Wazuh – 黑名单匹配告警(CDB list)

需求:

​ 现有一批高危用户, 需要实时关注该账号的登录情况。由于之前已经写好了一个针对用户登录账号的审计规则, 因此, 这里需要用到Wazuh CDB list这个功能(此功能主要用例是创建用户,IP或域名的白/黑列表。)消费审计规则数据即可。


  1. 新建列表
1
2
3
4
5
$ more blacklist

admin:
root:
administrator:
  1. 将列表文件添加到ossec.conf
1
2
3
4
5
6
7
8
$ more ossec.conf

<ossec_config>
<ruleset>
<!-- User-defined CDB list -->
<list>etc/lists/blacklist</list>
</ruleset>
</ossec_config>
  1. 编译列表
1
2
3
$ /var/ossec/bin/ossec-makelists

* File etc/lists/blacklist.cdb needs to be updated
  1. 重启进程
1
$ sudo systemctl restart wazuh-manager
  1. 配置规则
1
2
3
4
5
6
7
8
9
10
11
12
13
14
<group name="local,blacklist,">


<!-- ID: 100150 - 100199 -->

<rule id="100163" level="12">
<if_sid>100303</if_sid>
<list field="http.email" lookup="match_key">etc/lists/blacklist</list>
<description>Wazuh Rules - High-risk user login detected. $(src_ip) -> $(http.email) -> $(http.hostname) -> $(http.url) = $(http.results).</description>
<options>no_full_log</options>
<group>blacklist,</group>
</rule>

</group>
  1. 测试规则
1
2
3
4
5
6
7
8
9
$ ./ossec-logtest
2019/10/18 15:06:47 ossec-testrule: INFO: Started (pid: 2184).
ossec-testrule: Type one log per line.

**Phase 3: Completed filtering (rules).
Rule id: '100163'
Level: '12'
Description: 'Wazuh Rules - High-risk user login detected. 1.1.1.1 -> admin -> canon88.github.io -> /user/login = success.'
**Alert to be generated.