Open joshnguyen08 opened 3 days ago
Rule #1 - this allows for DNS lookups; it should be OK.
Rule #2 - allows internal communication in the victim subnet.
Rule #3 - allows access to seconion and Wazuh to send logs.
- Disabled, and added two new rules: allow only TCP 1514 destination to seconion, and allow only TCP 55000 destination to seconion. Both rules allow Wazuh agents to function.
Rule #4 - Splunk forwarding rule.
- Disabled, and added two new rules: allow only TCP 9997 destination to Splunk, and allow TCP 8089. Both rules allow Splunk to receive the necessary data from the forwarder.
Rule #5 / #6 - allow HTTP/HTTPS access.
Rule #7 - final rule to block all other traffic from the victim network subnet.
Added 4 firewall rules and disabled two of the above.
Updated firewall for victim interface:
How to check:
Check the Wazuh server to see if the active connection is still maintained - checked, and it is good.
Check the Splunk universal forwarder to see if logs are still being sent - checked via Kibana, and it still shows traffic from the victim subnet being sent over; real-time data logging is still being sent.
Snapshot taken of both VMs.
Secure 192.168.3.0/24 itself so it is contained and does not leak to other subnets or the core pfSense network.
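As an added example (not part of the post), a first-match model of the egress policy described above, so the effect of disabling the two broad rules and of rule order can be checked against sample flows before trusting the live Wazuh/Splunk test. The seconion and Splunk addresses are assumed placeholders; the post does not give them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed placeholder addresses (the post does not give them).
VICTIM_NET = ipaddress.ip_network("192.168.3.0/24")
SECONION = ipaddress.ip_network("192.168.1.10/32")
SPLUNK = ipaddress.ip_network("192.168.1.20/32")

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "pass" or "block"
    proto: Optional[str] = None                   # None = any protocol
    dst: Optional[ipaddress.IPv4Network] = None   # None = any destination
    dport: Optional[int] = None                   # None = any port
    disabled: bool = False                        # disabled rules never match

    def matches(self, proto: str, dst_ip: ipaddress.IPv4Address, dport: int) -> bool:
        return (not self.disabled
                and (self.proto is None or self.proto == proto)
                and (self.dst is None or dst_ip in self.dst)
                and (self.dport is None or self.dport == dport))

# Rule order as listed in the post. Source is implicitly the victim subnet,
# since pfSense evaluates interface rules on traffic entering that interface.
RULES = [
    Rule("1 dns", "pass", "udp", None, 53),
    Rule("1 dns tcp", "pass", "tcp", None, 53),
    Rule("2 intra-subnet", "pass", None, VICTIM_NET),
    Rule("3 old seconion any", "pass", None, SECONION, disabled=True),
    Rule("3a wazuh agent", "pass", "tcp", SECONION, 1514),
    Rule("3b wazuh api", "pass", "tcp", SECONION, 55000),
    Rule("4 old splunk any", "pass", None, SPLUNK, disabled=True),
    Rule("4a splunk forwarder", "pass", "tcp", SPLUNK, 9997),
    Rule("4b splunk mgmt", "pass", "tcp", SPLUNK, 8089),
    # 5/6 as described pass 80/443 to any destination, other subnets included.
    Rule("5 http", "pass", "tcp", None, 80),
    Rule("6 https", "pass", "tcp", None, 443),
    Rule("7 block rest", "block"),
]

def evaluate(proto: str, dst: str, dport: int, rules=RULES):
    """First-match evaluation; returns (action, name of the matching rule)."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(proto, dst_ip, dport):
            return rule.action, rule.name
    return "block", "implicit default deny"
```

Probing a flow that the old broad rule #3 would have passed (for example TCP 22 to seconion) now lands on rule #7, which confirms the disable took effect.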