Hi Satwika,
The default VirusTotal script that is present in Wazuh works only with alerts from the syscheck group that have the md5_after field in them.
Check the document for reference:
https://github.com/wazuh/wazuh/blob/master/integrations/virustotal.py#L204C9-L204C17
------------------------
    # If there is no syscheck block present in the alert. Exit.
    if 'syscheck' not in alert:
        debug('# No syscheck block present in the alert')
        return None
    # If there is no md5 checksum present in the alert. Exit.
    if 'md5_after' not in alert['syscheck']:
        debug('# No md5 checksum present in the alert')
        return None
    # If the md5_after field is not a md5 hash checksum. Exit
------------------------
Check the document for reference:
https://documentation.wazuh.com/current/proof-of-concept-guide/detect-remove-malware-virustotal.html
Additionally, you can write a custom script based on this
https://github.com/wazuh/wazuh/blob/master/integrations/virustotal.py
https://documentation.wazuh.com/current/user-manual/manager/manual-integration.html
https://wazuh.com/blog/how-to-integrate-external-software-using-integrator//
Use this for VT to detect malicious IPs and use the active response of Wazuh to block the IP.
Ref: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html
Additionally, you can check some similar use cases:
https://wazuh.com/blog/detecting-known-bad-actors-with-wazuh-and-abuseipdb/
https://wazuh.com/blog/using-osint-to-create-cdb-lists/
Let me know if you need any further information on this.
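As an added illustration (not code from the thread or from the Wazuh project) of the gating logic a custom integration would need: the stock script only proceeds for alerts that carry syscheck.md5_after, so a variant that also handles IPs has to pick the indicator first. The sample alerts below are constructed, the data.srcip field name and the VirusTotal v3 object paths are assumptions, and no network request is made.

```python
import ipaddress
import json
import re

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
# Ranges never worth a VirusTotal lookup (RFC 1918, loopback, link-local).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]

def select_indicator(alert):
    """Pick the indicator a VirusTotal lookup should use for this alert.
    Returns ("md5", hash) for FIM alerts carrying syscheck.md5_after (the only
    case the stock script handles), ("ip", addr) for alerts carrying data.srcip
    (assumed field name), or None when there is nothing to look up."""
    syscheck = alert.get("syscheck", {})
    if "md5_after" in syscheck:
        md5 = syscheck["md5_after"]
        # Same early exit as the stock script: not a valid MD5 hex string.
        return ("md5", md5.lower()) if MD5_RE.match(md5) else None
    srcip = alert.get("data", {}).get("srcip")
    if not srcip:
        return None
    try:
        addr = ipaddress.ip_address(srcip)
    except ValueError:
        return None  # malformed srcip: skip rather than send junk to the API
    if any(addr in net for net in NON_ROUTABLE):
        return None
    return ("ip", srcip)

def vt_endpoint(kind, value, base="https://www.virustotal.com/api/v3"):
    """VirusTotal v3 object URL for the indicator: files/{hash} or ip_addresses/{ip}."""
    return f"{base}/{'files' if kind == 'md5' else 'ip_addresses'}/{value}"

def plan_lookup(alert_json):
    """Entry point shaped like the integration script, which reads the raw
    alert JSON from the file Wazuh passes as argv[1]."""
    chosen = select_indicator(json.loads(alert_json))
    return None if chosen is None else vt_endpoint(*chosen)

# Constructed sample alerts (not real Wazuh output): a FIM alert with a hash,
# an sshd alert from a TEST-NET-2 address, one from a LAN address, and one with no IoC.
FIM_ALERT = json.dumps({"rule": {"id": "554"}, "syscheck": {"path": "/tmp/a.bin",
                        "md5_after": "D41D8CD98F00B204E9800998ECF8427E"}})
SSH_ALERT = json.dumps({"rule": {"id": "5710"}, "data": {"srcip": "198.51.100.23"}})
LAN_ALERT = json.dumps({"rule": {"id": "5710"}, "data": {"srcip": "192.168.1.9"}})
NO_IOC_ALERT = json.dumps({"rule": {"id": "1002"}, "full_log": "nothing to look up"})

if __name__ == "__main__":
    for a in (FIM_ALERT, SSH_ALERT, LAN_ALERT, NO_IOC_ALERT):
        print(plan_lookup(a))
```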