GeoLocation data in Integration component


Ramiro Fróes Ferrão

Nov 2, 2022, 11:19:50 AM
to Wazuh mailing list
Greetings,

I'd like to know if this is possible with the latest build of Wazuh or if there's any special configuration needed.

ossec.conf (Integrator configuration only)

<integration>
    <name>custom-integration</name>
    <level>4</level>
    <rule_id>81606</rule_id>
    <alert_format>json</alert_format>
</integration>


Ramiro Fróes Ferrão

Nov 2, 2022, 11:26:20 AM
to Wazuh mailing list
Also I've added this in local_internal_options.conf

analysisd.geoip_jsonout=1

Despite this (and even setting it directly in internal_options.conf), there were no changes, i.e. no GeoLocation data, shown in /var/ossec/logs/alerts/alerts.json

Facundo Dalmau

Nov 2, 2022, 2:15:36 PM
to Wazuh mailing list
Hi Ramiro,
Thanks for using Wazuh!

What is the use case you are trying to achieve with the Integration you are declaring?

Regards,
Facundo Dalmau

Ramiro Fróes Ferrão

Nov 2, 2022, 3:10:37 PM
to Wazuh mailing list
I'm trying to forward events from the aforementioned rule_id towards an external monitoring system using the Integrator component, although it's just an initial experiment for now. It would be useful for the JSON data handled by the custom-integration script to already have GeoLocation/GeoIP related information available considering it's already present in wazuh-alerts-4.x-xxxx.xx.xx index's _source.

Shouldn't the analysisd.geoip_jsonout option provide this for Integrator as well? Not sure what I should do next.

Facundo Dalmau

Nov 3, 2022, 8:23:46 AM
to Wazuh mailing list
Hi Ramiro,
Thanks for your reply!
Currently, the geolocation data is added to the alert at the Wazuh indexer level, after it has been processed by all decoders and rules, which limits the ability to create rules and decoders with geolocation conditions. That is the main reason, as you mentioned, that the geolocation data is not shown in /var/ossec/logs/alerts/alerts.json.
For the use case you mention, I suggest two options:
- Make your custom integration look for the geolocation data
- Create rules that can use geolocation, building Wazuh with the flag USE_GEOIP=yes. Since you have already set the option analysisd.geoip_jsonout, did you build Wazuh from sources including the GeoLite2 databases?

Regards,

Ramiro Fróes Ferrão

Nov 3, 2022, 8:51:02 AM
to Wazuh mailing list
Hi Facundo Dalmau,

Thank you for the feedback! I've already considered the first option, but I'd prefer if I didn't need to use other services for getting this data, if possible; as for the second one, no, I used the wazuh-install.sh script with the --all-in-one flag. Can you elaborate on this?

  • How do I recompile Wazuh and Geolite databases for rules to be compatible with GeoLocation?
  • What do I need to change in the rules for geo data to be available in alerts.json and custom Integrator scripts?

Best regards,

Facundo Dalmau

Nov 3, 2022, 2:47:59 PM
to Wazuh mailing list
Hi Ramiro,
Sure. You will have to reinstall Wazuh from sources, doing the following to include the GeoLite2 database:
  1. Install the libgeoip-dev library. Command: apt install libgeoip-dev
  2. Build the Wazuh version with the USE_GEOIP flag. Command: make TARGET=server USE_GEOIP=yes
  3. Install the Wazuh server version. Command: ./install.sh
  4. Download the GeoLite2 free databases; it is necessary to create an account. Choose the City version in CSV format, zipped. link.
  5. Download geolite2legacy.py to convert from the .CSV to the .DAT file (supported by Wazuh).
  6. Convert the GeoLite2-City-CSV to a DB file. Command: ./geolite2legacy.py -i GeoLite2-City-CSV_20220603.zip -f geoname2fips.csv -o GeoIP.dat
  7. Copy the converted GeoIP.dat DB inside the Wazuh directory. Command: cp GeoIP.dat /var/ossec/etc
The following steps are configuration settings:
- Enable USE_GEOIP in the ossec.conf file:

    <global>
        <geoipdb>/var/ossec/etc/GeoIP.dat</geoipdb>
    </global>

    <alerts>
        <use_geoip>yes</use_geoip>
    </alerts>

- Enable USE_GEOIP in the internal_options.conf file:
    analysisd.geoip_jsonout=1
    maild.geoip=1

Restart the Wazuh server and it should run without any ERROR message. At this point every generated alert that includes the srcip or dstip field will look up the srcgeoip or dstgeoip information in the GeoIP.dat database.

Let me know how it goes!
Regards
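Once the server is built with USE_GEOIP, the custom-integration script can read srcgeoip/dstgeoip straight from the alert that Integrator hands it. The script below is an added example, not Wazuh's code and not something posted in this thread; it assumes Integrator passes the alert file path as the first argument and that the GeoIP fields arrive as plain strings in the alert, and it flags alerts that show up without them (the symptom of a server built without GeoIP).

```python
#!/usr/bin/env python3
# Added example, not Wazuh's own code. Assumes Integrator passes the alert file
# path as argv[1] and that a USE_GEOIP build emits 'srcgeoip'/'dstgeoip' as
# plain strings in the alert (both assumptions, not verified against the page).
import json
import sys

WANTED_RULE = "81606"  # rule_id from the <integration> block in this thread
MIN_LEVEL = 4          # level from the same block

def parse_alert(text):
    """Parse the alert JSON written by Integrator; tolerate trailing newlines."""
    return json.loads(text.strip())

def geo_fields(alert):
    """GeoIP values analysisd adds; empty means no USE_GEOIP build or no DB hit."""
    data = alert.get("data", {})
    return {k: alert.get(k) or data.get(k)
            for k in ("srcgeoip", "dstgeoip") if alert.get(k) or data.get(k)}

def build_payload(alert):
    """Return the document to forward, or None when the alert is out of scope."""
    rule = alert.get("rule", {})
    if rule.get("id") != WANTED_RULE or int(rule.get("level", 0)) < MIN_LEVEL:
        return None
    data = alert.get("data", {})
    geo = geo_fields(alert)
    return {
        "timestamp": alert.get("timestamp"),
        "rule_id": rule.get("id"),
        "srcip": data.get("srcip"),
        "dstip": data.get("dstip"),
        "geo": geo,
        "geo_missing": not geo,  # lets the receiver spot a server without GeoIP
    }

# Constructed sample, shaped like an alerts.json entry after the GeoIP build.
SAMPLE_ALERT = json.dumps({
    "timestamp": "2022-11-04T12:00:00.000+0000",
    "rule": {"id": "81606", "level": 5},
    "data": {"srcip": "203.0.113.10", "dstip": "10.0.0.5"},
    "srcgeoip": "Example Country / Example City",
})

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERT
    payload = build_payload(parse_alert(text))
    print(json.dumps(payload, indent=2))  # replace with the POST to the monitor
```

Run without arguments it processes the constructed sample; installed as /var/ossec/integrations/custom-integration it would receive the real alert file from Integrator.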

Ramiro Fróes Ferrão

Nov 4, 2022, 1:19:16 PM
to Wazuh mailing list
Hi Facundo,

Thanks, it works. Just had to make some adjustments for CentOS (described below so it may help anybody else trying to do this):

  1. Installed GeoIP-devel, since no libgeoip-dev package is available for CentOS
  2. OK
  3. During install.sh USE_GEOIP was turned off again, so I just opted to hardcode it into install.sh (line 1128: ${MAKEBIN} TARGET=${INSTYPE} USE_GEOIP=yes... )
  4. OK
  5. OK
  6. OK
  7. OK
Everything else is good.

Best regards,

Facundo Dalmau

Nov 7, 2022, 6:41:03 AM
to Wazuh mailing list
Hi Ramiro,

Great to read that it worked properly.
Thanks for sharing the adjustments!

Regards