@cmcc.it

Mar 27, 2024, 5:30:04 AM
to Wazuh | Mailing List
Good morning Sebastian,

many thanks for your reply.
This is the output of the "cat" command:

cat /etc/filebeat/wazuh-template.json|grep city
      "GeoLocation.city_name",
          "city_name": {

I would like to inform you that I added these lines to the local_internal_options.xml file:

analysisd.geoip_jsonout=1
maild.geoip=1

I noticed that now for some particular alert I can see the city field:

Screenshot 2024-03-27 at 10.17.15.png

But some city fields don't reflect the real location (there are some well-known IP locations that don't match the real location).
I already tried to update the MaxMind GeoLite DB, but without any interesting change.

Anyway, the last issue seems to be partially solved. I can have the city field, but it is not the right value (in some cases).

Thank you in advance for your help.
Mauro

Hatem

Mar 29, 2024, 1:31:48 AM
to mauro....@cmcc.it, Wazuh | Mailing List
Mauro

Here everyone shares knowledge.


mauro....@cmcc.it

Mar 29, 2024, 12:34:51 PM
to Wazuh | Mailing List
Hi Hatem,

in order to provide you the info you need, I should parse every case I created here in the community; I should re-read and summarize them (there are cases about the decoders, rules, fixes, ossec.conf and so on...). Unfortunately, I don't have the time to do it now.
All the information you need, all the cases I created, are there; they are not hidden, they are shared. When I need to solve a problem, I take a look at the cases of other users and if I don't understand (I'm still a newbie) I open a case by myself.
Official documentation, your own searches, Wazuh guys and existing cases will help you for sure.

Why don't you open a case as I did? Wazuh guys are very kind and professional.

Please, stop asking me to share the steps for GeoIP. The steps you need are here, in the cases I created.
If you need to summarize them, it's up to you.

In any case, you can start from here:

In order to have GeoIp info in your custom rule, it is necessary to install Wazuh from sources and then compile it with TARGET=server USE_GEOIP=yes.

    # install build dependencies (RHEL/CentOS family)
    yum install make cmake gcc gcc-c++ python3 python3-policycoreutils automake autoconf libtool
    # fetch and unpack the sources
    curl -Ls https://github.com/wazuh/wazuh/archive/v4.1.5.tar.gz | tar zx
    cd wazuh-*
    cd src
    # build the manager with GeoIP support enabled
    make deps
    make TARGET=server USE_GEOIP=yes
    cd ../
    ./install.sh

Then you will need to add a database with the GeoIP information, you can see how it's done here: https://github.com/wazuh/wazuh/issues/4053#issuecomment-541069384
Finally, you will need to configure the email and wazuh as you got it before. Remember to add at /var/ossec/etc/local_internal_options.conf:

analysisd.geoip_jsonout=1
maild.geoip=1

And in /var/ossec/etc/ossec.conf you will need to add:

<global>
  ...
  ...
  <geoipdb>/var/ossec/etc/GeoIP.dat</geoipdb>
</global>
<alerts>
  ...
  ...
  <use_geoip>yes</use_geoip>
</alerts>

Regards.
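As an added illustration (not part of this thread and not Wazuh project code), the following Python checks the four settings listed in the post above and reports how far a batch of alerts was actually enriched; the config fragments and alerts.json lines are constructed samples, and the real files would be read from /var/ossec/etc and /var/ossec/logs/alerts.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample fragments mirroring the two files named in the post
# (/var/ossec/etc/ossec.conf and local_internal_options.conf); not real configs.
OSSEC_CONF = """<ossec_config>
  <global>
    <geoipdb>/var/ossec/etc/GeoIP.dat</geoipdb>
  </global>
  <alerts>
    <use_geoip>yes</use_geoip>
  </alerts>
</ossec_config>"""
INTERNAL_OPTIONS = "analysisd.geoip_jsonout=1\nmaild.geoip=1\n"
# Constructed alerts.json lines: city enriched, country-only, and not enriched (private IP).
ALERTS = [
    '{"rule":{"id":"100010"},"data":{"srcip":"203.0.113.5"},'
    '"GeoLocation":{"country_name":"Italy","city_name":"Lecce"}}',
    '{"rule":{"id":"100010"},"data":{"srcip":"198.51.100.9"},'
    '"GeoLocation":{"country_name":"Germany"}}',
    '{"rule":{"id":"100011"},"data":{"srcip":"10.0.0.7"}}',
]

def check_geoip_config(ossec_conf, internal_options):
    """Return the GeoIP settings still missing (empty list means all four are set)."""
    missing = []
    # ossec.conf may hold several <ossec_config> blocks, so wrap it in one root first.
    root = ET.fromstring("<root>" + ossec_conf + "</root>")
    if not root.findtext(".//global/geoipdb"):
        missing.append("global/geoipdb")
    if (root.findtext(".//alerts/use_geoip") or "").strip().lower() != "yes":
        missing.append("alerts/use_geoip")
    opts = dict(re.findall(r"^\s*([\w.]+)\s*=\s*(\S+)", internal_options, re.M))
    for key in ("analysisd.geoip_jsonout", "maild.geoip"):
        if opts.get(key) != "1":
            missing.append(key)
    return missing

def geoip_coverage(alert_lines):
    """Count alerts by enrichment level; a wrong city is MaxMind data, not a config gap."""
    counts = {"city": 0, "country_only": 0, "none": 0}
    for line in alert_lines:
        geo = json.loads(line).get("GeoLocation", {})
        if geo.get("city_name"):
            counts["city"] += 1
        elif geo.get("country_name"):
            counts["country_only"] += 1
        else:
            counts["none"] += 1
    return counts
```

A non-empty list from check_geoip_config explains missing GeoLocation fields; a high country_only count with all settings present points at the database itself.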

Message has been deleted

Sebastian Falcone

Apr 5, 2024, 6:21:58 AM
to Wazuh | Mailing List
Hello Mauro, my answer got deleted unfortunately.

Maybe you should submit data corrections to MaxMind itself https://www.maxmind.com/en/geoip-data-correction-request, we are using their database as a resource so it's on their side.

Sebastian Falcone

Apr 8, 2024, 3:42:31 AM
to Wazuh | Mailing List
Hello Mauro

From what I was able to investigate, you must go to this page (https://www.maxmind.com/en/geoip-location-correction) and upload the correction for the IP (or IP ranges) that you found.