Geolocation rules

George Paun

Feb 21, 2025, 7:54:27 AM
to Wazuh | Mailing List
Hi guys,

I tried to make some custom rules that use geolocation/GeoIP, but I didn't find how to use it in rules.
I recompiled wazuh-manager with `make TARGET=server USE_GEOIP=yes`, I put in GeoIP.dat (after downloading it from GeoLite2) and I did these steps:
  • Enable USE_GEOIP in the ossec.conf file:

```xml
<global>
  <geoipdb>/var/ossec/etc/GeoIP.dat</geoipdb>
</global>
<alerts>
  <use_geoip>yes</use_geoip>
</alerts>
```

  • Enable USE_GEOIP in the internal_options.conf file:

```
analysisd.geoip_jsonout=1
maild.geoip=1
```

Can you show me a rule which I can try to use and modify?
I tried the rule below, but I get a syntax error because of the field name srcgeoip, and I don't know what mistake I made or how to use srcgeoip in a rule.

```xml
<rule id="170005" level="4">
    <if_group>authentication_failed|authentication_failures</if_group>
    <field name="win.eventdata.targetUserName">\.+</field>
    <field name="srcgeoip" type="pcre">^(?!RO|UK)$</field>
    <group>Login_fail</group>
    <description>failed to log in to $(win.eventdata.targetUserName) from outside Romania</description>
</rule>
```

Thanks so much for the help,
George

George Paun

Feb 21, 2025, 8:34:49 AM
to Wazuh | Mailing List
I tested it like this, but the rule still hasn't triggered.

```xml
<rule id="170005" level="4">
    <if_group>authentication_failed|authentication_failures</if_group>
    <field name="win.eventdata.targetUserName">\.+</field>
    <field name="location" negate="yes">^RO$</field>
    <group>Login_fail</group>
    <description>failed to log in to $(win.eventdata.targetUserName) from outside Romania</description>
</rule>
```

```xml
<rule id="170005" level="4">
    <if_group>authentication_failed|authentication_failures</if_group>
    <field name="win.eventdata.targetUserName">\.+</field>
    <field name="geoip.country_name" negate="yes">^Romania$</field>
    <group>Login_fail</group>
    <description>failed to log in to $(win.eventdata.targetUserName) from outside Romania</description>
</rule>
```

How can I make it work?

Federico Gustavo Caffieri

Feb 21, 2025, 11:47:35 AM
to Wazuh | Mailing List
The Wazuh server has a built-in localization feature provided by the GeoIP library.

Refs:
- Makefile options, Available flags [link](https://documentation.wazuh.com/current/development/makefile.html?highlight=use_geoip#available-flags)
- Alerts, use_geoip [link](https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/alerts.html?highlight=use_geoip#use-geoip)
- Rule Syntax, srcgeoip and dstgeoip [link](https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html?highlight=dstgeoip#dstgeoip)

This feature is not enabled by default and is not recommended due to its complex approach, meaning users need to enable, compile, and package it themselves.

To enable this feature, you must build Wazuh with the flag `USE_GEOIP=yes`. It also requires a GeoIP database: we support the legacy MaxMind GeoLite format, while the updated and maintained databases use the new GeoLite2 format, so it should be converted to the legacy format using an external tool.

Steps to include the GeoLite2 database in the Wazuh build:
- Install the libgeoip-dev library, e.g. on Ubuntu:
```bash
apt install libgeoip-dev
```

- Install the manager from source ([doc here](https://documentation.wazuh.com/current/deployment-options/wazuh-from-sources/wazuh-server/index.html)) but compile it with the USE_GEOIP flag, that is:

```bash
make TARGET=server USE_GEOIP=yes
```

- Download the free GeoLite2 databases (creating an account is required). Choose the City version in CSV format, zipped. [link](https://dev.maxmind.com/geoip/geolite2-free-geolocation-data)
- Download [geolite2legacy.py](https://github.com/sherpya/geolite2legacy) to convert the .CSV files into a .DAT file (the format supported by Wazuh).
- Convert the GeoLite2-City-CSV archive to a DB file. Command:

```bash
./geolite2legacy.py -i GeoLite2-City-CSV_20220603.zip -f geoname2fips.csv -o GeoIP.dat
```

- Copy the converted GeoIP.dat DB into the Wazuh directory. Command:

```bash
cp GeoIP.dat /var/ossec/etc
```


The following steps are configuration settings.
  - Enable USE_GEOIP in the ossec.conf file:

```xml
<global>
    <geoipdb>/var/ossec/etc/GeoIP.dat</geoipdb>
</global>

<alerts>
    <use_geoip>yes</use_geoip>
</alerts>
```

  - Enable USE_GEOIP in the internal_options.conf file:

```
analysisd.geoip_jsonout=1
maild.geoip=1
```

  - Restart the Wazuh server; it should run without any ERROR message. At this point the functionality is enabled: every generated alert that includes the srcip or dstip field will look up the srcgeoip or dstgeoip information in the GeoIP.dat database.
  - Then you could create a rule like the following, which will ignore rule 81614 when the srcip is from the USA:

```xml
<!-- Level 0 child of rule 81614: suppresses the parent alert
     when the source IP geolocates to the United States -->
<rule id="100014" level="0">
    <if_sid>81614</if_sid>
    <srcgeoip>United States</srcgeoip>
    <description>Ignore US srcip.</description>
</rule>
```


Please confirm that you did all these steps, that GeoIP is enabled, and that the GeoIP database is set up.
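The rule George asked for, written with the `srcgeoip` rule option instead of a `<field name="srcgeoip">` match (srcgeoip is a rule option, not a decoded field, which is why the `<field>` form raises a syntax error), as an added example that is not part of this thread or of the Wazuh ruleset. The rule id 100100, the group names, the file path in the comment, and the use of the `negate` attribute on `srcgeoip` are my assumptions; verify the attribute against the rules syntax reference for the Wazuh version you built. The legacy database returns country names, so the rule matches "Romania" rather than the ISO code RO used in the first attempt.

```xml
<!-- Added example for /var/ossec/etc/rules/local_rules.xml (assumed path).
     Requires a manager built with USE_GEOIP=yes, <use_geoip>yes</use_geoip>
     in ossec.conf and a GeoIP.dat in place, as described in the post above. -->
<group name="local,geoip,">

  <!-- Authentication failures whose source IP geolocates outside Romania.
       Fires only for events where the decoder populated srcip, because that
       is the field analysisd resolves into srcgeoip. -->
  <rule id="100100" level="8">
    <if_group>authentication_failed|authentication_failures</if_group>
    <!-- negate="yes" on srcgeoip is assumed to be supported by the Wazuh
         version in use; check the rules syntax reference for yours.
         The value is matched as a substring of the country name. -->
    <srcgeoip negate="yes">Romania</srcgeoip>
    <description>Authentication failure from a source IP outside Romania</description>
    <group>login_fail,</group>
  </rule>

</group>
```

Before relying on the negation, feed a real failed-login event (for example an sshd "Failed password" line, whose decoder sets srcip) through /var/ossec/bin/wazuh-logtest and confirm the output shows a srcgeoip value. Events with no decoded srcip, or from addresses the database does not resolve (private ranges), carry no source country, and how a negated srcgeoip treats those should be checked with wazuh-logtest rather than assumed.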