Wazuh Integration

Ibrahim Ayadhi
7 min read, Apr 14, 2020


Welcome to the fourth article of this series. I encourage you to read the previous article first to better understand what we are going to discuss here.

Moving along in our project: now that the SIEM part is complete, it is time to transform our solution from a simple observer into an active responder. One of the important tools we have used for this is Wazuh. In this article we hope to show you the advantages offered by this tool, as well as how to deploy and use it.

The article is divided into these sections:

  • Installation of the Wazuh server and agent
      • Installing the Wazuh server
      • Installing the Wazuh agent
      • Installing the app and integrating it with Kibana
      • Configuring and connecting the agents
  • Active response

1- Installation of the Wazuh server and the agent

Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance. Here are some definitions you need to know:

  • Wazuh server: Runs the Wazuh manager, API and Filebeat. It collects and analyzes data from deployed agents.
  • Wazuh agent: Runs on the monitored host, collecting system logs and configuration data and detecting intrusions and anomalies. It talks to the Wazuh server, to which it forwards the collected data for further analysis.

1.1- Introduction to the Wazuh server architecture:

The Wazuh architecture is based on agents running on monitored hosts that forward log data to a central server. Also, agentless devices (such as firewalls, switches, routers, access points, etc.) are supported and can actively submit log data via syslog and/or a periodic probe of their configuration changes to later forward the data to the central server. The central server decodes and analyzes the incoming information and passes the results along to an Elasticsearch cluster for indexing and storage.

We will be using the single-host architecture (HIDS), which is the following:

For more details about the other architectures, check the official website:

https://documentation.wazuh.com/3.8/getting-started/architecture.html

1.2- Installation of the Wazuh manager, API and Filebeat

For the installation itself, follow the official Wazuh documentation:

https://documentation.wazuh.com/3.12/installation-guide/installing-wazuh-manager/linux/ubuntu/wazuh_server_packages_ubuntu.html#wazuh-server-packages-ubuntu

After installing, we have to edit the Filebeat configuration file. Filebeat can send its output either to Elasticsearch or to Logstash. In our case, we will set up the Elasticsearch output with no SSL verification (note that only the alerts module is enabled):

cd /etc/filebeat

nano filebeat.yml

Now we will set up the index template and start the three services:

filebeat setup --index-management

service filebeat start

service wazuh-manager start

service wazuh-api start

1.3- Installation of the Wazuh agent

Use this link for the installation:

https://documentation.wazuh.com/3.12/installation-guide/installing-wazuh-agent/linux/ubuntu12.04-or-greater/wazuh_agent_package_ubuntu12.04_or_greater.html#wazuh-agent-package-ubuntu12-04-or-greater

Check that the wazuh-agent is running properly:

1.4- Installation of the Wazuh app and integration with Kibana:

This app is the bridge between the Wazuh server and the Kibana instance of the ELK stack we installed previously.

The app is only provided on a GitHub repository, not on the official website.

We will be installing the version of the Wazuh app that is compatible with ELK Stack 7.6.1. To do so:

cd /usr/share/kibana

sudo -u kibana bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.12.2_7.6.1.zip

It is recommended to increase the heap size of Kibana so that the plugin installation completes successfully:

cat >> /etc/default/kibana << EOF
NODE_OPTIONS="--max_old_space_size=2048"
EOF

Restart Kibana:

systemctl restart kibana

You can check all the available versions on this site:

https://github.com/wazuh/wazuh-kibana-app

Now, in Kibana, you should see the Wazuh icon in the left-hand tab. Click on it and the Wazuh app (connected to the Wazuh API) will open. Take some time to explore it; you should get something similar to this. You will not have any agents connected to it for now. In the next part we will discuss how to connect your agents.

1.5- Connecting and configuring the agents

There are many ways to register the agent. In this article we will use the manual way.

On the Wazuh manager host, we will run manage_agents from the CLI to add a new agent. To do that, type:

/var/ossec/bin/manage_agents

  • Select the add-agent option by typing A and hitting Enter.
  • Enter the name you want to give to the machine, in this case user1.
  • Type the IP address of the endpoint device. Note that if the endpoint does not have a static IP address, you can use the keyword any instead of the IP address.
  • Once done, hit Enter.

Now we are going to extract the secret key that will allow our agent to connect to the Wazuh server.
To do that, this time we select option E (extract key for an agent) and then type the ID of our agent; in this case I have chosen the agent with ID 001.

Once you have added the agent on the Wazuh manager host, open a session on your Linux agent host as the root user. After that, let's import the key and connect the agent to the manager.

Type the following:

/var/ossec/bin/manage_agents -i "Your_Secret_key"

You should get a result like this. Type y and hit Enter.

One more step to go.

Edit the Wazuh agent configuration in /var/ossec/etc/ossec.conf to add the Wazuh server IP address. In the <client><server> section, change the MANAGER_IP value to the Wazuh server address. The address of the Wazuh server can be an IP address or a DNS name:

1.6- Checking received data:

To check that ELK is receiving data from the Wazuh server, go to Index Management. You should see something similar to this (wazuh-alerts and wazuh-monitoring):

2- Wazuh active response:

Wazuh provides an active response module that handles automatic responses to specific alerts, which you configure on the Wazuh manager.

An active response is a script configured to execute when a specific alert, alert level or rule group is triggered. Active responses are either stateful or stateless. A stateful response is configured to undo its action after a specified period of time, while a stateless response is a one-time action.

For example, suppose we want to automatically block a certain IP address based on logs coming from an endpoint device that show it is under a brute-force attack, whether over RDP or SSH depending on the OS of the host.

We can create an active response that blocks the attacker's IP when the observed behaviour matches the ruleset stored on Wazuh. We will take the example of an SSH brute force and consider 8 failed logins as an attack attempt. When this happens, the rule "5712 - SSHD brute force trying to get access to the system." is triggered, and the command that blocks the IP is executed.

First, we need to define the command that we'll use for the response.

OSSEC comes with a set of common scripts used in active response. These scripts are in /var/ossec/active-response/bin/ on the server machine. We are going to use the firewall-drop.sh script, which should work with common Linux/Unix operating systems and allows blocking a malicious IP using the local firewall.

Define the command in the ossec.conf of your OSSEC manager:

nano /var/ossec/etc/ossec.conf


Next, in the same file, we configure OSSEC to run the active response. The main fields are:

  • command: The command previously defined (firewall-drop).
  • location: Where the command should be executed. We want to execute it on the agent that reported the event, so we use local.
  • rules_id: The command is executed when rule 5712 fires.
  • timeout: Block the IP for 60 seconds on the firewall (iptables, ipfilter, etc.).

Then save the modification, close the file and restart the wazuh-manager with the command:

service wazuh-manager restart

Now, on your Wazuh agent hosts, don't forget to edit ossec.conf and add:

<active-response>
  <disabled>no</disabled>
</active-response>
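As an added example that is not part of the original article, here is what the manager-side ossec.conf fragments described above look like when written out, using the values given in the article (firewall-drop, firewall-drop.sh, location local, rule 5712, 60-second timeout). The <expect> and <timeout_allowed> elements are assumed from the Wazuh 3.x configuration syntax, since the article does not show them:

```xml
<!-- Manager side: /var/ossec/etc/ossec.conf (added example, Wazuh 3.x syntax) -->
<ossec_config>

  <!-- 1. Define the command: which script to run and what it needs from the alert -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <!-- firewall-drop.sh needs the source IP of the alert (assumed; standard for this script) -->
    <expect>srcip</expect>
    <!-- allow a timeout so the block is undone automatically (stateful response) -->
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- 2. Bind the command to rule 5712, executed on the agent that raised the alert -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712</rules_id>
    <!-- seconds after which the blocked IP is released again -->
    <timeout>60</timeout>
  </active-response>

</ossec_config>
```

After a response fires, the agent records both the block and the later unblock in /var/ossec/logs/active-responses.log, which is the place to confirm that the action ran and was undone after the timeout.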

Now you can try to brute-force SSH on the host machine where the Wazuh agent is installed, and you'll be blocked for 60 seconds after 8 failed logins.

For more details on Wazuh active response, you can check:

https://documentation.wazuh.com/3.7/user-manual/capabilities/active-response/how-it-works.html


Ibrahim Ayadhi

Penetration Tester | Red Team | OSEP | OSCP | CRTO | CEH Master | LPIC-1