CyberToolGuadrian

  In the previous post we saw how we can install Suricata in Ubuntu, in this post let’s see how we can use Suricata to block requests from Malicious IP’s. You can find Suricata installation guide  here . Before stating we need python and pip installed in the machine, sudo apt-get update sudo apt-get install python3 sudo apt-get install python3-pip Once you have successfully installed python and pip, install requests using pip. pip install requests Now head to  AbuseIPDB  and create an account (free account will work for test purposes, use can go for paid accounts if required) and create an API key and copy the key. Save the below python code into a file and name it as maliciousIPs.py import requests import json def update_suricata_rules ( malicious_ips ): with open ( '/var/lib/suricata/rules/block_ips.rules' , 'a' ) as rule_file: sid = 100001 for ip in malicious_ips: rule_file.write( f'drop ip {ip} any -> any any (msg:...

In the previous article’s we saw installation of Suricata and Wazuh in Ubuntu, now let’s see how we can send Suricata logs to Wazuh using wazuh agents. Let’s first check the status of Suricata, sudo systemctl status suricata Now that suricata is running, let us deploy wazuh agents on Suricata machine. Using the Wazuh Dashboard, deploy agent give the wazuh machine IP in the Server address and name the agent and run the generated command in the Suricata machine. Copy the generated commands and run the command in the suricata machine, Once the agent is installed reload and start the agent. Once the agent starts we can view the agent information in the wazuh dashboard. Once the agent is successfully deployed, change the directory to /var/ossec/etc and edit ossec.conf Add the suricata eve.json file path as shown below. In the suricata machine, download and extract the Emerging Threats Suricata ruleset cd /tmp/ && curl -LO https://rules.emergingthreats.net/open/suricata-6.0.8/emergi...