# Wazuh POC - Detecting a Known Malicious IP 05-22-2025 Tags: #Wazuh #SIEM #Linux --- **Table of Contents** - [[#Objective|Objective]] - [[#The Setup|The Setup]] - [[#Set Up: Apache on Linux Mint|Set Up: Apache on Linux Mint]] - [[#Configure the Wazuh agent (on the Victim Web Server)|Configure the Wazuh agent (on the Victim Web Server)]] - [[#Wazuh Server Configuration|Wazuh Server Configuration]] - [[#Wazuh Server Configuration#Download the utilities and configure the CDB list|Download the utilities and configure the CDB list]] - [[#Wazuh Server Configuration#Wazuh-Server: Configure the Active Response module to block the malicious IP address|Wazuh-Server: Configure the Active Response module to block the malicious IP address]] - [[#Attack emulation|Attack emulation]] - [[#Visualize the alerts|Visualize the alerts]] - [[#References|References]] --- ## Objective This is part of a hands-on series I’m doing to improve my skills in detection engineering, SIEM customization, and incident response. I'm using my homelab to test how well Wazuh can detect and respond to real-world threats — specifically, known malicious IPs. The goal here is to simulate a basic attack scenario and practice building a detection and response workflow from scratch. I want to understand how custom rules, external threat intel (like IP reputation feeds), and automated blocking (via Wazuh’s Active Response) all work together in a SIEM pipeline. Inspired by [Wazuh’s POC guide](https://documentation.wazuh.com/current/proof-of-concept-guide/block-malicious-actor-ip-reputation.html), this exercise walks through how to block a malicious IP from accessing my web server using a **CDB IP reputation list** and Wazuh’s **Active Response** module. In short, I’m simulating an attacker trying to access my Apache server, feeding that attacker's IP into a custom blocklist, and having Wazuh take automated action based on log activity and threat intel. Here’s what I’ll be doing step by step: 1. Set up an Apache web server 2. Configure Wazuh agent to monitor `access.log` 3. Download and convert a CBD list to `.cdb` format 4. Create a custom Wazuh rule to detect the malicious IP 5. Configure Wazuh-Manager to load the new blacklist 6. Enable Active Response to temporarily block the IP ## The Setup - Homelab virtualized using **Proxmox** - Isolated network: `10.0.10.0/24` - **SIEM Stack:** - `Wazuh-Manager` for alert rules and Active Response - `Wazuh-Indexer` for backend log storage - `Graylog` writing data into Wazuh-Indexer - `Fluent-bit` reading Wazuh JSON logs and piping them to Graylog - **Endpoints:** - Linux Mint 21 web server (Apache 2.4.52) with Wazuh agent installed - Kali Linux attacker box ## Set Up: Apache on Linux Mint I'm setting up a basic Apache web server on Linux Mint 21. 1. Update local packages and install the Apache web server: `$ sudo apt update` `$ sudo apt install apache2` 2 . Check the status of the Apache service to verify that the web server is running: $ sudo systemctl status apache2 Now that I'm done, I can access the web server from my attacking Kali box, as shows below: ![[poc_victim_webpage.png]] ## Configure the Wazuh agent (on the Victim Web Server) Let's go ahead an add a rule to monitor our access logs on this machine. Hypothetically, we could add this rule to Wazuh-Manager directly, via a group, but for simplicity's sake, I'm just going to add the rule directly to the agent config. Add the following to `/var/ossec/etc/ossec.conf` file to configure the Wazuh agent and monitor the Apache access logs: ``` <localfile> <log_format>syslog</log_format> <location>/var/log/apache2/access.log</location> </localfile> ``` Restart the Wazuh agent to apply the changes: `$ sudo systemctl restart wazuh-agent` ## Wazuh Server Configuration I'm using the FireHOL list because it's a widely respected community-driven source of known malicious IPs, frequently updated, and in a format that's easy to adapt into Wazuh's CDB system. This helps simulate real-world threat intel integration. Wazuh requires IP reputation lists to be in `.cdb` format for efficient lookup during rule evaluation. Converting ensures fast IP matching when alerts are processed. Let's add the list to Wazuh now ### Download the utilities and configure the CDB list 1. Make sure you are updated and have wget `$ sudo yum update && sudo yum install -y wget` 2. Download the Firehol IP reputation database: `$ sudo wget https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level1.netset -O /var/ossec/etc/lists/firehol_level1.netset` 3. Add the IP address of the attacker (the Kali box) to the new IP reputation database. Replace `<ATTACKER_IP>` with the specific IP. `$ sudo echo "<ATTACKER_IP>" >> /var/ossec/etc/lists/firehol_level1.netset` 4. Download the Conversion python script from Wazuh. `$ sudo wget https://wazuh.com/resources/iplist-to-cdblist.py -O /tmp/iplist-to-cdblist.py` 5. Convert the `firehol_level1.netset` file to a `.cdb` format using the previously downloaded script: `$ sudo /var/ossec/framework/python/bin/python3 /tmp/iplist-to-cdblist.py /var/ossec/etc/lists/firehol_level1.netset /var/ossec/etc/lists/blacklist-firehol_level1` 6. *Optional*: Remove the `firehol_level1.netset` file and the `iplist-to-cdblist.py` script, as they are no longer needed: `$ sudo rm -rf /var/ossec/etc/lists/firehol_level1.netset` `$ sudo rm -rf /tmp/iplist-to-cdblist.py` 7. Set your permissions `$ sudo chown wazuh:wazuh /var/ossec/etc/lists/blacklist-firehol_level1` ### Wazuh-Server: Configure the Active Response module to block the malicious IP address Now we need to set up the rule configure Active response to match the source IP of our Kali box based on the list that we just added. We also need to load the new list into Wazuh-Manager, for use. 1. Add a new custom rule to trigger the [active response](https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html) script, in `/var/ossec/etc/rules/local_rules.xml` on the Wazuh-server ``` <group name="attack,"> <rule id="100100" level="10"> <if_group>web|attack|attacks</if_group> <list field="srcip" lookup="address_match_key">etc/lists/blacklist-firehol_level1</list> <description>IP address found in the Firehol_level1 reputation database.</description> </rule> </group> ``` 2. Update the Wazuh server `/var/ossec/etc/ossec.conf` configuration file and add the `etc/lists/blacklist-firehol_level1` list to the `<ruleset>` section: ``` <ossec_config> <ruleset> <!-- Default ruleset --> <decoder_dir>ruleset/decoders</decoder_dir> <rule_dir>ruleset/rules</rule_dir> <rule_exclude>0215-policy_rules.xml</rule_exclude> <list>etc/lists/audit-keys</list> <list>etc/lists/amazon/aws-eventnames</list> <list>etc/lists/security-eventchannel</list> <list>etc/lists/blacklist-firehol_level1</list> <!--Added here--> <!-- User-defined ruleset --> <decoder_dir>etc/decoders</decoder_dir> <rule_dir>etc/rules</rule_dir> </ruleset> </ossec_config> ``` 3. Enable the Active Response block to the Wazuh server `/var/ossec/etc/ossec.conf` file: >The `firewall-drop` command integrates with the Ubuntu local iptables firewall and drops incoming network connection from the attacker endpoint for 60 seconds. ``` <ossec_config> <active-response> <disabled>no</disabled> <command>firewall-drop</command> <location>local</location> <rules_id>100100</rules_id> <timeout>60</timeout> </active-response> </ossec_config> ``` ## Attack emulation Now it's time to try out the new rule. Try to access the web URL with the Kali box at the attack_ip that you added in the above rules, or use `curl` to pull the page as well. Replace `<WEBSERVER_IP>` with the appropriate value and execute the following command from the attacker endpoint: $ curl http://<WEBSERVER_IP> Kali will connect to the page for the first time but after the first connection, if you try to curl again or if you refresh the webpage, the Wazuh Active Response module temporarily blocks any successive connection to the web server for 60 seconds. ## Visualize the alerts If you're using Wazuh's Dashboard, you should be able to visualize the alert data. I'm using Graylog, so I'll check there, search specifically for `rule.id:100100` ![[poc_attack_visualization.png]] ## In Conclusion **In conclusion**, this proof of concept successfully demonstrated how Wazuh can be configured to detect and respond to known malicious IPs by integrating external threat intelligence, creating custom detection rules, and using Active Response to block the attacker. This setup mimics a real-world scenario where organizations ingest public IP reputation feeds to automate threat mitigation — a crucial component of modern SOC workflows. ### Improvements While effective, this exercise had some limitations: it used a static list that isn’t automatically updated, and the temporary 60-second block might not reflect a realistic response window in production environments. To improve this setup, I could automate the ingestion and conversion of updated threat intel feeds, implement persistent or escalated blocking mechanisms, and correlate attacker behavior across multiple log sources for deeper context. Expanding this exercise could involve integrating MISP or OpenCTI for richer IOC feeds, testing with multiple attack vectors, or chaining alerts across endpoints to simulate a coordinated response. --- ## References >Wazuh: *Blocking a known malicious actor*: https://documentation.wazuh.com/current/proof-of-concept-guide/block-malicious-actor-ip-reputation.html >Wazuh Active Response Documentation: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html >Github Firehol IP sets: https://github.com/firehol/blocklist-ipsets/blob/master/README.md#list-of-ipsets-included >Firehol_level1 IP set: https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level1.netset