Unable to perform domain blacklisting using cdb list


Nidhi Soni

Jul 25, 2023, 10:32:23 PM
to Wazuh mailing list

Hi,

I am using Wazuh version 4.3.7.
I want to detect malicious domains using a CDB list in Wazuh.

I have a list named malicious-domain on the manager at /var/ossec/etc/lists. I have added entries like:

www.example.com:

In ossec.conf on the manager I have added the line below:
<list>etc/lists/malicious-domain</list>

I have added the rule below in /var/ossec/etc/rules/local_rules.xml:
<rule id="100012" level="10">
    <if_group>audit|attack|attacks|web</if_group>
    <list field="url" lookup="match_key_value">etc/lists/malicious-domain</list>
    <description>DOMAIN blacklist</description>
</rule>

After restarting the manager, the malicious-domain.cdb file is present and there are no errors in ossec.log.

I have an Ubuntu 20.04 endpoint registered as a Wazuh agent. I am trying to access the domain using my Firefox browser, but I am not getting the alerts.

Emmanuel Sadiq

Jul 26, 2023, 3:17:22 AM
to Wazuh mailing list
Hello Nidhi Soni,
Thank you for using Wazuh.
You can add entries to a CDB list as key:value pairs or as key: only. In your scenario, you have chosen the latter, as shown in your malicious-domain file:
www.example.com:
To get a positive key match, use the lookup="match_key" attribute, which searches for the key stored in the field attribute and matches if it is present in the database.
However, you are using the lookup="match_key_value" attribute, which searches for the key stored in the field attribute and, on a positive match, processes the returned value of the key using the regex in the check_value attribute.
A working and updated version of your rule definition is provided below:
<rule id="100012" level="10">
    <if_group>audit|attack|attacks|web</if_group>
    <list field="url" lookup="match_key">etc/lists/malicious-domain</list>
    <description>DOMAIN blacklist</description>
</rule>
Follow the Using CDB lists documentation for detailed information on this subject. Let me know if you find this information helpful.

Emmanuel Sadiq

Jul 26, 2023, 3:24:56 AM
to Wazuh mailing list
For the rule, kindly see the definition below:

<rule id="100012" level="10"> 
       <if_group>audit|attack|attacks|web</if_group> 
       <list field="url" lookup="match_key">etc/lists/malicious-domain</list> 
       <description>DOMAIN blacklist</description> 
</rule>

Thank you. 
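To make the difference between the two lookup modes concrete, here is a small Python model of a CDB list source file and of the match_key / match_key_value lookups as described in the replies above. This is an added illustration, not Wazuh's own code; the sample list contents are constructed, and the handling of match_key_value without a check_value is an assumption made for the model.

```python
import re

# Constructed sample in the same format as /var/ossec/etc/lists/malicious-domain:
# one "key:value" entry per line; a trailing ":" with nothing after it is a
# key-only entry (as in the thread's www.example.com: line).
SAMPLE_LIST = """\
www.example.com:
bad.example.net:phishing
evil.example.org:malware
"""


def parse_cdb_source(text):
    """Parse key:value lines into a dict; key-only entries get an empty value.

    Assumed behaviour for this model: the first ':' separates key from value,
    surrounding whitespace is ignored, and a line without ':' is rejected."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"not a key:value entry: {line!r}")
        key, _, value = line.partition(":")
        entries[key.strip()] = value.strip()
    return entries


def lookup(entries, lookup_mode, field_value, check_value=None):
    """Model the two lookup modes for a rule's <list field="url" ...> element.

    match_key        -> True if the field value exists as a key in the list.
    match_key_value  -> True if the key exists AND the stored value matches the
                        check_value regex. With no check_value there is nothing
                        to compare, so this model returns False (assumption)."""
    if field_value not in entries:
        return False
    if lookup_mode == "match_key":
        return True
    if lookup_mode == "match_key_value":
        if check_value is None:
            return False
        return re.search(check_value, entries[field_value]) is not None
    raise ValueError(f"unknown lookup mode: {lookup_mode}")
```

Running the model with the thread's key-only entry shows why match_key fires while match_key_value does not: the stored value for www.example.com is empty, so there is nothing for a check_value regex to match.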

Nidhi Soni

Jul 26, 2023, 10:44:37 AM
to Wazuh mailing list
Hi,
I tried the above rule, but I still didn't receive the alerts for the blacklisted domain.

Emmanuel Sadiq

Jul 26, 2023, 11:21:20 AM
to Nidhi Soni, Wazuh mailing list
Hello,

You can verify your configuration and ensure that you restart Wazuh-Manager after applying the configuration. Kindly share the log you receive after accessing the domains in your browser.

I hope this is helpful. 

--
Emmanuel Sadiq
Technical Writer, Wazuh

Nidhi Soni

Jul 27, 2023, 12:53:21 AM
to Wazuh mailing list
Hi,
I had restarted the Wazuh manager; there are no error logs on either the agent or the manager. I am not getting logs after accessing the domains in the browser. I have checked ossec.log, archives.log and alerts.log on the manager, and also ossec.log on the agent.

Emmanuel Sadiq

Jul 27, 2023, 2:51:28 AM
to Nidhi Soni, Wazuh mailing list

Hello Nidhi Soni,

Wazuh analyzes logs to generate security alerts. If there are no logs, then expect no alerts.
Kindly tell us how you are monitoring the logs of the server whose domain you plan to blacklist. If your server logs are properly monitored, you can enable the Wazuh archives on the Wazuh server to see the logs that are coming in.

After enabling the Wazuh archives, kindly access the domain again and you should see the logs from that event.

Kindly share this log with us.

Waiting for your feedback in this regard.


Nidhi Soni

Aug 9, 2023, 8:01:04 AM
to Wazuh mailing list
Hi,

I am monitoring the logs below:
firewall.log
daemon.log
audit.log
kernel.log
mail.log
authpriv.log
kern.log
dpkg.log
syslog
auth.log
Which logs can I analyze to get the alerts for the domain?

Emmanuel Sadiq

Aug 9, 2023, 8:58:19 AM
to Nidhi Soni, Wazuh mailing list
Hello Nidhi,

Thank you for using Wazuh.
You can analyze firewall.log to get domain alerts.

Best regards


Diksha Bhargava

Aug 22, 2023, 11:56:54 AM
to Wazuh mailing list
Hi,
I tried logging the entries in firewall.log using a domain name in this iptables command, "iptables -A INPUT -p TCP --dport 1614 -s www.google.com -j ACCEPT", but I am not able to get the domain name in the firewall logs.
I am getting logs for the IP only.

Emmanuel Sadiq

Aug 24, 2023, 5:21:05 AM
to Diksha Bhargava, Wazuh mailing list
Hello Diksha,
If I understand you correctly, you want to block users from accessing some specified sites?

Regards.

Diksha Bhargava

Aug 24, 2023, 7:55:16 AM
to Wazuh | Mailing List
Hi, yes, but currently I am trying to detect whether a malicious domain has been accessed on the system through the browser.

Emmanuel Sadiq

Aug 24, 2023, 11:49:23 AM
to Diksha Bhargava, Wazuh | Mailing List
Hello Diksha,

Thank you for using Wazuh. Currently Wazuh doesn’t have WAF capabilities. You can set the blacklisted domains on your firewall and forward the logs to Wazuh. 

I hope this helps. 