Help with the abuseIPDB rule.


ocerna0721

Aug 24, 2023, 7:16:34 PM
to Wazuh | Mailing List
Hello everyone,

I would like to discuss an issue I'm facing regarding the data retrieval from the abuseIPDB integration. I'm trying to analyze the information from the following logs:

/* This log has an SRC that matches a public IP address. */
Aug 21 13:50:36 TSS kernel: [6031296.121710] [TS-bridge-inbound-17-D] IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 MAC=70:4c:a5:46:cd:61:f8:75:a4:10:dd:9a:08:00 SRC=34.120.195.249 DST=192.168.1.131 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=7632 DF PROTO=TCP SPT=49541 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0

/* This log has an SRC that matches a private/local IP address. */
Aug 21 13:50:36 TSS kernel: [6031296.121710] [TS-bridge-inbound-17-D] IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 MAC=70:4c:a5:46:cd:61:f8:75:a4:10:dd:9a:08:00 SRC=192.168.1.131 DST=34.120.195.249 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=7632 DF PROTO=TCP SPT=49541 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0

These are the rules I am using:

<group name="firewall,">
  <rule id="4100" level="15" overwrite="yes">
    <category>firewall</category>
    <description>t INTELLIGENCE blocked malicious traffic</description>
  </rule>
</group>

<group name="firewall">

  <rule id="100002" level="5">
    <if_sid>4100</if_sid>
    <match type="pcre2">\b(?!(10)|192\.168|172\.(2[0-9]|1[6-9]|3[0-1])|(25[6-9]|2[6-9][0-9]|[3-9][0-9][0-9]|99[1-9]))[0-9]{1,3}\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)</match>
    <description>Traffic Flow: $(srcip) --> $(dstip)</description>
  </rule>

  <rule id="100004" level="10">
    <field name="abuseipdb.source.rule" type="pcre2">^100002$</field>
    <field name="abuseipdb.abuse_confidence_score" type="pcre2" negate="yes">^0$</field>
    <description>Blocked: Malicious, a public IP address: $(srcip) with $(abuseipdb.abuse_confidence_score)% confidence of abuse.</description>
  </rule>
</group>


I have analyzed the rule with id="100002". As I understand it, this rule captures information from rule id="4100" and analyzes the srcip field using a "pcre2" match type. This match type denies certain formats of private IP addresses, such as 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, and 25.0.0.0 to 25.255.255.255. After detecting a public IP, rule id="100004" should take this information and send it to abuseIPDB, which will then provide information back about the score of the collected public IP.

The issue is that so far, the rule with id="100004" has not been functioning for me. I am only reaching the rule with id="100002". I have attached the test results for the rule.

**Messages:
    WARNING: (7003): 'd036f450' token expires
    INFO: (7202): Session initialized with token 'b2922e53'

**Phase 1: Completed pre-decoding.
    full event: 'Aug 21 13:50:36 TSS kernel: [6031296.121710] [TS-bridge-inbound-17-D] IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 MAC=70:4c:a5:46:cd:61:f8:75:a4:10:dd:9a:08:00 SRC=34.120.195.249 DST=192.168.1.131 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=7632 DF PROTO=TCP SPT=49541 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0'
    timestamp: 'Aug 21 13:50:36'
    hostname: 'TSS'
    program_name: 'kernel'

**Phase 2: Completed decoding.
    name: 'kernel'
    parent: 'kernel'
    action: '[TS-bridge-inbound-17-D]'
    dstip: '192.168.1.131'
    dstport: '443'
    protocol: 'TCP'
    srcip: '34.120.195.249'
    srcport: '49541'

**Phase 3: Completed filtering (rules).
    id: '100002'
    level: '5'
    description: 'Traffic Flow: 34.120.195.249 --> 192.168.1.131'
    groups: '["firewall"]'
    firedtimes: '1'
    mail: 'false'

**Alert to be generated.


I would like to create a rule similar to rule id="100002" which analyzes the dstip field and does the same thing, searching for public IPs. It would be great if, when rule 100002 doesn't find a public IP in the srcip field during its analysis, it triggers another rule, like id="10003", to check for a public IP in the dstip field.
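An added example, not part of the thread, that runs the rule-100002 pattern over the two kernel lines quoted above in two ways: against the whole line, which is what `<match>` compares with, and against the decoded SRC value only, which is what a `<field name="srcip" type="pcre2">` check would see. It also compares the pattern's verdicts with Python's standard-library `ipaddress` classification; only the standard library is assumed.

```python
import ipaddress
import re

# The pcre2 pattern from rule 100002 in the question, copied unchanged.
PUBLIC_IP_RE = re.compile(
    r"\b(?!(10)|192\.168|172\.(2[0-9]|1[6-9]|3[0-1])"
    r"|(25[6-9]|2[6-9][0-9]|[3-9][0-9][0-9]|99[1-9]))"
    r"[0-9]{1,3}\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
    r"\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
    r"\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
)
SRC_RE = re.compile(r"\bSRC=([0-9.]+)")

# The two kernel log lines quoted in the question: public SRC, then private SRC.
LOG_PUBLIC_SRC = (
    "Aug 21 13:50:36 TSS kernel: [6031296.121710] [TS-bridge-inbound-17-D] IN=br0 OUT=br0 "
    "PHYSIN=eth1 PHYSOUT=eth0 MAC=70:4c:a5:46:cd:61:f8:75:a4:10:dd:9a:08:00 "
    "SRC=34.120.195.249 DST=192.168.1.131 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=7632 DF "
    "PROTO=TCP SPT=49541 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0"
)
LOG_PRIVATE_SRC = LOG_PUBLIC_SRC.replace(
    "SRC=34.120.195.249 DST=192.168.1.131", "SRC=192.168.1.131 DST=34.120.195.249"
)


def match_whole_log(line):
    """Mimics <match type="pcre2">: the pattern is searched in the whole log line,
    so an accepted address anywhere in it (SRC or DST) satisfies the rule."""
    m = PUBLIC_IP_RE.search(line)
    return m.group(0) if m else None


def src_is_public(line):
    """Mimics <field name="srcip" type="pcre2">: the pattern is applied only to the
    decoded source address, which is what the question intends."""
    m = SRC_RE.search(line)
    return bool(m) and PUBLIC_IP_RE.search(m.group(1)) is not None


def regex_says_public(ip):
    return PUBLIC_IP_RE.search(ip) is not None


def disagreements(ips):
    """Addresses where the pattern and the RFC-based ipaddress classification differ,
    e.g. 100.x.x.x (rejected by the bare '10' prefix), link-local and loopback."""
    return [ip for ip in ips if regex_says_public(ip) != ipaddress.ip_address(ip).is_global]
```

Because `<match>` sees the whole line, the second log also satisfies rule 100002 through its DST address. Rule 100004 keys on abuseipdb.* fields that only exist in the event the integration posts back after an alert, so wazuh-logtest on the raw kernel line stops at rule 100002.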

Stuti Gupta

Aug 25, 2023, 2:19:24 AM
to Wazuh | Mailing List
Hope you are doing well today, and thank you for using Wazuh.

Wazuh helps you to trigger alerts and enhance your Wazuh security monitoring setup by integrating threat intelligence to block incoming connections from known malicious IP addresses. You can achieve this using the Wazuh CDB list. Its main feature is to create a white/black list of users, file hashes, IP addresses, or domain names.
You can create a list first. The list file is a plain text file. Each line has a unique key followed by a colon. With a key, we can determine the presence or absence of a field in a given list. By adding a value, we can use it as criteria in rules. We recommend storing the lists in /var/ossec/etc/lists:
key1:value1
key2:value2

Adding the list in ossec.conf: Each list must be defined in the ossec.conf file using the following syntax:
<ossec_config>
  <ruleset>
    <list>etc/lists/list-IP</list>
  </ruleset>
</ossec_config>
Using the CDB list in the rules:
Positive key match: In case the field is an IP address, you must use address_match_key
<list field="srcip" lookup="address_match_key">etc/lists/list-IP</list>
Negative key match: In case the field is an IP address, you must use not_address_match_key
<list field="srcip" lookup="not_address_match_key">etc/lists/list-IP</list>
key and value match: In case the field is an IP address, you must use address_match_key_value
<list field="srcip" lookup="address_match_key_value" check_value="^reject">etc/lists/list-IP</list>
On a positive match the returned value of the key
<list field="user" lookup="match_key_value" check_value="^block">etc/lists/list-user</list>

CDB list rule example:
<rule id="110700" level="10">
  <if_group>json</if_group>
  <list field="srcip" lookup="address_match_key">etc/lists/List-one</list>
  <description>IP blacklisted in LIST ONE</description>
  <group>list1,</group>
</rule>

To know more about this, refer to https://documentation.wazuh.com/current/user-manual/ruleset/cdb-list.html#cdb-lists-examples
You can also check the Blocking Unknown Malicious Actor document: this case uses a public IP reputation database that contains the IP addresses of some malicious actors. An IP reputation database is a collection of IP addresses that have been flagged as malicious.
Please refer to the CDB list and threat intelligence document: Wazuh detects malicious files by checking the presence of their signatures in a CDB list. This CDB list must contain known malware threat intelligence indicators.
To know more about Wazuh malware detection capabilities, please refer to https://documentation.wazuh.com/current/user-manual/capabilities/malware-detection/cdb-lists-threat-intelligence.html#cdb-lists-and-threat-intelligence
For making custom rules and decoders please refer to https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Hope this will be helpful. Please feel free to contact us for any information/issues.
Regards,

ocerna0721

Aug 25, 2023, 11:57:07 AM
to Wazuh | Mailing List
Hello Stuti,

Thank you very much for taking the time to respond to my inquiry.

But I'm sorry to say that my question was not answered.
I need to use the abuseIPDB integration because I would like to obtain information about the IPs that are being blocked by my device and know their threat score along with other data that the abuseIPDB API provides. Of course, in conjunction with this integration, what you have suggested is very interesting, but using them together would result in a more efficient detection process. This is because with the obtained scores, we can avoid false positives.