Generate Alert of unknown source IP


zaffar abbas

Jun 23, 2023, 7:46:43 AM
to Wazuh mailing list
Is it possible to configure WAZUH in such a way that it generates an alert every time an activity is performed with an unknown IP address?
Suppose we have 3 VPN regions (3 IP addresses). Is it possible to whitelist these "IP addresses and our internal network addresses", and whenever an activity is done with a source IP apart from our whitelisted ones, WAZUH generates an alert mentioning a possible incident?

Aman Choudhary

Jun 23, 2023, 12:02:15 PM
to Wazuh mailing list
Hi Zaffar, 

I hope you are having a great day. 

If I am able to understand your query, you have to have a common database with whitelisted IPs, and when the IPs from any other source hit your server you want to generate a custom alert over it.

Something like this,

<list field="srcip" lookup="not_address_match_key">etc/lists/list-IP</list>

example:

<rule id="110700" level="10">
  <if_group>json</if_group>
  <!-- negative lookup: the rule fires only when srcip is NOT a key in the list -->
  <list field="srcip" lookup="not_address_match_key">etc/lists/list-IP</list>
  <description>IP is not in the LIST</description>
  <group>list1,</group>
</rule>

I hope this helps your query, do reply if it doesn't.

Regards,
Aman Choudhary

Nicolas Agustin Guevara Pihen

Jun 23, 2023, 4:22:09 PM
to Wazuh mailing list
Hello Zaffar, thank you for using Wazuh!
As Aman pointed out, you can use CDB lists for this purpose. To do that, you have to create a list with the IPs in the following format:

xx:xx:xx:xx:
xx:xx:xx:xx:
xx:xx:xx:xx:

...

Then you have to apply the list file to your ossec.conf

<ossec_config>
  <ruleset>
    <!-- path is relative to the Wazuh installation directory -->
    <list>etc/lists/list-IP</list>
  </ruleset>
</ossec_config>

And restart the manager.

After that, you can create rules with a negative lookup to the list to trigger if the IP is not there. You can create a child rule of the original, that will be triggered only if the IP is not in the list.

For example, if you want to use it with the rule 5710, the original rule is this:

<rule id="5710" level="5">
  <if_sid>5700</if_sid>
  <match>illegal user|invalid user</match>
  <description>sshd: Attempt to login using a non-existent user</description>
  <mitre>
    <id>T1110.001</id>
    <id>T1021.004</id>
    <id>T1078</id>
  </mitre>
  <group>authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,invalid_login,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

And you can create this rule:

<rule id="100001" level="7">
  <!-- child of 5710: replaces it whenever srcip is NOT a key in the CDB list -->
  <if_sid>5710</if_sid>
  <list field="srcip" lookup="not_address_match_key">etc/lists/list-IP</list>
  <description>UNKNOWN IP - sshd: Attempt to login using a non-existent user</description>
  <mitre>
    <id>T1110.001</id>
    <id>T1021.004</id>
    <id>T1078</id>
  </mitre>
  <group>authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,invalid_login,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

This way, you will see the 5710 rule if the IP is recognized, and the higher level 100001 rule if it is not.

I hope you find this information helpful, let me know if you have any questions.
Kind regards,

zaffar abbas

Jun 24, 2023, 1:23:42 AM
to Wazuh mailing list
Thank you so much for your prompt support, Team! Really appreciated!

zaffar abbas

Jun 24, 2023, 8:17:23 AM
to Wazuh mailing list
In continuation to this, generally there are a lot of IP addresses in an environment, so it would be difficult to whitelist all IP addresses. Is there any other whitelisting we can do for the same objective? Like region whitelisting?

Nicolas Agustin Guevara Pihen

Jul 6, 2023, 7:56:34 AM
to Wazuh mailing list
Hello Zaffar, apologies for the late response. 
In this case, as specified in the previous documentation, you can use the CDB list to match entire subnets, not only individual IPs. For example, you can add the key 172.16.19.: which will match the IPs in the range 172.16.19.0 - 172.16.19.255.

There are other options, like blocking known bad actors with AbuseIPDB. You can see the following blog post for an example of that:

https://wazuh.com/blog/detecting-known-bad-actors-with-wazuh-and-abuseipdb/

Have a good day!
Regards,
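The following is an added example, not part of this thread and not Wazuh's own code: a small Python model of how a CDB list with IP keys is consulted by the parent/child rule pair discussed above (5710 and 100001 with lookup="not_address_match_key"), run over a few constructed sshd events. It assumes the list uses the "key:value" syntax from the thread, that a full IPv4 address is tried first and then progressively shorter dotted prefixes (so the key 172.16.19. covers 172.16.19.0-255), and that the `<match>` comparison is case-insensitive; the whitelist contents, event dictionaries and function names are constructed for illustration.

```python
# Added example: model of a Wazuh CDB IP whitelist and a negative-lookup child rule.
# Not Wazuh's code; the prefix-matching behaviour below is an assumption based on
# the thread's statement that "172.16.19.:" matches 172.16.19.0 - 172.16.19.255.
import ipaddress

# Constructed whitelist in CDB list syntax ("<key>:<value>" per line).
# A key ending in a dot is a subnet prefix; the others are single addresses.
LIST_IP_TEXT = """\
203.0.113.10:vpn-region-1
203.0.113.11:vpn-region-2
198.51.100.5:vpn-region-3
172.16.19.:internal-lan
10.:corp-wan
"""

# Constructed sshd events, already decoded into fields as the manager would see them.
SAMPLE_EVENTS = [
    {"program": "sshd", "srcip": "203.0.113.10", "message": "Invalid user admin from 203.0.113.10"},
    {"program": "sshd", "srcip": "172.16.19.7", "message": "Invalid user test from 172.16.19.7"},
    {"program": "sshd", "srcip": "192.0.2.44", "message": "Invalid user root from 192.0.2.44"},
    {"program": "sshd", "srcip": "10.8.0.2", "message": "Accepted publickey for bob from 10.8.0.2"},
]


def parse_cdb_list(text):
    """Parse 'key:value' lines into a dict. Keys keep their trailing dot for prefixes."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entries[key.strip()] = value.strip()
    return entries


def address_match_key(entries, srcip):
    """Return the matching list key, or None.

    Assumed lookup order: the full address, then each shorter dotted prefix
    ("172.16.19.7" -> "172.16.19." -> "172.16." -> "172.").
    """
    try:
        ipaddress.IPv4Address(srcip)
    except ValueError:
        return None  # not a usable IPv4 address: never counts as whitelisted
    candidate = srcip
    while True:
        if candidate in entries:
            return candidate
        trimmed = candidate.rstrip(".")
        if "." not in trimmed:
            return None
        # drop the last octet but keep the trailing dot, as the subnet keys do
        candidate = trimmed.rsplit(".", 1)[0] + "."


def evaluate(entries, event):
    """Mimic rule 5710 and its child 100001 for one event.

    5710 fires on an sshd 'invalid user' message; 100001 is a child with a
    negative list lookup, so it replaces 5710 when srcip is NOT in the list.
    """
    message = event.get("message", "").lower()
    if event.get("program") != "sshd" or not ("invalid user" in message or "illegal user" in message):
        return None  # 5710 does not match, so neither rule fires
    if address_match_key(entries, event.get("srcip", "")) is None:
        return {"rule_id": 100001, "level": 7,
                "description": "UNKNOWN IP - sshd: Attempt to login using a non-existent user"}
    return {"rule_id": 5710, "level": 5,
            "description": "sshd: Attempt to login using a non-existent user"}


def run_rules(entries, events):
    """Evaluate every event and return the list of fired rules (None where nothing fired)."""
    return [evaluate(entries, event) for event in events]


if __name__ == "__main__":
    whitelist = parse_cdb_list(LIST_IP_TEXT)
    for event, result in zip(SAMPLE_EVENTS, run_rules(whitelist, SAMPLE_EVENTS)):
        fired = f"rule {result['rule_id']} (level {result['level']})" if result else "no rule"
        print(f"{event['srcip']:>14}: {fired}")
```

On the sample events, the two whitelisted sources (one exact key, one covered by the 172.16.19. prefix) stay at rule 5710, the 192.0.2.44 login attempt escalates to rule 100001, and the successful login does not trigger either rule because 5710 never matched. In a real deployment the list path in the rule and in ossec.conf must match exactly (including case, since the file system is case-sensitive), and the actual matching order should be confirmed with wazuh-logtest rather than taken from this model.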