About Jesus Linares

So far Jesus Linares has created 4 blog entries.

Wazuh v2.1.0 released!

Today we are pleased to announce the release of Wazuh v2.1.0. We have added new features and fixed several bugs.

You can find all the details in our release notes and changelog file. Additionally, here is a brief explanation of the new features:

Agent anti-flood protection

Agents now include a mechanism to control event floods, avoiding outages, dropped events, or an impact on network performance. We have seen in the past that, without any throughput control, an agent could end up collecting and sending an incredibly high number of events per second (EPS), leading to unexpected outages or other undesired situations.

For example, if an agent is reading noisy firewall […]

By Jesus Linares | August 17th, 2017

Using OSINT to create CDB lists and block malicious IPs

Today’s post is about using Open Source Intelligence (OSINT) and CDB lists. Let’s start with the latter. If you have been using Wazuh for a while, you might, for instance, be receiving some alerts related to legitimate users and be wondering how to ignore them. That is a perfect example for CDB lists. Another one, and this is the case we are going to focus on, is having a reliable blacklist containing malicious IPs that you want to block. Both are good scenarios for using CDB lists. What are they? They are a list of values that are checked against a […]

By Jesus Linares | June 22nd, 2017

Blocking attacks with Active Response

In this post, we will discuss how to block an attack using the active response feature in OSSEC. Active response allows OSSEC to run commands on an agent in response to certain triggers. In this example we simulate an SSH brute-force attack.

Detecting the attack

First of all, we need to know when to execute the response. We can use one of the following options:

  • Rule ID: The response will be executed on any event with the defined ID.
  • Rule group: The response will be executed on any event in the defined group.
  • Level: The response will be executed on any event with this level or higher.

In […]

By Jesus Linares | May 19th, 2016

Updating your ruleset automatically

The ruleset is one of the most important parts of OSSEC. Thanks to the ruleset, OSSEC is able to detect attacks, intrusions, software misuse, configuration problems, application errors, malware, rootkits, etc.

At this time, there are two ways to update the ruleset: wait for a new OSSEC release, or review the official repository for new rules, decoders and rootchecks. Wazuh is very aware of this, so we work every day to improve the ruleset by updating the out-of-the-box rules provided by OSSEC and adding new ones. All these changes are published in our rules repository. I encourage you to visit […]

By Jesus Linares | April 25th, 2016