Blocking a malicious actor

In this POC, you are able to identify the monitored Windows endpoint IP address as a bad reputation one. To do this, you need to log into the Windows endpoint as the attacker and try connecting to the victim’s Apache server running on a CentOS 8 system.

Prerequisites

  • You need an Apache server running on the monitored CentOS 8 system.

  • Configure the Wazuh CentOS 8 host to monitor the Apache access logs in the /var/ossec/etc/ossec.conf configuration file.

    <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/access_log</location>
    </localfile>
    

Configuration

Configure your environment as follows to test the POC.

  1. Download the Alienvault IP reputation database to your Wazuh manager.

    # wget https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/alienvault_reputation.ipset -O /var/ossec/etc/lists/alienvault_reputation.ipset
    
  2. Run the following command at the Wazuh manager (the attacker), replacing <your_windows_ip_address> with the monitored Windows endpoint’s IP address.

    # echo "<your_windows_ip_address>" >> /var/ossec/etc/lists/alienvault_reputation.ipset
    
  3. Download the script to convert from the ipset format to the cdb list format.

    # wget https://wazuh.com/resources/iplist-to-cdblist.py -O /tmp/iplist-to-cdblist.py
    
  4. Convert the alienvault_reputation.ipset file to a .cdb format using the previously downloaded script.

    # python /tmp/iplist-to-cdblist.py /var/ossec/etc/lists/alienvault_reputation.ipset /var/ossec/etc/lists/blacklist-alienvault
    
  5. Optionally, remove the alienvault_reputation.ipset file and the iplist-to-cdblist.py script, as they are no longer needed.

    # rm -rf /var/ossec/etc/lists/alienvault_reputation.ipset
    # rm -rf /var/ossec/etc/lists/iplist-to-cdblist.py
    
  6. Assign the right permissions and ownership to the generated file.

    # chown ossec:ossec /var/ossec/etc/lists/blacklist-alienvault
    # chmod 660 /var/ossec/etc/lists/blacklist-alienvault
    
  7. Add a custom rule to trigger the active response. This can be done in the /var/ossec/etc/rules/local_rules.xml file at the Wazuh manager.

    <group name="attack,">
    <rule id="100100" level="10">
        <if_group>web|attack|attacks</if_group>
        <list field="srcip" lookup="address_match_key">etc/lists/blacklist-alienvault</list>
        <description>IP address found in AlienVault reputation database.</description>
    </rule>
    </group>
    
  8. Add the appropriate active response settings to the ruleset section of the /var/ossec/etc/ossec.conf file at the Wazuh manager.

    <ossec_config>
        <ruleset>
            <!-- Default ruleset -->
            <decoder_dir>ruleset/decoders</decoder_dir>
            <rule_dir>ruleset/rules</rule_dir>
            <rule_exclude>0215-policy_rules.xml</rule_exclude>
            <list>etc/lists/audit-keys</list>
            <list>etc/lists/blacklist-alienvault</list>
            <!-- User-defined ruleset -->
            <decoder_dir>etc/decoders</decoder_dir>
            <rule_dir>etc/rules</rule_dir>
        </ruleset>
    
        <command>
            <name>firewall-drop</name>
            <executable>firewall-drop</executable>
            <timeout_allowed>yes</timeout_allowed>
        </command>
    
        <active-response>
            <command>firewall-drop</command>
            <location>local</location>
            <rules_id>100100</rules_id>
            <timeout>60</timeout>
        </active-response>
    </ossec_config>
    
  9. Restart the Wazuh Manager.

    # systemctl restart wazuh-manager
    

Steps to generate the alerts

  1. Log into the attacker’s system (the monitored Windows endpoint).

  2. Connect to the victim’s system (the Apache server in the monitored CentOS 8 endpoint) from a web browser.

    The custom firewall rule will temporarily block any connection from the attacker system for 60 seconds.

Query the alerts

You can visualize the alert data in the Wazuh Kibana plugin. To do this, go to the Security events module and add the filters in the search bar to query the alerts.

  • rule.id:(651 OR 100100)

Troubleshooting

  • Python command not working during step 4.

This can be solved by creating a symbolic link.

# ln -s /usr/bin/python3 /usr/bin/python