Possibility of GEO Location based rule on Wazuh


Ranjith Kesavan

Jun 7, 2020, 2:14:16 AM
to Wazuh mailing list
Team, 

We are running Wazuh version 12.3 in our production environment. We have a requirement where Wazuh should create an alert when the traffic is generated from some blacklisted locations. I do understand that GEO-IP enrichment is performed on the Logstash/Ingest pipeline, which is way after Wazuh has processed the rule. Is there any option to enrich the logs with Geo data at decoder/rule level so that we can create rules based on Geo-Location? I would appreciate it if anyone could suggest any other options within Wazuh.


Thank you,
Ranjith Kesavan

Daniel Melgarejo

Jun 8, 2020, 3:49:00 AM
to Wazuh mailing list
Hello Ranjith Kesavan

There are a series of steps to activate the Geo data:

1a) Install GeoIP library:
DEB
sudo apt-get install libgeoip-dev
 
RPM
sudo yum install GeoIP-devel
1b) Download wazuh repository. Then, execute the following commands:

cd wazuh/src
# make clean && make clean-deps
# make deps
# make TARGET=server USE_GEOIP=yes
# ../install.sh

2) Here you can download the GeoLite2 free databases. I tried the City version in CSV format, zipped. There are others that you can try.

3) I can confirm that the geolite2legacy repository works on converting from the current format to a legacy (supported by Wazuh) database file. You should copy the GeoLite2-City-CSV file to the geolite2legacy source directory and then convert the DB with the command above:
./geolite2legacy.py -i GeoLite2-City-CSV_20191008.zip -f geoname2fips.csv -o GeoIP.dat

Then copy the converted GeoIP DB inside the Wazuh directory:
cp GeoIP.dat /var/ossec/etc/

4) Add the following lines to /var/ossec/etc/local_internals_options.conf (Wazuh manager):
analysisd.geoip_jsonout=1
maild.geoip=1

5) Add the following lines to /var/ossec/etc/ossec.conf (Wazuh manager):

<global>
    ...
    ...
    <geoipdb>/var/ossec/etc/GeoIP.dat</geoipdb>
</global>
<alerts>
    ...
    ...
    <use_geoip>yes</use_geoip>
</alerts>
6) Restart:

/var/ossec/bin/ossec-control restart

Using this configuration, we will see geodata in the alerts. I think the geolocation is calculated from the srcip or dstip fields (fields extracted by the decoder).

**Phase 2: Completed decoding.
       decoder: 'sshd'
       dstuser: 'root'
       srcip: '2.136.147.146'
       srcgeoip: 'ES / Catalonia'  <----------- Wazuh GeoIP DB field
       srcport: '1055'

**Phase 3: Completed filtering (rules).
       Rule id: '100011'
       Level: '15'
       Description: 'Log attempt from ES / Catalonia'
**Alert to be generated.

There is a static filter related to geoip that can be used in a rule: different_srcgeoip. However, more static filters related to geoip will be added from Wazuh 3.13 on: same_srcgeoip, same_dstgeoip and different_dstgeoip.


I hope you find this information useful.

Regards,
Daniel
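The thread shows the GeoIP field (srcgeoip) reaching the rule engine and a rule that fires on it, but not the rule itself. Below is an added example of a local ruleset that does what the original question asks for: alert whenever an sshd event originates from a blacklisted location, and additionally flag a user who authenticates from two different geolocations in a short window using the different_srcgeoip filter the reply mentions. This is not code from the thread or from the Wazuh project; the rule IDs (100011/100012), the country codes in the blacklist and the frequency/timeframe values are constructed placeholders, and the exact availability of the srcgeoip rule option and the different_srcgeoip filter depends on the Wazuh version you build (the reply notes that more geoip filters arrive with 3.13).

```xml
<!-- Added example: /var/ossec/etc/rules/local_rules.xml on the Wazuh manager.
     Requires the manager to have been built with USE_GEOIP=yes and
     <use_geoip>yes</use_geoip> set in ossec.conf, as described in the thread.
     The srcgeoip value has the shape "CC / Region" (e.g. "ES / Catalonia"),
     so anchoring on "^CC / " matches a whole country. -->
<group name="local,geoip,">

  <!-- Rule 1: any sshd event whose source IP resolves to a blacklisted country.
       "XX" and "YY" are placeholder ISO country codes; replace them with the
       locations your policy blacklists. sregex "|" separates alternatives. -->
  <rule id="100011" level="12">
    <if_group>sshd</if_group>
    <srcgeoip>^XX / |^YY / </srcgeoip>
    <description>sshd: event from blacklisted geolocation</description>
    <group>attack,pci_dss_10.2.4,</group>
  </rule>

  <!-- Rule 2: impossible-travel style check. Two successful authentications
       for the same user from different geolocations within 10 minutes
       (frequency/timeframe values are constructed for the example). -->
  <rule id="100012" level="10" frequency="2" timeframe="600">
    <if_matched_group>authentication_success</if_matched_group>
    <same_user />
    <different_srcgeoip />
    <description>Same user authenticated from two different geolocations within 10 minutes</description>
    <group>multiple_geoip,</group>
  </rule>

</group>
```

After restarting the manager, paste a sample sshd line into /var/ossec/bin/ossec-logtest and confirm Phase 2 prints a srcgeoip field and Phase 3 reports rule 100011 (or 100012 on the second event for the same user); if Phase 2 shows no srcgeoip at all, the GeoIP build flag or the geoipdb path from the earlier steps is the thing to recheck, not the rule.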

Ranjith Kesavan

Jun 10, 2020, 3:25:10 AM
to Wazuh mailing list
Hi Daniel, 

Thanks for the response. I will try this and update you with the results. I should say that Wazuh has the best community support among all products I have worked on. You guys are awesome.


Thank you,
Ranjith.

Daniel Melgarejo

Jun 15, 2020, 2:38:37 AM
to Wazuh mailing list
Hi Ranjith,

Thanks for your comment and thanks for using Wazuh. The real protagonists are you all! We will continue to strive to support the community and to become more and more numerous.

Regards,
Daniel