Jean - I am triggering the built-in Malware security event (ID 2000000) and a custom Command-and-Control security event (ID 2000001). This is all done on the Security Onion master node with Elastalert. The Elastalert rules are set up to call a python script which triggers the security event via PacketFence's API.
I can't help with Wazuh. I have very little experience with it -- none of which involves the active response capability.

Max

--
Max McGrath <http://www.linkedin.com/in/max-mcgrath-a299124b>
Infrastructure and Security Manager
Carthage College
262-551-6666
mmcgr...@carthage.edu

On Mon, Apr 13, 2020 at 12:36 AM Jean Matar <jean.ma...@net.usj.edu.lb> wrote:
> Dear Max,
>
> Thank you for your reply!
>
> Your scenario makes a lot of sense and is similar to what I intend to do (except the active response part). Can you please provide an example of the security events that are being triggered in PF? Are they configured through the SO API?
>
> To explain myself in a better way, we intend to use the active response feature of Wazuh (https://documentation.wazuh.com/3.12/user-manual/capabilities/active-response/index.html?highlight=response) that will allow us to trigger a script on one or several machines. The idea, for example, would be to change a certain policy whenever a critical alert is triggered on the network (for example, adding a WMI integrity check to the 802.1X authentication).
>
> Ideally, if that process can be done through the command line, I should be able to write it in a script and trigger that through Wazuh.
>
> I hope you can help me in any way. I look forward to hearing back from you.
>
> Best Regards
>
> Jean Matar
> Cybersecurity Masters Student – USJ
> jean.ma...@net.usj.edu.lb
>
> Sent from Mail for Windows 10
>
> *From: *Max McGrath <mmcgr...@carthage.edu>
> *Sent: *Monday, April 13, 2020 3:23 AM
> *To: *ML PF <packetfence-users@lists.sourceforge.net>
> *Cc: *Jean Matar <jean.ma...@net.usj.edu.lb>
> *Subject: *Re: [PacketFence-users] Packetfence integration with Wazuh
>
> Jean -
>
> I'm not sure if this fits your use case or not, but we run Security Onion (SO) and PacketFence (PF) on our network and have them work together.
>
> SO comes with the ELK stack built in. I am currently using Elastalert (part of Elasticsearch) to trigger security events in PF via its API. I currently have alerts based on IDS signatures and Palo Alto traffic data (mainly URL Filtering alerts).
>
> I do use Wazuh, but am not currently triggering any PF security events based on its data. SO has the Wazuh manager installed by default and you can easily add Wazuh agents to systems on your network. This may be worth a look (unless I'm completely missing what your goal is...).
>
> Max
>
> --
> Max McGrath <http://www.linkedin.com/in/max-mcgrath-a299124b>
> Infrastructure and Security Manager
> Carthage College
> 262-551-6666
> mmcgr...@carthage.edu
>
> On Sat, Apr 11, 2020 at 9:57 PM Jean Matar via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>> Hello all!
>>
>> My name is Jean and I am a cyber security master's student. As a project we were assigned the task of checking whether we could integrate Wazuh (https://wazuh.com/ -- "Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance.") with PacketFence, as a way to check for anomalies on a device upon registration, and for corrective actions from the SIEM solution on to PacketFence.
>>
>> Does anyone have any information regarding the matter and whether it is possible?
>>
>> Any help is much appreciated!
>>
>> Thank you for your assistance
>>
>> Regards
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
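A sketch of the hook Max describes at the top of the thread (an Elastalert rule running a Python script that applies security event 2000000 or 2000001 through the PacketFence API), written here as an added example; it is neither Max's script nor PacketFence's own code. The Elastalert side is assumed to be a rule with `alert: command`, `pipe_match_json: true` and the rule tag (`malware` or `c2`) as the command's single argument. On the PacketFence side, the paths `/api/v1/login`, `/api/v1/ip4logs/ip2mac/{ip}` and `/api/v1/node/{mac}/apply_security_event`, the `{"token": ...}` and `{"item": {"mac": ...}}` response shapes, the `PF_URL`/`PF_USER`/`PF_PASS` environment variables and the tag-to-event mapping are all assumptions to check against the API documentation of your PacketFence version; the match fields used below are constructed.

```python
"""Elastalert 'command' alert hook that applies a PacketFence security event.
Added example, not the thread's script; items marked "assumed" need checking."""
import ipaddress
import json
import os
import sys
import urllib.request

# IDs from the thread: 2000000 = built-in Malware, 2000001 = custom C2 event.
# The rule-tag -> ID mapping itself is an assumption for this example.
EVENT_IDS = {"malware": 2000000, "c2": 2000001}

PF_LOGIN_PATH = "/api/v1/login"                            # assumed
PF_IP2MAC_PATH = "/api/v1/ip4logs/ip2mac/"                 # assumed
PF_APPLY_PATH = "/api/v1/node/{mac}/apply_security_event"  # assumed

# Fields an IDS or firewall match may carry the endpoint address in, by priority.
IP_FIELDS = ("source_ip", "src_ip", "dest_ip", "destination_ip", "client_ip")

def pick_event_id(rule_tag):
    # Unknown tags give None, so a mistyped rule never applies an arbitrary event.
    return EVENT_IDS.get(rule_tag.strip().lower())

def extract_victim_ip(match, fields=IP_FIELDS):
    """Return the first private, non-loopback address in the match. A C2 alert
    names both the internal host and the external server; only the internal one
    (assumed to live in private space; is_private also covers IANA documentation
    ranges such as 203.0.113.0/24) should be quarantined."""
    for field in fields:
        value = match.get(field)
        if value is None:
            continue
        try:
            addr = ipaddress.ip_address(str(value))
        except ValueError:
            continue
        if addr.is_private and not addr.is_loopback and not addr.is_unspecified:
            return str(addr)
    return None

def http_json(method, url, body=None, headers=None, timeout=10):
    # Stdlib JSON-over-HTTPS transport; TLS certificate verification stays on.
    data = json.dumps(body).encode() if body is not None else None
    hdrs = {"Content-Type": "application/json", **(headers or {})}
    req = urllib.request.Request(url, data=data, method=method, headers=hdrs)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

class PacketFenceClient:
    """Logs in once, then applies events by MAC; the transport is injectable
    so the decision logic can be exercised offline."""

    def __init__(self, base_url, username, password, transport=http_json):
        self.base_url = base_url.rstrip("/")
        self._creds = {"username": username, "password": password}
        self._transport = transport
        self._token = None

    def _auth(self):
        if self._token is None:  # assumed: login returns {"token": "..."}
            resp = self._transport("POST", self.base_url + PF_LOGIN_PATH, body=self._creds)
            self._token = resp["token"]
        return {"Authorization": "Bearer " + self._token}

    def ip_to_mac(self, ip):
        # Assumed response shape: {"item": {"mac": "aa:bb:cc:dd:ee:ff"}}.
        resp = self._transport("GET", self.base_url + PF_IP2MAC_PATH + ip, headers=self._auth())
        return (resp.get("item") or {}).get("mac")

    def apply_security_event(self, mac, event_id):
        url = self.base_url + PF_APPLY_PATH.format(mac=mac)
        return self._transport("POST", url, body={"security_event_id": event_id}, headers=self._auth())

def trigger_from_match(client, match, rule_tag):
    """Apply the rule's event to the node behind the match's internal IP; return
    what was applied, or None (making no API call) if the tag or IP is unusable."""
    event_id = pick_event_id(rule_tag)
    ip = extract_victim_ip(match)
    if event_id is None or ip is None:
        return None
    mac = client.ip_to_mac(ip)
    if not mac:
        return None
    client.apply_security_event(mac, event_id)
    return {"ip": ip, "mac": mac, "security_event_id": event_id}

def main(argv=None):
    argv = sys.argv[1:] if argv is None else argv
    if len(argv) != 1:
        sys.exit("usage: pf_trigger.py <malware|c2>  (Elastalert match JSON on stdin)")
    # Elastalert pipes the match as JSON with pipe_match_json: true; credentials
    # come from the environment, never from the rule's argv.
    match = json.load(sys.stdin)
    client = PacketFenceClient(os.environ["PF_URL"], os.environ["PF_USER"], os.environ["PF_PASS"])
    print(json.dumps(trigger_from_match(client, match, argv[0])))

if __name__ == "__main__":
    main()
```

Two points worth keeping when adapting this. The private-address filter is what stops a Command-and-Control alert from applying the event to the external server's address instead of the internal host, since Suricata-style matches carry both ends of the flow; if your endpoints are not in private space, replace that test with a check against your own subnets. And because this script can quarantine any node PacketFence knows about, the account behind PF_USER should be a dedicated PacketFence admin role limited to security-event operations rather than a full administrator, with the Security Onion node's access to the PF API restricted at the network level as well.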