Wazuh v2.1.0 released!

Today we are pleased to announce the release of Wazuh v2.1.0. We have added new features and fixed several bugs.

You can find all the details in our release notes and changelog file. Additionally, here is a brief explanation of the new features:

Agent anti flood protection

Agents now include a mechanism to control event floods, avoiding outages, lost events and degraded network performance. We have seen in the past that, without any throughput control, an agent could collect and send an extremely high number of events per second (EPS), leading to unexpected outages or other undesired situations.

For example, if an agent is reading noisy firewall […]
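To make the idea of throughput control concrete, here is an added example, written for this post rather than taken from the agent's own code, that models a bounded event buffer drained at a fixed events-per-second budget and shows what happens to a burst that exceeds it. The queue size, the EPS budget and the firewall-log burst are all invented values; the real agent's behaviour and its tuning knobs are described in the release notes.

```python
"""Illustrative model of agent-side flood control: a bounded event buffer
drained at a fixed events-per-second budget.

Added example and a deliberate simplification written for this post, not the
Wazuh agent's own code. The queue size, the EPS budget and the sample burst
are assumptions chosen to show the behaviour."""
from collections import deque


class ThrottledAgentBuffer:
    """Collect events into a bounded queue and forward at most `eps` per second.

    Events that arrive while the queue is full are counted as dropped rather
    than forwarded, so a noisy log source cannot saturate the network or the
    manager; the cost is that those events never reach the manager at all.
    """

    def __init__(self, queue_size, eps):
        self.queue = deque()
        self.queue_size = queue_size
        self.eps = eps
        self.dropped = 0
        self.sent = []

    def collect(self, event):
        """Called by the log reader; returns False when the event is dropped."""
        if len(self.queue) >= self.queue_size:
            self.dropped += 1
            return False
        self.queue.append(event)
        return True

    def tick(self):
        """Called once per second: send at most `eps` queued events."""
        budget = min(self.eps, len(self.queue))
        for _ in range(budget):
            self.sent.append(self.queue.popleft())
        return budget


def simulate(burst_per_second, seconds, queue_size=1000, eps=500):
    """Feed `burst_per_second` constructed firewall events every second for
    `seconds` seconds, then drain the queue, and report what was forwarded,
    what was dropped and how many extra seconds the backlog took to clear."""
    buf = ThrottledAgentBuffer(queue_size, eps)
    for s in range(seconds):
        for i in range(burst_per_second):
            buf.collect(f"fw-log {s}-{i}")  # constructed event, not a real log line
        buf.tick()
    # Keep draining after the burst stops until the backlog is gone.
    drain_ticks = 0
    while buf.queue:
        buf.tick()
        drain_ticks += 1
    return {"sent": len(buf.sent), "dropped": buf.dropped, "drain_ticks": drain_ticks}


if __name__ == "__main__":
    print("noisy source :", simulate(2000, 3))
    print("quiet source :", simulate(300, 3))
```

With a 1000-event queue and a 500 EPS budget, simulate(2000, 3) forwards 2000 of the 6000 events and counts the other 4000 as dropped at the agent, instead of letting the whole burst hit the network and the manager; simulate(300, 3) stays under the budget and loses nothing. Dropping at the agent versus delaying delivery is a trade-off that depends on how noisy the source is, which is why the limit has to be tuned per agent rather than set once globally.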

By |August 17th, 2017|0 Comments

Wazuh v2.0.1 released! Includes new rules for Docker, Jenkins, MongoDB, AWS S3, Windows Defender and more.

I am happy to announce that Wazuh v2.0.1 has just been released!

As many of you already know, we released Wazuh v2.0 back in April this year. It included the integration of our forked version of OSSEC with OpenSCAP and Elastic Stack 5. In addition, we improved some core capabilities for infrastructure security monitoring, and developed a new WUI in the form of a Kibana app. You can learn more here: https://blog.wazuh.com/wazuh-v2-0-released

This new release, Wazuh v2.0.1, comes with additional rules and decoders as well as other interesting changes in the core code and the API.

By |July 26th, 2017|0 Comments

Wazuh workshop at Bsides Chicago – July 15th 2017

Wazuh is sponsoring the Bsides Security Conference in Chicago, taking place on Saturday July 15th, 2017. Come and say hello! It is a great opportunity to meet part of the team and learn more about Wazuh.

We will be doing a 3-hour workshop. Check the content below. Looking forward to seeing you all.

Workshop

Host-based security monitoring has become increasingly important as the number and severity of threats keep growing. In addition, network security monitoring tools are now harder to deploy, and not as efficient as they used to be.

Another driver for the […]

By |July 14th, 2017|0 Comments

Using OSINT to create CDB lists and block malicious IPs

Today’s post is about using Open Source Intelligence (OSINT) together with CDB lists. Let’s start with the latter. If you have been using Wazuh for a while, you might, for instance, be receiving alerts caused by legitimate users and be wondering how to ignore them. That is a perfect use case for CDB lists. Another one, and the case we focus on here, is having a reliable blacklist of malicious IPs that you want to block. Both are good scenarios for CDB lists. What are they? They are a list of values that are checked against a […]
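As an added example for this post (not code from the original article or from Wazuh itself), the following turns a plain-text OSINT reputation feed into the key:value text that a CDB list is built from, then looks decoded events up against it the way a rule with a `<list field="srcip">` condition would. The feed lines, the sample events and the field name `srcip` are constructed for the example; the real list is compiled from the text with ossec-makelists before a rule can reference it.

```python
"""Added example, not Wazuh's code: OSINT feed -> CDB list source text ->
lookup of decoded events against the list.

The feed text and the decoded events below are constructed for this example."""
import ipaddress

# Constructed sample of a plain-text reputation feed: one address per line,
# an optional "# reason" trailer, plus comment, blank, duplicate and malformed
# lines that a robust importer has to cope with.
OSINT_FEED = """\
# Sample feed, generated for this example
203.0.113.7 # scanning host
198.51.100.23 # ssh brute forcer
not-an-ip # should be rejected
203.0.113.7 # duplicate entry

192.0.2.200
"""

# Constructed decoded events, shaped like the fields a decoder would extract.
SAMPLE_EVENTS = [
    {"srcip": "198.51.100.23", "dstuser": "root", "program_name": "sshd"},
    {"srcip": "10.0.0.5", "dstuser": "alice", "program_name": "sshd"},
    {"srcip": "203.0.113.7", "dstuser": "admin", "program_name": "sshd"},
]


def feed_to_cdb_source(feed_text):
    """Return CDB source text ("key:value" per line) for a reputation feed.

    Only syntactically valid IPv4/IPv6 addresses are kept, so a malformed or
    hostile feed line cannot poison the list; the value after the colon keeps
    the feed's comment so it can be surfaced in the alert. Duplicates keep
    their first occurrence. CIDR ranges are not handled here."""
    entries = {}
    for raw in feed_text.splitlines():
        parts = raw.split("#", 1)
        key = parts[0].strip()
        reason = parts[1].strip() if len(parts) == 2 else ""
        if not key:
            continue  # blank or comment-only line
        try:
            key = str(ipaddress.ip_address(key))  # normalises the address text
        except ValueError:
            continue  # skip malformed entries rather than abort the import
        entries.setdefault(key, reason)
    return "".join(f"{k}:{v}\n" for k, v in sorted(entries.items()))


def load_cdb_source(cdb_text):
    """Parse key:value lines back into a dict.

    This stands in for the compiled list: the real CDB file is an on-disk
    hash consulted in constant time, but the lookup semantics are the same."""
    table = {}
    for line in cdb_text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        table[key] = value
    return table


def match_events(events, table, field="srcip"):
    """Return (event, list_value) for each decoded event whose `field` is a
    key of the list, i.e. the events a <list> rule would fire on."""
    return [(ev, table[ev[field]]) for ev in events if ev.get(field) in table]


if __name__ == "__main__":
    cdb_text = feed_to_cdb_source(OSINT_FEED)
    print(cdb_text, end="")  # this is what you would write to the list's text file
    for event, reason in match_events(SAMPLE_EVENTS, load_cdb_source(cdb_text)):
        print(f"blacklisted {event['srcip']} ({reason}) -> user {event['dstuser']}")
```

Two of the three sample events match (198.51.100.23 and 203.0.113.7); the internal address 10.0.0.5 does not. Validating every feed line before it reaches the list matters because the list feeds an active response: an attacker who can inject text into a poorly parsed feed would otherwise be choosing which addresses you block.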

By |June 22nd, 2017|0 Comments

Wazuh APP overview using a brute-force attack example.

The Wazuh app runs on top of Kibana, providing a visualization layer not only for alert management but also for monitoring the configuration and status of the manager and agents. It is an easy way to browse through your alerts and get a quick view of the system status. In this article we show the Wazuh app using a simple use case: getting information about a brute-force attack.

I have built a quick and simple lab environment from scratch. It consists of just one server (a VM), where I have installed the Wazuh manager and use the agent that comes out of the box with it […]

By |June 15th, 2017|0 Comments

Monitoring USB drives in Windows using Wazuh

The goal of this article is to explain how to generate an alert when a USB storage device is connected to a Windows system monitored by Wazuh. Additionally, you will learn how to create a list of authorized devices, so that an unauthorized device can be detected.

Kibana Dashboard

Prerequisites

  • Wazuh 2.0.
  • This use case is prepared for Windows 10 and Windows Server 2016. For other Windows versions you can follow the same process; however, check the ID of the event generated (in our case 6416, as seen later in this article) […]
By |May 31st, 2017|0 Comments

Using Wazuh to monitor Sysmon events

Being a system security admin is not easy nowadays. Every day new vulnerabilities appear that jeopardize the integrity of our environments. Mark Russinovich, currently CTO of Microsoft Azure, co-founded Winternals Software, the company behind the Sysinternals utilities, which Microsoft acquired in 2006. Sysinternals offers technical resources and utilities to manage, diagnose, troubleshoot and monitor a Microsoft Windows environment, and contains, among other great tools, Sysmon, a system monitoring tool aimed at advanced users.

Sysmon is a Windows system service and driver, installed and configured from the command line, that records process creation, network connections and other system activity in the Windows event log, allowing us to monitor and track what is happening on our computers. With the […]

By |May 30th, 2017|0 Comments

Wazuh’s OpenSCAP component talk at Linux Days conference, April 29th in Graz, Austria

We thank our friend and contributor Theresa Meiksner for writing and sharing this post!

Wazuh has now integrated OpenSCAP into the brand-new v2.0 release.

I’m presenting this new release on Saturday, April 29th 2017, as part of the Linux Days conference in Graz, Austria. Come and see my talk to find out why Wazuh has integrated OpenSCAP as part of Wazuh v2.0 and how the results of the OpenSCAP definitions and checks can be viewed in your Wazuh environment.

Aligning the company’s infrastructure to comply with specific compliance requirements usually […]

By |April 27th, 2017|0 Comments

Wazuh v2.0 released!

Hi everyone,

I am happy to announce that Wazuh v2.0 has just been released!

As many of you already know, it includes the integration of our forked version of OSSEC with OpenSCAP and Elastic Stack 5. In addition, we improved some core capabilities for infrastructure security monitoring, and developed a new WUI in the form of a Kibana app.

Here are the highlights of the new release:

New log analysis and management features

  • Modified the OSSEC analysis engine to support dynamic data analysis, making it able to extract as many fields from a raw log as […]
By |April 24th, 2017|0 Comments

Blocking attacks with Active Response

In this post, we discuss how to block an attack using the active response feature in OSSEC. Active response allows OSSEC to run commands on an agent in response to certain triggers. In this example we simulate an SSH brute-force attack.

Detecting the attack

First of all, we need to know when to execute the response. We can use one of the following options:

  • Rule ID: The response will be executed on any event with the defined ID.
  • Rule group: The response will be executed on any event in the defined group.
  • Level: The response will be executed on any event with this level or higher.

In […]
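The three trigger kinds above are combined, not alternatives: when a response defines more than one, an alert has to satisfy all of them. The following is an added example written for this post (not OSSEC or Wazuh code) that evaluates constructed response definitions against constructed alerts and reports which commands would run. The rule IDs 5710, 5712 and 5720 and the group names are taken from the stock sshd ruleset as I recall them and should be verified against your own rules; the command names mirror the stock firewall-drop, host-deny and disable-account responses but are assumptions here.

```python
"""Added example, not OSSEC/Wazuh code: decide which active responses fire
for a given alert from the rules_id, rules_group and level triggers.

Response definitions, alerts, rule IDs and group names are constructed for
this example."""


def matches(response, alert):
    """Return True when the alert satisfies every trigger the response defines.

    - rules_id:    the alert's rule id must be one of the listed ids
    - rules_group: at least one of the alert's groups must be listed
    - level:       the alert level must be >= the configured level
                   ("this level or higher")
    Triggers that are defined are ANDed together. A response defining none
    of them matches nothing in this model, so an empty block cannot fire on
    every event."""
    ids = response.get("rules_id")
    groups = response.get("rules_group")
    level = response.get("level")
    if ids is None and groups is None and level is None:
        return False
    if ids is not None and alert["rule_id"] not in ids:
        return False
    if groups is not None and not set(groups) & set(alert["groups"]):
        return False
    if level is not None and alert["level"] < level:
        return False
    return True


def responses_to_run(responses, alerts):
    """Map each alert's rule id to the list of commands that would execute."""
    return [
        (alert["rule_id"], [r["command"] for r in responses if matches(r, alert)])
        for alert in alerts
    ]


# Constructed <active-response> definitions (assumed command names).
RESPONSES = [
    {"command": "firewall-drop", "location": "local", "rules_id": [5712], "timeout": 600},
    {"command": "host-deny", "location": "local",
     "rules_group": ["authentication_failures"], "level": 10},
    {"command": "disable-account", "location": "local", "level": 12},
]

# Constructed alerts from a simulated SSH brute-force; rule ids/groups assumed.
ALERTS = [
    {"rule_id": 5712, "level": 10, "srcip": "203.0.113.7",
     "groups": ["syslog", "sshd", "authentication_failures"]},   # brute force
    {"rule_id": 5710, "level": 5, "srcip": "203.0.113.7",
     "groups": ["syslog", "sshd", "authentication_failed"]},     # single failure
    {"rule_id": 5720, "level": 10, "srcip": "198.51.100.23",
     "groups": ["syslog", "sshd", "authentication_failures"]},   # repeated failures
]


if __name__ == "__main__":
    for rule_id, commands in responses_to_run(RESPONSES, ALERTS):
        print(f"rule {rule_id}: {commands or 'no response'}")
```

The single failed login (rule 5710, level 5) fires nothing, which is the point of keying the block on the correlated brute-force rule or on level 10 rather than on every authentication event: a response that blocks on each failure lets an attacker lock out legitimate users by spoofing a few bad logins. The level-12 response never fires on these alerts because 10 is below its threshold, even though the group would have matched.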

By |May 19th, 2016|0 Comments