Compilation:

1. Clean up external dependencies: `cd $WAZUH_REPO && make --directory=src clean`
2. Install dependency in Ubuntu: `apt install libgeoip-dev`
3. Compile with USE_GEOIP flag: `make --directory=src -j16 USE_GEOIP=yes TARGET=server DEBUG=yes`
4. Run `./install.sh` :joy:

Database:

1. Download the GeoIP database from MaxMind. The only one that works is GeoLite2 City: CSV Format. Wazuh only supports the old format (Legacy), so it must be converted. To do this, clone this repo: `git clone https://github.com/sherpya/geolite2legacy`
2. Install the dependency: `pip3 install ipaddr`
3. Use the tool to convert the database: `./geolite2legacy.py -i ../GeoLite2-City-CSV_20201006.zip -f geoname2fips.csv -o GeoIP.dat`
4. Copy the converted db: `cp GeoIP.dat /var/ossec/etc`
5. Add the following line to the global section of ossec.conf: `<geoipdb>/var/ossec/etc/GeoIP.dat</geoipdb>` (the db loads before it's jailed)

Then test with this log:

```
May 1 16:17:43 owl sshd[9024]: Accepted publickey for root from 200.16.16.1 port 37384 ssh2
```

It should output something like:

```
**Phase 2: Completed decoding.
decoder: 'sshd'
dstuser: 'root'
srcip: '200.16.16.1'
srcgeoip: 'AR / Cordoba' <<<<<< Here is the GEOIP
```
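As an added example (not part of the original comment or of Wazuh itself), a small check that parses the "Phase 2" decoder output above together with the `<global>` section of ossec.conf and reports why GeoIP enrichment might be missing. Both the config fragment and the logtest output are constructed samples taken from the steps above; `check_geoip` and the other names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <global> section as configured in step 5 above.
# Real ossec.conf files may hold several <ossec_config> blocks; this sample has one.
OSSEC_CONF = """<ossec_config>
  <global>
    <geoipdb>/var/ossec/etc/GeoIP.dat</geoipdb>
  </global>
</ossec_config>"""

# Constructed sample: decoding output for the sshd test log line.
LOGTEST_OUTPUT = """**Phase 2: Completed decoding.
decoder: 'sshd'
dstuser: 'root'
srcip: '200.16.16.1'
srcgeoip: 'AR / Cordoba'"""

FIELD_RE = re.compile(r"^\s*(\w+):\s*'(.*)'\s*$")   # lines of the form  key: 'value'
GEOIP_RE = re.compile(r"^[A-Z]{2} / .+$")           # legacy db output: 'COUNTRY / City'

def geoipdb_path(conf_xml):
    """Return the <geoipdb> value inside <global>, or None when it is not configured."""
    node = ET.fromstring(conf_xml).find("./global/geoipdb")
    return node.text.strip() if node is not None and node.text else None

def parse_phase2(output):
    """Collect the decoded fields ("decoder", "srcip", "srcgeoip", ...) into a dict."""
    fields = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def check_geoip(conf_xml, output, expected_srcip):
    """Return a list of problems; an empty list means GeoIP enrichment is working."""
    problems = []
    if geoipdb_path(conf_xml) is None:
        problems.append("no <geoipdb> in <global>")
    fields = parse_phase2(output)
    if fields.get("srcip") != expected_srcip:
        problems.append(f"srcip not decoded as {expected_srcip}: {fields.get('srcip')!r}")
    geo = fields.get("srcgeoip")
    if geo is None:
        problems.append("srcgeoip missing: build with USE_GEOIP=yes or check the db path")
    elif not GEOIP_RE.match(geo):
        problems.append(f"srcgeoip has unexpected shape: {geo!r}")
    return problems

if __name__ == "__main__":
    print(check_geoip(OSSEC_CONF, LOGTEST_OUTPUT, "200.16.16.1"))  # []
```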