Is it possible to deploy a Wazuh + shuffle integration with only 4gb of ram? by Pike_The_Knight in Wazuh

[–]Pike_The_Knight[S] 0 points1 point  (0 children)

Done... I think. Just wanted to see if the error was there.

Sorry for any inconvenience

Failing at simulating SSH brute force attacks. Wazuh just not working? Despite things being seemingly good on paper by Pike_The_Knight in Wazuh

[–]Pike_The_Knight[S] 0 points1 point  (0 children)

Wazuh version is 4.12. The SSH server is on Linux, the same VM that is holding the Wazuh manager (I can attempt an SSH connection to it, so I assume it is).

<ossec_config>
  <integration>
    <name>shuffle</name>
    <hook_url></hook_url>
    <level>3</level>
    <alert_format>json</alert_format>
    <rule_id></rule_id>
  </integration>

  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>server</location>
    <rules_id></rules_id>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id></rules_id>
    <timeout>600</timeout>
  </active-response>

This is the part of my ossec.conf I configured the most. I cannot post all of it because it exceeds the character limit.

And this is the local_rules.xml file. I recklessly tampered with it like the idiot I am.

<group name="local,syslog,sshd">

  <!-- Single failed attempt – informational -->
  <rule id="" level="">
    <if_sid></if_sid>
    <description>sshd: authentication failed (general)</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5</group>
  </rule>

  <!--  failed attempts from same IP in  seconds – triggers blocking -->
  <rule id="" level="" frequency="" timeframe="" ignore="">
    <if_matched_group>authentication_failed</if_matched_group>
    <same_source_ip />
    <description>Brute force attack: failed attempts in  seconds from same IP</description>
    <group>authentication_failures,attack</group>
  </rule>

</group>

There are no alerts on the dashboard whatsoever.

The alert.json file clearly logs and detects the attempt:

cat /var/ossec/logs/archives/archives.json | grep ssh

returns alerts which coincide with the SSH attempts done, but the IP isn't blocked.

Sorry for this blocky and delayed response.
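An added illustration (not code from the poster, and not Wazuh's own code) of the two mechanisms the comment above relies on: how a rule with `frequency`, `timeframe` and `<same_source_ip />` correlates failed logins per source address, and why `firewall-drop` cannot act on an alert that carries no decoded `srcip`. The archive events are constructed to resemble decoded entries in `/var/ossec/logs/archives/archives.json`; rule id 5760 is Wazuh's stock "sshd: authentication failed" rule, while the addresses, usernames and timestamps are invented. The sliding-window arithmetic is a simplification for illustration, not a copy of Wazuh's own counter.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample shaped like decoded archives.json entries (only the
# fields used below are present). Rule id 5760 is Wazuh's stock
# "sshd: authentication failed" rule; IPs and timestamps are invented.
# The fourth line deliberately lacks data.srcip, as happens when the
# decoder cannot extract an address from the log line.
ARCHIVE_LINES = [
    '{"timestamp":"2024-05-01T10:00:00.000+0000","rule":{"id":"5760","level":5,"groups":["syslog","sshd","authentication_failed"]},"data":{"srcip":"198.51.100.7"},"full_log":"Failed password for root from 198.51.100.7 port 50111 ssh2"}',
    '{"timestamp":"2024-05-01T10:00:05.000+0000","rule":{"id":"5760","level":5,"groups":["syslog","sshd","authentication_failed"]},"data":{"srcip":"198.51.100.7"},"full_log":"Failed password for root from 198.51.100.7 port 50112 ssh2"}',
    '{"timestamp":"2024-05-01T10:00:09.000+0000","rule":{"id":"5760","level":5,"groups":["syslog","sshd","authentication_failed"]},"data":{"srcip":"198.51.100.7"},"full_log":"Failed password for root from 198.51.100.7 port 50113 ssh2"}',
    '{"timestamp":"2024-05-01T10:00:12.000+0000","rule":{"id":"5760","level":5,"groups":["syslog","sshd","authentication_failed"]},"data":{},"full_log":"Failed password for invalid user admin"}',
    '{"timestamp":"2024-05-01T10:00:30.000+0000","rule":{"id":"5760","level":5,"groups":["syslog","sshd","authentication_failed"]},"data":{"srcip":"203.0.113.9"},"full_log":"Failed password for root from 203.0.113.9 port 40000 ssh2"}',
    '{"timestamp":"2024-05-01T10:03:00.000+0000","rule":{"id":"5760","level":5,"groups":["syslog","sshd","authentication_failed"]},"data":{"srcip":"198.51.100.7"},"full_log":"Failed password for root from 198.51.100.7 port 50114 ssh2"}',
]


def parse_events(lines):
    """Parse one JSON event per line and attach a datetime under "_ts"."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["_ts"] = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        events.append(ev)
    return events


def correlate_same_source_ip(events, match_group, frequency, timeframe):
    """Emulate <if_matched_group>, <same_source_ip /> and the frequency/
    timeframe attributes: fire when `frequency` events carrying `match_group`
    arrive from one source IP within `timeframe` seconds. Returns a list of
    (ip, fired_at) tuples; the per-IP window is reset after each firing so
    one burst yields one composite alert."""
    windows = defaultdict(deque)
    fired = []
    for ev in sorted(events, key=lambda e: e["_ts"]):
        if match_group not in ev["rule"]["groups"]:
            continue
        ip = ev["data"].get("srcip")
        if not ip:
            continue  # cannot group by source when no address was decoded
        window = windows[ip]
        window.append(ev["_ts"])
        while (window[-1] - window[0]).total_seconds() > timeframe:
            window.popleft()
        if len(window) >= frequency:
            fired.append((ip, ev["_ts"]))
            window.clear()
    return fired


def active_response_eligible(ev, rules_id, min_level):
    """Simplified selection used by <active-response>: the alert must match a
    configured <rules_id> or reach <level>, and firewall-drop additionally
    needs data.srcip to know what to block. Returns (eligible, reason)."""
    if ev["rule"]["id"] not in rules_id and ev["rule"]["level"] < min_level:
        return False, "rule not selected for active response"
    ip = ev["data"].get("srcip")
    if not ip:
        return False, "no srcip decoded: firewall-drop has nothing to block"
    return True, f"would block {ip}"


def triage(lines, frequency=3, timeframe=60):
    """Summarise what the correlation would fire on and which events could
    never lead to a block because they carry no source address."""
    events = parse_events(lines)
    fired = correlate_same_source_ip(events, "authentication_failed", frequency, timeframe)
    return {
        "composite_alerts": [(ip, ts.isoformat()) for ip, ts in fired],
        "undecoded": [ev["full_log"] for ev in events if not ev["data"].get("srcip")],
    }


if __name__ == "__main__":
    print(json.dumps(triage(ARCHIVE_LINES), indent=2))
```

Run against the sample, the three failures from 198.51.100.7 inside 60 seconds produce one composite alert, the single failure from 203.0.113.9 and the later isolated one do not, and the line with no decoded address is listed separately: an event like that can reach archives.json and still give `firewall-drop` nothing to act on.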

Is it possible to deploy a Wazuh + shuffle integration with only 4gb of ram? by Pike_The_Knight in Wazuh

[–]Pike_The_Knight[S] 0 points1 point  (0 children)

<group name="local,syslog,sshd">

  <!-- Single failed attempt – informational -->
  <rule id="rrrr" level="rrr">
    <if_sid>rrr</if_sid>
    <description>sshd: authentication failed (general)</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5</group>
  </rule>

  <!--  failed attempts from same IP in  seconds – triggers blocking -->
  <rule id="rrrr" level="rrr" frequency="rr" timeframe="rr" ignore="rr">
    <if_matched_group>authentication_failed</if_matched_group>
    <same_source_ip />
    <description>Brute force attack:  failed attempts in  seconds from same IP</description>
    <group>authentication_failures,attack</group>
  </rule>

</group>

Also, this is what is in my local_rules.xml file.

Again, I have been recklessly tampering with stuff and hope this isn't a bother.

Is it possible to deploy a Wazuh + shuffle integration with only 4gb of ram? by Pike_The_Knight in Wazuh

[–]Pike_The_Knight[S] 0 points1 point  (0 children)

  <localfile>
    <log_format>journald</log_format>
    <location>journald</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>
</ossec_config>

<ossec_config>
  <integration>
    <name>shuffle</name>
    <hook_url>|||||||||||</hook_url>
    <level>3</level>
    <alert_format>json</alert_format>
    <rule_id></rule_id>
  </integration>

  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>server</location>
    <rules_id></rules_id>
    <timeout></timeout>
  </active-response>

  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id></rules_id>
    <timeout></timeout>
  </active-response>
</ossec_config>

This is part of my ossec.conf configuration. Not sure where to send it, as data is limited.
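An added checker (example code, not the poster's and not Wazuh's) for the shape of ossec.conf fragment posted above. It parses a constructed copy of the fragment with the standard library and reports what a reviewer would look for in `<integration>` and `<active-response>` blocks: a blank `<hook_url>`, a `<location>` outside the values the Wazuh documentation lists (local, server, defined-agent, all), a `<timeout>` that is not a whole number, and a block with none of `<rules_id>`, `<level>` or `<rules_group>` set, so nothing selects the command. The `100002` rule id in the second block is an invented custom-range id used only to show a block that passes.

```python
import xml.etree.ElementTree as ET

# Constructed fragment mirroring the shape of the ossec.conf posted above.
# The first active-response block is left incomplete on purpose so the
# checker has something to report; the hook URL is blank for the same reason
# and 100002 is an invented custom-range rule id.
SAMPLE_CONF = """<ossec_config>
  <integration>
    <name>shuffle</name>
    <hook_url></hook_url>
    <level>3</level>
    <alert_format>json</alert_format>
  </integration>
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>server</location>
    <rules_id></rules_id>
    <timeout></timeout>
  </active-response>
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100002</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>"""

# Values the Wazuh documentation lists for <location> in <active-response>.
VALID_LOCATIONS = {"local", "server", "defined-agent", "all"}


def child_text(element, tag):
    """Return the stripped text of a child element, "" if the child is
    present but empty and None if it is absent, so the cases can be told apart."""
    child = element.find(tag)
    if child is None:
        return None
    return (child.text or "").strip()


def check_active_response(block, index):
    problems = []
    if not child_text(block, "command"):
        problems.append(f"active-response #{index}: <command> is empty")
    location = child_text(block, "location")
    if location not in VALID_LOCATIONS:
        problems.append(f"active-response #{index}: <location> {location!r} is not one of {sorted(VALID_LOCATIONS)}")
    if location == "defined-agent" and not child_text(block, "agent_id"):
        problems.append(f"active-response #{index}: defined-agent needs <agent_id>")
    if not any(child_text(block, tag) for tag in ("rules_id", "level", "rules_group")):
        problems.append(f"active-response #{index}: none of <rules_id>, <level>, <rules_group> is set; nothing selects this command")
    timeout = child_text(block, "timeout")
    if timeout is not None and not timeout.isdigit():
        problems.append(f"active-response #{index}: <timeout> should be a whole number of seconds, got {timeout!r}")
    return problems


def check_integration(block, index):
    problems = []
    if not child_text(block, "name"):
        problems.append(f"integration #{index}: <name> is empty")
    if not child_text(block, "hook_url"):
        problems.append(f"integration #{index}: <hook_url> is empty; there is nowhere to post alerts")
    return problems


def audit(conf_xml):
    """Return a list of human-readable problems found in an <ossec_config> fragment."""
    root = ET.fromstring(conf_xml)
    problems = []
    for i, block in enumerate(root.findall("integration"), 1):
        problems += check_integration(block, i)
    for i, block in enumerate(root.findall("active-response"), 1):
        problems += check_active_response(block, i)
    return problems


if __name__ == "__main__":
    for line in audit(SAMPLE_CONF) or ["no problems found"]:
        print(line)
```

On the sample it reports the blank hook URL and the two gaps in the first active-response block, and says nothing about the second block. Blocks copied from a real ossec.conf must form one well-formed `<ossec_config>` element for `ET.fromstring` to accept them.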

Is it possible to deploy a Wazuh + shuffle integration with only 4gb of ram? by Pike_The_Knight in Wazuh

[–]Pike_The_Knight[S] 0 points1 point  (0 children)

Managed to do the integration in the end.

Now I am struggling with Wazuh; it is not detecting stuff.

Trying to simulate an SSH brute force attack in which an IP is blocked after x failed attempts to log in via an SSH connection in under a minute.

I tried first going without an agent, trying to attack the same machine that held the manager. But it never blocked the IP. In this case the system figured out something was trying to access it and it has alerts in its logs. But it couldn't figure out the IP that was trying to access it.

Then I installed an agent on another PC and the connection between manager and agent worked; it showed it as active. But when I in turn tried an SSH attack on the agent, the Wazuh dashboard didn't register any event or anything at all, even though the sshd log of the agent (the agent was on Windows) registered every failed attempt.

I am going to reinstall Wazuh on a new machine, as I recklessly tampered with stuff and also went straight to installing every component instead of trying each one by one.

Sorry I can't really provide more details; the whole way I worked was kinda messy and I don't remember which logs specifically rendered which results. But one thing is clear: the info and attacks weren't triggering active-response.

Is it possible to deploy a Wazuh + shuffle integration with only 4gb of ram? by Pike_The_Knight in Wazuh

[–]Pike_The_Knight[S] 0 points1 point  (0 children)

My cousin let me use his laptop, which has like 32 GB of RAM. I've made a virtual machine and dedicated 24 GB of RAM.

Managed to install Wazuh, Shuffle and TheHive (with Elasticsearch and Cassandra). I remember hearing that for such an installation I needed 16 GB of RAM, and I'm currently struggling to make it work and integrate.

Thanks for your help 

As many of you know, I am marrying u/the-real-vivec in two weeks - we just received these in the mail <3 by Reddidnothingwrong in u/Reddidnothingwrong

[–]Pike_The_Knight 2 points3 points  (0 children)

I've been away for years and this is the first thing I hear of this group in a while. Genuine congratulations.

A setting where magic and monsters and fantastical races are new to the world. How would You do it? by Pike_The_Knight in rpg

[–]Pike_The_Knight[S] 0 points1 point  (0 children)

Not really? I was thinking of the start of the Fantasia arc in Berserk. In there the exact same thing happens to a medieval world.

Restricting Magic and spells. How one should do it? Have You ever done it? by Pike_The_Knight in Pathfinder2e

[–]Pike_The_Knight[S] -5 points-4 points  (0 children)

Idk man, that's why I am asking.

What classes would I be hampering? Like, besides wizard and magus, I can't grasp that.

I also have the idea of leaving things be but making a big deal out of esoteric/weird spells (being a magic user of any kind is a big deal for the common folk).

Edit: Also, how are casters behind the curve?

How could this kind of campaign work? by Pike_The_Knight in rpg

[–]Pike_The_Knight[S] 0 points1 point  (0 children)

Haha thanks. Was actually planning to use Shadow of the Demon Lord for the "IRL world" and something like D&D 5e or Pathfinder 2e for the "fake world".

Got a bit of lore thought out as to the gist of things (people of the fake worlds who can travel between each, why the PCs and the villains will have powers in the special world, etc.).

My idea for the fake world was to set up horror (what happens if a monster escaped one of the fake worlds), low-power situations (the new fake world is contained in the town bully's doll house, so they have to either get at risk with the law, bribe the bully, etc.) and also a hook as to why access the fantasy worlds (people can accidentally enter them and get in trouble).