IP Blocking


Satwika sree

Sep 25, 2023, 8:18:31 AM
to Wazuh | Mailing List
Hi Team,

I'm currently working with the CDB list. I've created a list of blocked IP addresses in the CDB list path and created rules for it, which are working fine. However, currently, it's only set up for detection, but I want to automatically block those IP addresses when they are detected. 

Could you please provide guidance on how to achieve this?


Thanks & Regards,
Satwika.

Nicolas Alejandro Bertoldo

Sep 25, 2023, 8:35:17 AM
to Wazuh | Mailing List
Hi Satwika, 

I hope you are doing well.
You can do this using Active response. In the following link you will find a guide on how to block malicious IP addresses:

Blocking a known malicious actor

Please let me know if you have any further questions.
Regards
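
As an added illustration of the Active Response approach suggested above (not part of the original thread and not copied from the linked guide), this manager-side configuration binds the stock `firewall-drop` command to a CDB-list rule. The rule ID `100100`, the list path `etc/lists/blocked-ips`, the `if_group` value and the 600-second timeout are assumed placeholder values.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml on the Wazuh manager -->
<!-- Detection rule: fires when the decoded srcip matches a key in the CDB list. -->
<!-- Rule ID, group name and list path are placeholders for your own values. -->
<group name="blocked_ip,">
  <rule id="100100" level="10">
    <if_group>web</if_group>
    <list field="srcip" lookup="address_match_key">etc/lists/blocked-ips</list>
    <description>Source IP address found in the blocked-IP CDB list.</description>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf on the Wazuh manager -->
<ossec_config>
  <ruleset>
    <!-- Register the CDB list so the rule above can reference it. -->
    <list>etc/lists/blocked-ips</list>
  </ruleset>

  <!-- firewall-drop ships with Wazuh; this block is usually already present. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Response: when rule 100100 fires, drop the source IP on the agent -->
  <!-- that reported the event, and remove the block after 600 seconds. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

`firewall-drop` acts on the `srcip` field of the alert, so the rule must fire on events where that field is decoded. Restart the Wazuh manager after editing either file.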

Satwika sree

Sep 26, 2023, 4:44:23 AM
to Wazuh | Mailing List
Hi,

Thank you for the information.

I've reviewed the blog at https://documentation.wazuh.com/current/proof-of-concept-guide/block-malicious-actor-ip-reputation.html, and I noticed that the information about Alienvault's Blacklist IP data is outdated. 
It's not up to date.

I would like assistance in obtaining a real-time threat intelligence feed. Can you provide guidance?

Nicolas Alejandro Bertoldo

Sep 26, 2023, 12:11:49 PM
to Wazuh | Mailing List
Hi Satwika,

First, take a look at this documentation that provides a comprehensive overview of different Wazuh capabilities that can be implemented in the process of threat hunting. Here you'll find guidance on:
Second, concerning your request for threat intelligence, Wazuh offers integrations with various CTI platforms such as MISP, URLHaus, VirusTotal, AlienVault and more. You can find various write-ups in our documentation and blogs that will help you integrate these according to your own requirements. A few examples are:
I hope you find this helpful!
Regards