Proof of Concept Guide
In this use case, you use the Wazuh command monitoring capability to detect when
Netcat is running on an Ubuntu endpoint. Netcat is a computer networking utility used
for port scanning and port listening.
Infrastructure
Configuration
Ubuntu endpoint
Take the following steps to configure command monitoring and query a list of all
running processes:
1. Add the following configuration to the Wazuh agent configuration file:
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <alias>process list</alias>
    <command>ps -e -o pid,uname,command</command>
    <frequency>30</frequency>
  </localfile>
</ossec_config>
2. Restart the Wazuh agent to apply the changes:
Wazuh server
Perform the following steps on the Wazuh server to create a rule that detects
Netcat in the process list collected from the Ubuntu endpoint:
1. Add the following rule to the Wazuh server ruleset:
<group name="ossec,">
  <rule id="100050" level="0">
    <if_sid>530</if_sid>
    <match>^ossec: output: 'process list'</match>
    <description>List of running processes.</description>
    <group>process_monitor,</group>
  </rule>
</group>
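To make the 530 -> 100050 chain concrete, here is an added Python simulation of what the rules do with the command output (example code, not Wazuh's own). The child-rule pattern on `nc -l` is an assumption inferred from the emulation below and the dashboard filter rule.id:(100051), which the page references but does not show; the events are constructed.

```python
import re

# Constructed samples of what the agent forwards for a full_command run:
# one event per execution, carrying the whole `ps -e -o pid,uname,command`
# output under the alias configured above.
SAMPLE_EVENTS = [
    "ossec: output: 'process list':\n"
    "  PID USER     COMMAND\n"
    "    1 root     /sbin/init\n"
    " 1432 ubuntu   nc -l 8000\n"
    " 1501 ubuntu   ps -e -o pid,uname,command\n",
    "ossec: output: 'process list':\n"
    "  PID USER     COMMAND\n"
    "    1 root     /sbin/init\n",
    "ossec: output: 'disk usage':\n/dev/sda1 73%\n",   # another alias
]

# Rule 100050 from the page: <match>^ossec: output: 'process list'</match>
PARENT_MATCH = re.compile(r"^ossec: output: 'process list'")

# Hypothetical child rule pattern (the page filters on rule.id:(100051)
# but does not show the rule): one ps line whose command is a netcat
# listener, as in the emulation `nc -l 8000`.
NETCAT_LISTENER = re.compile(r"^\s*(\d+)\s+(\S+)\s+(nc|netcat)\s+-l\b.*$", re.M)


def evaluate(event: str) -> dict:
    """Return the deepest rule id the event reaches and the process lines
    the child rule would alert on. 530 stands for Wazuh's generic
    command-output rule (simplified here to a prefix check)."""
    if not event.startswith("ossec: output: "):
        return {"rule": None, "hits": []}      # not command-monitor output
    if not PARENT_MATCH.match(event):
        return {"rule": 530, "hits": []}       # output of a different alias
    hits = [m.group(0).strip() for m in NETCAT_LISTENER.finditer(event)]
    # 100050 is level 0, so it is silent; only the child rule alerts.
    return {"rule": 100051 if hits else 100050, "hits": hits}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(evaluate(ev))
```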
Attack emulation
On the monitored Ubuntu endpoint, run nc -l 8000 for 30 seconds. The command
runs every 30 seconds, so the listener must be alive during at least one run
for it to appear in the process list.
Visualize the alerts
You can visualize the alert data in the Wazuh dashboard. To do this, go to
the Security events module and add the filters in the search bar to query the
alerts.
rule.id:(100051)
Blocking a known malicious actor
In this use case, we demonstrate how to block malicious IP addresses from
accessing web resources on a web server. You set up Apache web servers on
Ubuntu and Windows endpoints, and try to access them from an RHEL
endpoint.
This case uses a public IP reputation database that contains IP addresses
flagged as malicious. The RHEL endpoint plays the role of the malicious actor
here, so you add its IP address to the reputation database. Then, you configure
Wazuh to block the RHEL endpoint from accessing web resources on the Apache web
servers for 60 seconds.
RHEL 9.0: the attacker endpoint; you use the Wazuh CDB list capability to flag
its IP address as malicious.
Perform the following steps on the Ubuntu endpoint to install an Apache web
server and monitor its logs:
8. Check the status of the Apache service to verify that the web server is
running:
10. Use the curl command or open http://<UBUNTU_IP> in a browser to view the
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/apache2/access.log</location>
</localfile>
Perform the following steps on the Windows endpoint to install and configure an
Apache web server.
3. Unzip the contents of the Apache web server zip file and copy the
5. C:\Apache24\bin>httpd.exe
The first time you run the Apache binary, a Windows Defender Firewall prompt
pops up.
and verify the installation. Also, verify that this URL can be reached from
Perform the steps below to configure the Wazuh agent to monitor Apache web
server logs.
1. Add the following to C:\Program Files (x86)\ossec-agent\ossec.conf to configure
<localfile>
  <log_format>syslog</log_format>
  <location>C:\Apache24\logs\access.log</location>
</localfile>
You need to perform the following steps on the Wazuh server to add the IP
address of the RHEL endpoint to a CDB list, and then configure rules and
active response.
1. Add the IP address of the RHEL endpoint to the CDB list using the
command below:
Add the following rule, which alerts when the source IP address of a web event
is found in the list:
<group name="attack,">
  <rule id="100100" level="10">
    <if_group>web|attack|attacks</if_group>
    <list field="srcip" lookup="address_match_key">etc/lists/blacklist-alienvault</list>
    <description>IP address found in AlienVault reputation database.</description>
  </rule>
</group>
Add the blacklist-alienvault list to the <ruleset> section of the Wazuh server
configuration so the rule can reference it:
<ossec_config>
  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>
    <list>etc/lists/blacklist-alienvault</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

</ossec_config>
Active response for the Ubuntu endpoint, using the firewall-drop command:
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>60</timeout>
  </active-response>
</ossec_config>
Active response for the Windows endpoint, using the netsh command:
<ossec_config>
  <active-response>
    <command>netsh</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>60</timeout>
  </active-response>
</ossec_config>
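As an added illustration (example code, not Wazuh's own), the following Python simulates the chain the configuration above sets up: the CDB list text format, the address_match_key lookup used by rule 100100, and the 60-second active-response window. The list contents, the decoded events and the CIDR key support are constructed assumptions of this example.

```python
import ipaddress

# Constructed CDB list in Wazuh's key:value text form: an IP blacklist uses
# the address as the key and leaves the value empty. The addresses are
# documentation ranges standing in for the RHEL attacker IP; CIDR keys are
# an assumption of this example, not something the page states.
BLACKLIST_TEXT = """\
198.51.100.23:
203.0.113.0/24:
"""

# Constructed, already-decoded Apache access-log events (ts in seconds).
SAMPLE_EVENTS = [
    {"ts": 1000, "srcip": "198.51.100.23", "groups": ["web", "accesslog"]},
    {"ts": 1001, "srcip": "192.0.2.9",     "groups": ["web", "accesslog"]},
    {"ts": 1002, "srcip": "203.0.113.77",  "groups": ["web", "accesslog"]},
    {"ts": 1003, "srcip": "198.51.100.23", "groups": ["syslog"]},
]


def load_cdb(text):
    """Parse key:value lines into networks (a bare IP becomes a /32)."""
    keys = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            key = line.split(":", 1)[0].strip()
            keys.append(ipaddress.ip_network(key, strict=False))
    return keys


def address_match_key(value, keys):
    """Mimic lookup="address_match_key": is the field an address in the list?"""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in keys)


def rule_100100(event, keys):
    """<if_group>web|attack|attacks</if_group> plus the srcip list lookup."""
    in_group = {"web", "attack", "attacks"} & set(event.get("groups", []))
    return bool(in_group) and address_match_key(event.get("srcip", ""), keys)


def active_response(events, keys, timeout=60):
    """For each event: whether 100100 fires and until when firewall-drop
    keeps the source blocked (the page's <timeout>60</timeout>)."""
    out = []
    for ev in events:
        fired = rule_100100(ev, keys)
        out.append({"srcip": ev["srcip"], "alert": fired,
                    "blocked_until": ev["ts"] + timeout if fired else None})
    return out
```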
1. Access any of the web servers from the RHEL endpoint. Replace
<WEBSERVER_IP> with the web server's IP address and execute the following
command from the attacker endpoint:
$ curl http://<WEBSERVER_IP>
The attacker endpoint connects to the victim's web servers the first time. After
the first connection, the Wazuh active response module temporarily blocks any
You can visualize the alert data in the Wazuh dashboard. To do this, go to
the Security events module and add the filters in the search bar to query the
alerts.
Ubuntu - rule.id:(651 OR 100100)
Windows - rule.id:(657 OR 100100)
In this use case, we show how Wazuh detects brute-force attacks on RHEL and
Windows endpoints.
Perform the following steps to configure the Ubuntu endpoint. This allows
endpoints.
1. On the attacker endpoint, install Hydra and use it to execute the
brute-force attack:
the IP address of the Windows endpoint and run the command below:
You can visualize the alert data in the Wazuh dashboard. To do this, go to
the Security events module and add the filters in the search bar to query the
alerts.
Windows - rule.id:(60122 OR 60204)