1. What are CDB Lists?
CDB lists in Argus allow you to create custom databases that can be referenced in rules to determine whether certain data (such as an IP address or a hostname) matches an entry in the list. This enables dynamic and scalable rule management by offloading large datasets into external lists.
Use Cases for CDB Lists:
- Blacklisting or whitelisting IP addresses.
- Managing threat intelligence feeds (e.g., bad actor IPs or malicious domains).
- Handling large lists of known good or bad indicators (e.g., file hashes, URLs, etc.).
2. Location of CDB Lists
The CDB lists are stored in the directory:
/var/ossec/etc/lists/
You can create multiple CDB list files within this directory. Each file contains entries that Argus can reference while evaluating rules.
3. Creating a CDB List
To create a new CDB list, follow these steps:
- Create a new file under the /var/ossec/etc/lists/ directory, for example:
sudo nano /var/ossec/etc/lists/blacklist_ips.txt
- Add the list entries, one per line (an IP address, a domain, and so on). For example, to flag specific IPs:
192.168.1.10
203.0.113.25
172.16.45.78
4. Referencing CDB Lists in Rules
After creating the CDB list, you can reference it in Argus rules to dynamically match logs against the list.
Here’s how you can modify a rule to use a CDB list:
<rule id="100005" level="12">
  <field name="srcip">$(blacklist_ips)</field>
  <description>Access from blacklisted IP address</description>
  <group>blacklist, security_event</group>
  <pci_dss>10.2.5</pci_dss>
</rule>
In this rule:
- field name="srcip": the source IP extracted from the log is the value being compared.
- $(blacklist_ips): references the blacklist_ips CDB list. If the log's source IP matches any entry in that list, the rule triggers.
5. Managing CDB Lists
You can create, modify, or delete entries from the CDB lists as needed. To modify an existing CDB list, simply edit the corresponding file under /var/ossec/etc/lists/.
For example, to remove or add an IP address to a blacklist, just edit the blacklist_ips.txt file:
sudo nano /var/ossec/etc/lists/blacklist_ips.txt
Then, add or remove IPs as necessary, and save the file.
6. Testing and Applying CDB Lists
After configuring a CDB list and referencing it in a rule:
- Restart the Argus manager to apply the changes:
sudo systemctl restart argus-manager
- Monitor alerts: Check the /var/ossec/logs/alerts/alerts.log file to see if the rule triggers based on entries in the CDB list.
7. CDB List Types
CDB lists can be used with various types of fields in logs:
- IP addresses: You can blacklist or whitelist specific IPs.
- Domains: Handle domain-based indicators for phishing or malware sites.
- Hashes: Track file hashes for known malware or trusted files.
Example of a domain-based CDB list:
badsite.com
malicious-domain.net
phishing.com
8. Integrating Threat Intelligence Feeds
CDB lists are particularly useful for integrating external threat intelligence feeds. You can regularly update your CDB lists with IPs or domains from external threat feeds and apply them in your Argus rules.
Example: If you have a daily feed of malicious IPs, you can configure a script to automatically update the blacklist_ips.txt CDB list with the latest data.
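The following is an added example, not a script shipped with Argus, covering sections 4, 7 and 8 together: it validates feed entries by list type (IP, domain or hash), merges a daily feed into blacklist_ips.txt with an atomic write so the manager never reads a half-written file, and then replicates the srcip lookup the rule above performs against a few sample log records. It assumes the one-entry-per-line format shown on this page; the feed, the log records, the directory used by demo() and the treatment of lines starting with "#" as comments are assumptions constructed for the example.

```python
"""Maintain an Argus CDB list from a threat feed and test lookups against it.

Added example (not Argus's own tooling). It assumes the one-entry-per-line
list format shown on this page; the feed text, log records and the temporary
directory used by demo() are constructed for the demonstration, and treating
lines that start with "#" as comments is an assumption of this script.
"""
import ipaddress
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Set, Tuple

# Accepted entry shapes per list type (section 7): IPs, domains, file hashes.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)
HASH_RE = re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$")  # md5/sha1/sha256


def normalize(entry: str, list_type: str) -> Optional[str]:
    """Return the canonical form of one entry, or None if it is blank, a comment or invalid."""
    entry = entry.strip().lower()
    if not entry or entry.startswith("#"):
        return None
    if list_type == "ip":
        try:
            return str(ipaddress.ip_address(entry))  # canonical text form (IPv4 or IPv6)
        except ValueError:
            return None
    if list_type == "domain":
        return entry if DOMAIN_RE.match(entry) else None
    if list_type == "hash":
        return entry if HASH_RE.match(entry) else None
    raise ValueError(f"unknown list type: {list_type}")


def parse_list(text: str, list_type: str) -> Tuple[Set[str], List[str]]:
    """Split a list body into the set of valid entries and the lines that were rejected."""
    valid: Set[str] = set()
    rejected: List[str] = []
    for line in text.splitlines():
        canon = normalize(line, list_type)
        if canon is not None:
            valid.add(canon)
        elif line.strip() and not line.lstrip().startswith("#"):
            rejected.append(line)  # non-empty, not a comment, but malformed
    return valid, rejected


def merge_feed(list_path: Path, feed_text: str, list_type: str = "ip") -> Set[str]:
    """Merge feed entries into the CDB list file and return the resulting entry set.

    Malformed feed lines are reported and dropped rather than written into the
    list. The file is replaced atomically (temp file + rename) so a reader only
    ever sees the old list or the complete new one.
    """
    existing = list_path.read_text() if list_path.exists() else ""
    current, _ = parse_list(existing, list_type)
    incoming, rejected = parse_list(feed_text, list_type)
    for bad in rejected:
        print(f"rejected feed line: {bad!r}")
    merged = current | incoming
    list_path.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=list_path.parent, prefix=".cdb-")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(sorted(merged)) + "\n")
    os.chmod(tmp, 0o640)  # mkstemp creates 0600; relax to a group-readable mode
    os.replace(tmp, list_path)
    return merged


def matching_srcips(log_records: List[Dict[str, str]], entries: Set[str]) -> List[str]:
    """Replicate the rule's lookup: return the srcip values that appear in the list."""
    hits: List[str] = []
    for rec in log_records:
        ip = normalize(rec.get("srcip", ""), "ip")
        if ip is not None and ip in entries:
            hits.append(ip)
    return hits


# --- constructed demo data (not a real feed) ---
FEED = """# daily feed, constructed for the example
203.0.113.25
198.51.100.7
not-an-ip
999.1.1.1
"""
LOGS = [
    {"srcip": "203.0.113.25", "user": "alice"},
    {"srcip": "198.51.100.7", "user": "bob"},
    {"srcip": "192.0.2.1", "user": "carol"},
]


def demo(list_dir: Optional[Path] = None) -> List[str]:
    """Seed a list with the page's three IPs, merge the feed, and run the lookup."""
    if list_dir is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(Path(d))
    path = list_dir / "blacklist_ips.txt"  # would be /var/ossec/etc/lists/ in production
    path.write_text("192.168.1.10\n203.0.113.25\n172.16.45.78\n")
    entries = merge_feed(path, FEED)
    return matching_srcips(LOGS, entries)


if __name__ == "__main__":
    print(demo())  # prints the two sample srcips that would trigger rule 100005
```

Running the script against a real feed would be followed by the manager restart from section 6, since the list is only re-read when Argus reloads its configuration. The validation step matters because a malformed line written into the list silently never matches anything, which is a detection gap that is hard to notice from alerts.log alone.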