IP blocking using CDB lists


athan espinoza

Sep 23, 2024, 1:10:16 AM
to Wazuh | Mailing List

Hello,

I have a problem that doesn't appear clearly in the documentation, or I don't know where to find what I need to do. I'm generating an IP block using CDB lists so that when I add an IP address, it blocks any connection on the agents.

From what I've read, I created the block list:

<!-- IP blocking CDB list -->
<group name="list,blocked,">
  <rule id="100140" level="12">
    <list field="srcip" lookup="address_match_key">etc/lists/bloqueo-ip</list>
    <description>IP en lista negra detectada</description>
    <group>ip_blocked,</group>
  </rule>
  <rule id="100141" level="3">
    <list field="srcip" lookup="address_match_key">etc/lists/bloqueo-ip</list>
    <description>IP en lista negra detectada (Debug)</description>
  </rule>
</group>



I took ossec.conf and added the list information:

  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>
    <!-- Rule to detect malicious hashes -->
    <list>etc/lists/malware-hashes</list>
    <!-- Rule for IP blocking -->
    <list>etc/lists/bloqueo-ip</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

<!-- CDB lists -->
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100140</rules_id>
    <timeout>600</timeout>
    <repeated_offenders>30,60,120</repeated_offenders>
  </active-response>
</ossec_config>


I test with an SSH connection (just as a quick proof of concept) and nothing happens.

I don't know if I'm doing everything wrong or if I need to add some script within the agent or in Endpoint Groups.

Regards!!!


Henadence Anyam

Sep 23, 2024, 5:57:17 AM
to Wazuh | Mailing List
Hello Athan,

The issue is related to your custom rule 100140. The rule doesn't inherit from any parent rule so the Analysis engine can't determine which action triggers the rule.

Since you are testing for unauthorized logins, you can write the rule based on rule ID 5710 or other related rules 5551, 5712, 5711, 5716, 5720, 5503, 5504.
This can be done using the if_sid rule option.

So, your rule should look like the following if we use rule ID 5710:

<group name="list,blocked,">
  <rule id="100140" level="12">
    <if_sid>5710</if_sid>
    <list field="srcip" lookup="address_match_key">etc/lists/bloqueo-ip</list>
    <description>IP en lista negra detectada</description>
    <group>ip_blocked,</group>
  </rule>
</group>

You can also use the if_group rule option in case you want to base the rule off of certain triggered alert groups.

Let me know if you find this information helpful.
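To make the two mechanisms in this thread concrete (the CDB list lookup with address_match_key, and the if_sid chain from rule 5710 to the custom rule 100140), here is an added Python example. It is not code from the thread and not Wazuh's own code: it is a small emulation that parses a constructed CDB list, performs the address lookup, and runs a constructed set of sshd log lines through a toy version of the parent/child rule chain. The prefix-matching behaviour of address_match_key, the simplified regex standing in for rule 5710, and the reading of timeout/repeated_offenders in block_minutes are my assumptions; the IP addresses come from the RFC 5737 documentation ranges and are placeholders.

```python
import re

# Constructed sample of a Wazuh CDB list file ("key:value", one entry per line).
# One full address and one dotted network prefix; addresses are RFC 5737
# documentation ranges, i.e. placeholders, not real offenders.
BLOCKLIST_TEXT = """\
198.51.100.23:
203.0.113.:
"""

# Constructed sshd lines in the shape the stock sshd decoder handles.
SAMPLE_LOGS = [
    "Sep 22 18:25:11 host sshd[1234]: Invalid user admin from 198.51.100.23 port 51234",
    "Sep 22 18:25:12 host sshd[1235]: Invalid user test from 203.0.113.77 port 51235",
    "Sep 22 18:25:13 host sshd[1236]: Invalid user guest from 192.0.2.9 port 51236",
    "Sep 22 18:25:14 host sshd[1237]: Accepted publickey for ops from 198.51.100.23 port 51237",
]

# Simplified stand-in (assumption) for the part of rule 5710 that matters here:
# "Invalid user <name> from <srcip>".
INVALID_USER_RE = re.compile(r"Invalid user \S+ from (?P<srcip>(?:\d{1,3}\.){3}\d{1,3})")


def parse_cdb_list(text):
    """Parse 'key:value' lines into a dict. Blank lines are skipped; a line
    without ':' or with an empty key is rejected as malformed."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep or not key:
            raise ValueError(f"line {lineno}: malformed CDB entry {raw!r}")
        entries[key] = value
    return entries


def address_match_key(srcip, entries):
    """Emulation (assumption, based on the documented lookup) of address_match_key:
    try the full address first, then each shorter dotted prefix
    ('203.0.113.', '203.0.', '203.'), so a prefix key covers a whole range."""
    if srcip in entries:
        return True
    octets = srcip.split(".")
    for n in range(len(octets) - 1, 0, -1):
        if ".".join(octets[:n]) + "." in entries:
            return True
    return False


def evaluate(log_line, entries):
    """Toy version of the chain the reply recommends: child rule 100140 is only
    evaluated after its if_sid parent (5710) matched and supplied srcip."""
    m = INVALID_USER_RE.search(log_line)
    if m is None:
        return None  # parent never fired, so the list is not even consulted
    srcip = m.group("srcip")
    if address_match_key(srcip, entries):
        return {"rule": 100140, "srcip": srcip, "active_response": "firewall-drop"}
    return {"rule": 5710, "srcip": srcip, "active_response": None}


def evaluate_all(log_lines, entries):
    """Evaluate every line; None means no rule in this toy chain matched."""
    return [evaluate(line, entries) for line in log_lines]


def block_minutes(offense_number, timeout_seconds=600, repeated_offenders=(30, 60, 120)):
    """My reading (assumption) of the active-response settings posted above:
    the first block lasts <timeout> seconds; later blocks of the same source
    use the repeated_offenders values in minutes, capped at the last one."""
    if offense_number <= 1:
        return timeout_seconds / 60
    idx = min(offense_number - 2, len(repeated_offenders) - 1)
    return repeated_offenders[idx]


if __name__ == "__main__":
    blocklist = parse_cdb_list(BLOCKLIST_TEXT)
    for line, result in zip(SAMPLE_LOGS, evaluate_all(SAMPLE_LOGS, blocklist)):
        print(f"{line[-45:]:>45}  ->  {result}")
```

The fourth sample line is the one worth noticing: a successful login from a listed address produces nothing, because rule 100140 only runs after 5710 has matched an invalid-user attempt. Chaining to 5710 therefore means "drop the source after a bad login attempt from a listed address", not "block any connection from a listed address"; widening the parent (the if_group option the reply mentions, or several if_sid values) is what decides how early the firewall-drop fires.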
