Action to block IP address


(Blason) #1

Hi Team,

Wondering if graylog can send or execute commands through API to third party system? I mean as an action I can fire up APT command to my firewall and have that firewall block IP?

If yes can someone please guide me how to?


(Jan Doberstein) #2

It depends on your firewall, but what I know:

  • create a stream that will contain only the messages that you want to forward to the firewall
  • create http output for that stream
  • now use processing pipelines to filter out the messages you need and route them into the first created stream

You might need to heavily modify the messages in the stream with the output to be able to act on your firewall accordingly.


(Blason) #3

hmm…man slow down :slight_smile: I am pretty novice. :wink:

Any ways let me scratch the head and see what can be done.

Thanks a lot for your quick help.

BTW other one. I have certain malicious domains and have those ready in csv format since I am taking DNS logs in graylog wondering if lookup table can translate and highlight those malicious domains from logs?


(Philipp Ruland) #4

Hey @blason,

Have a look at
http://docs.graylog.org/en/2.4/pages/lookuptables.html
and
http://docs.graylog.org/en/2.4/pages/pipelines/functions.html#lookup

Simple use the lookup function in the when part of a rule. If a message matches in the CSV lookup table, then set a field like set_field(field: "maliciousDomain", value: true) or if you have data in your CSV file that you want in the message, simply do
set_fields(fields: lookup(lookup_table: "myTable", key: $message.websiteIP,))

Example (not tested!):

rule "isMaliciousDomain"
when
    lookup_value("myTable", $message.websiteIP) == true //Select a field that you can check here as single value return
then
    set_fields(fields: lookup(lookup_table: "myTable", key: $message.websiteIP));
end

Greetings,
Philipp


(system) #5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.