How do I configure the Wazuh agent to block known malicious IP addresses?

B21DCAT138_NGÔ VĂN NAM

Oct 24, 2023, 3:10:53 PM10/24/23
to Wazuh | Mailing List
Hello everyone
I want to ask how to configure Wazuh agent machines to block known malicious IPs. I have
configured the IP address blocking service for the web server according to the instructions "Blocking a known malicious actor" in the Wazuh documentation, but when I try to simulate an attack on the Wazuh agent machines, I still see that it can still be done. So what should I do to solve this?
Hope everybody can help, please.

Roman Luna

Oct 24, 2023, 3:52:56 PM10/24/23
to Wazuh | Mailing List
Hi,

In order to block an IP on a device, the response comes from the server to run an active response. The agent itself does not process the information; it only sends it to the server for analysis.

There are a few steps to follow in order to block an IP:
1. The log is received in the manager
2. The manager has a list of IPs to compare against
3. Have a rule which is used as the prerequisite for the active response
4. Run the active response script

In the following link, you will see the configuration from the manager side: Blocking a known malicious actor - Proof of Concept guide (wazuh.com). A rule is added, a list of IPs is put in a file which is then mentioned in the configuration, and a response script is set to run when the requisites match.

You should have all these steps in place before simulating an attack. The link also includes tests that you can do; if you wish, you could follow them to see in which step there is an issue or error. If you encounter any, feel free to share which step you are having trouble with.

Regards.
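Added example, not part of the thread and not the Wazuh documentation's own code: a shell script that produces the manager-side pieces Roman lists (the CDB list the manager compares against, the rule that is the prerequisite, and the ossec.conf fragment that registers the list and ties the firewall-drop active response to the rule) and then checks that the three refer to each other, which is where most "the block never happens" cases come from. The rule id 100100, the list name blacklist-alienvault, and a web-attack alert that carries a decoded srcip are assumptions; it also assumes the agent is already shipping the web server log to the manager, since, as Roman says, the agent does nothing on its own. The IPs in the usage line are constructed test values.

```shell
#!/bin/sh
# Added example, not from the thread or the Wazuh docs. Generates the manager-side
# pieces for the "block a known malicious IP" flow and checks they are wired together.
# Assumed (hypothetical) names: rule id 100100, list blacklist-alienvault.
set -eu

# Manager install dir. Point it at a scratch directory for a dry run.
WAZUH_DIR="${WAZUH_DIR:-/var/ossec}"
LIST_REL="etc/lists/blacklist-alienvault"   # path as written in the rule and ossec.conf
RULE_ID=100100

# Step 2: the list the manager compares against. Takes plain IPs (one per argument;
# comment lines skipped) and writes CDB keys of the form "IP:", the same shape the
# docs' iplist-to-cdblist.py converter produces.
write_cdb_list() {
    mkdir -p "$WAZUH_DIR/etc/lists"
    printf '%s\n' "$@" | awk 'NF && $0 !~ /^#/ { print $1 ":" }' > "$WAZUH_DIR/$LIST_REL"
}

# Step 3: the rule that is the prerequisite for the active response. It fires on a
# web-attack alert whose decoded srcip is a key of the list; appended so that any
# existing local rules survive.
write_rule() {
    mkdir -p "$WAZUH_DIR/etc/rules"
    cat >> "$WAZUH_DIR/etc/rules/local_rules.xml" <<EOF
<group name="attack,">
  <rule id="$RULE_ID" level="10">
    <if_group>web|attack|attacks</if_group>
    <list field="srcip" lookup="address_match_key">$LIST_REL</list>
    <description>IP address found in the blocklist (added example rule).</description>
  </rule>
</group>
EOF
}

# Steps 2 and 4 as they appear in ossec.conf: register the list under <ruleset> and
# run firewall-drop on the agent that raised the alert (location local) whenever the
# rule matches. Printed rather than patched into ossec.conf because a malformed
# ossec.conf stops the manager from starting; merge it by hand.
ossec_conf_fragment() {
    cat <<EOF
<ossec_config>
  <ruleset>
    <list>$LIST_REL</list>
  </ruleset>
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>$RULE_ID</rules_id>
    <timeout>60</timeout>
  </active-response>
</ossec_config>
EOF
}

# Stand-in for the manager's list lookup: exact key match on "IP:". Use it to confirm
# the attacker IP used in a test really is in the list before blaming the response.
is_blocklisted() {
    grep -qxF "$1:" "$WAZUH_DIR/$LIST_REL"
}

# Wiring check for the usual failure modes: the active response names a rule id that
# exists, that rule points at the registered list, and the list is non-empty.
check_wiring() {
    rule_file="$WAZUH_DIR/etc/rules/local_rules.xml"
    rid=$(ossec_conf_fragment | sed -n 's/.*<rules_id>\([0-9]*\)<\/rules_id>.*/\1/p')
    grep -qF "<rule id=\"$rid\"" "$rule_file" || { echo "rule $rid not defined" >&2; return 1; }
    lst=$(ossec_conf_fragment | sed -n 's/.*<list>\(.*\)<\/list>.*/\1/p')
    grep -qF "lookup=\"address_match_key\">$lst</list>" "$rule_file" \
        || { echo "rule $rid does not use list $lst" >&2; return 1; }
    [ -s "$WAZUH_DIR/$lst" ] || { echo "list $lst missing or empty" >&2; return 1; }
}

# Usage: WAZUH_DIR=/tmp/dryrun sh block_ip.sh apply 203.0.113.5 198.51.100.7
# On a real manager, restart it afterwards so the list and rule are loaded.
if [ "${1:-}" = "apply" ]; then
    shift
    write_cdb_list "$@"
    write_rule
    ossec_conf_fragment
    check_wiring && echo "configuration is consistent"
fi
```

Run it with WAZUH_DIR pointing at a scratch directory first to inspect what it produces; the is_blocklisted check is deliberately an exact-key match, so if the attacker IP you use in the simulation does not come back as listed, no rule can fire and no firewall-drop will be sent, whatever the rest of the setup looks like.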
