active response if IP address in AWS VPC Flow Log in IP blacklist?


Neil M

Apr 10, 2024, 9:22:30 AM
to Wazuh | Mailing List
I have successfully setup AWS VPC Flow Logs with Wazuh (messages show up in alerts.log)

I would like to perform an active response (firewall block) if aws.srcaddr exists in an IP blocklist (such as alienvault), however I'm not sure how to accomplish this


How do I configure a rule to do this? This is what I have:

<group name="attack,">
  <rule id="100100" level="10">
    <!-- Look the source address of the flow-log event up in the bundled AlienVault CDB list -->
    <list field="aws.srcaddr" lookup="address_match_key">etc/lists/blacklist-alienvault</list>
    <description>IP address found in AlienVault reputation database</description>
  </rule>
</group>


thanks

Neil

Federico Ramos

Apr 11, 2024, 10:04:56 AM
to Wazuh | Mailing List
Hi Neil

Try using "data.aws.srcaddr" in the list tag. Also, if you want to test your rules, you can use https://documentation.wazuh.com/current/user-manual/ruleset/testing.html.
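For reference, here is a complete configuration that wires the lookup rule from the question to an active response. This is an added example, not configuration from either poster or from the Wazuh project. It assumes the default manager layout (the `etc/lists/blacklist-alienvault` list that ships with Wazuh, the rule going into `/var/ossec/etc/rules/local_rules.xml`, the rest into `/var/ossec/etc/ossec.conf`). The thread gives two spellings of the field (`aws.srcaddr` and `data.aws.srcaddr`); the example uses `aws.srcaddr`, the form Wazuh's bundled AWS rules use for fields such as `aws.source`, and `wazuh-logtest` is the way to confirm which one decodes on your manager. The `amazon` parent group is the group those bundled AWS rules belong to, so the rule only fires on AWS events instead of being evaluated against every log.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (added example, not from the thread) -->
<group name="aws,attack,">
  <rule id="100100" level="10">
    <!-- Only evaluate as a child of the bundled AWS rules (group "amazon") -->
    <if_group>amazon</if_group>
    <!-- Field name as spelled in the question; confirm with wazuh-logtest -->
    <list field="aws.srcaddr" lookup="address_match_key">etc/lists/blacklist-alienvault</list>
    <description>AWS VPC Flow Log source address found in AlienVault reputation list</description>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf (relevant fragments only; added example) -->
<ossec_config>
  <ruleset>
    <!-- The CDB list must be declared here for <list> lookups to work;
         the default ossec.conf already contains this line -->
    <list>etc/lists/blacklist-alienvault</list>
  </ruleset>

  <!-- Command definition: the stock firewall-drop script shipped with Wazuh -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Trigger the command when rule 100100 fires; "local" runs it on the
       manager itself, and the block is lifted again after 600 seconds -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Two practical caveats before relying on this. First, the stock `firewall-drop` script takes the address to block from the alert's `srcip` field, and a VPC Flow Log event carries its address in `aws.srcaddr` instead, so with this configuration the script is invoked but has no `srcip` to act on; an active response for flow-log data needs a custom script that reads `aws.srcaddr` from the alert JSON it receives on stdin. Second, `firewall-drop` adds a rule to the host firewall of the machine it runs on, which does nothing to traffic inside the VPC; a useful response there would have to act on the VPC side (for example by updating a network ACL or security group), which is again a custom script. Until then, the rule alone still gives you a level-10 alert for every flow from a listed address, which you can verify by pasting a decoded flow-log line into `/var/ossec/bin/wazuh-logtest` and checking that rule 100100 appears in the output.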