active-response windows issue: I believe the issue is that "How to add a Null route in windows" itself doesn't work.


Yolanda Prieto

Dec 14, 2017, 2:02:57 PM
to Wazuh mailing list
Hi All, I need your help.

I am working with wazuh windows agents 3.0.0 (on Windows 10) and wazuh-manager 2.2.1 (on centos7)

The active-response firewalld-drop in Linux (centos7, service firewalld) is working well.

The issue I have with the active-response in Windows is that the route-null.cmd shell does not block the offender IP.

I was trying to do it by command line, based on the advice in this link:
https://www.beaming.co.uk/support/internet-and-connectivity/how-to-add-a-null-route-in-windows/

route add X.X.X.X mask Y.Y.Y.Y Z.Z.Z.Z metric 1 -p

Where X.X.X.X and Y.Y.Y.Y are the IP range and subnet mask you wish to null route, and Z.Z.Z.Z is a spare unallocated IP address on your local network.

In my case, for example, if you wish to null route the IP address 128.9.55.101 and you have a spare unallocated IP address of 128.9.55.123 on your local area network, then you would enter:

route add 128.9.55.101 mask 255.255.255.255 128.9.55.123 metric 1 -p


After that I can still ping the address 128.9.55.101.
This IP address 128.9.55.101 does not get blocked.

I believe the issue is that "How to add a Null route in windows" itself doesn't work.

Do you have some similar reports to this?

When I try using /var/ossec/bin/agent_control -b 128.9.55.155 -f win_route-null0 -u 027

The win_route-null0 gets launched in the agent, and I can see it in the active-response.log on that Windows agent.
When I run route print on that Windows agent (IP 128.9.55.155)

I can see the route in the route table:
Network Destination   Netmask            Gateway         Interface      Metric
128.9.55.101          255.255.255.255    128.9.55.123    128.9.55.155      51


After that I can still ping the address 128.9.55.101.
This IP address 128.9.55.101 does not get blocked.

Any idea how to deal with this issue?

Thanks and regards
  Yolanda
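A check for the situation described above, added here as an example and not part of the thread: it parses the IPv4 table that route print writes (a constructed sample built around the 128.9.55.101 entry from the post) and reports whether the target has a host route and whether that route's gateway lies inside an on-link network of the same interface, which is what the spare-address null-route trick depends on.

```python
import ipaddress
import re

# Constructed sample of the IPv4 section of a Windows `route print`, with the
# 128.9.55.101 host route from the post as the route-null response adds it.
ROUTE_PRINT_SAMPLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       128.9.55.1     128.9.55.155     25
       128.9.55.0    255.255.255.0         On-link      128.9.55.155    281
     128.9.55.101  255.255.255.255     128.9.55.123     128.9.55.155     51
===========================================================================
"""
# One data row: destination, netmask, gateway, interface, numeric metric.
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_routes(text):
    """Return the data rows of a route print IPv4 table as dicts."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, separator and column-header lines
        dest, mask, gateway, iface, metric = m.groups()
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            ipaddress.ip_address(iface)
        except ValueError:
            continue
        routes.append({"network": net, "gateway": gateway,
                       "interface": iface, "metric": int(metric)})
    return routes

def null_route_status(text, target):
    """Is target /32-routed, and is its gateway inside an on-link network of the
    same interface (the black hole relies on an unallocated on-link next hop)?"""
    routes = parse_routes(text)
    want = ipaddress.ip_network(f"{target}/32")
    host = [r for r in routes if r["network"] == want]
    if not host:
        return {"present": False}
    r = host[0]
    on_link = [o["network"] for o in routes
               if o["gateway"] == "On-link" and o["interface"] == r["interface"]]
    try:  # an "On-link" host route would not black-hole anything
        gw_ok = any(ipaddress.ip_address(r["gateway"]) in n for n in on_link)
    except ValueError:
        gw_ok = False
    return {"present": True, "gateway": r["gateway"], "metric": r["metric"],
            "gateway_on_link": gw_ok}
```

Feed it the real output of route print on the agent to confirm the active response installed the route before looking elsewhere for why traffic still gets through.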


Yolanda Prieto

Jan 17, 2018, 1:24:29 PM
to Wazuh mailing list

Hi Team

Could somebody help me with this old question?
Any advice will be very much appreciated.
Regards
 Yolanda Prieto



yol...@saitechnology.com

Jan 17, 2018, 3:58:18 PM
to Yolanda Prieto, Wazuh mailing list


Hi Guys,
I am sorry.

My browser froze and I clicked the post button several times, and
this email/question was delivered several times.

I am sorry about that.

Regards
Yolanda Prieto.





On 2018-01-17 11:24, Yolanda Prieto wrote:
> Hi Team
>
> Could somebody help me with this old question?
> Any advice will be very much appreciated.
> Regards
> Yolanda Prieto
>
> On Thursday, December 14, 2017 at 11:02:57 AM UTC-8, Yolanda Prieto
> wrote:
>
>> Hi All, I need your help.
>>
>> I am working with wazuh windows agents 3.0.0 (on Windows 10) and
>> wazuh-manager 2.2.1 (on centos7)
>>
>> The active-response firewalld-drop in Linux (centos7, service
>> firewalld) is working well.
>>
>> The issue I have with the active-response in Windows is that the
>> route-null.cmd shell does not block the offender IP.
>>
>> I was trying to do it by command line, based on the advice in this
>> link:
>>
>> https://www.beaming.co.uk/support/internet-and-connectivity/how-to-add-a-null-route-in-windows/

Miguelangel Freitas

Jan 30, 2018, 11:17:57 AM
to yol...@saitechnology.com, Yolanda Prieto, Wazuh mailing list
Hi Yolanda,

Sorry for the really late reply.

The route-null.cmd command is designed to run locally on the Windows agent and will block incoming requests from a certain IP address to the agent. The Manager sends the active response command, but this actually runs on the target agent.

Can you try to run the same but adding a source IP address you want to block, and then try to make ICMP ping requests from that host, for example:

/var/ossec/bin/agent_control -b 128.9.55.155 -f win_route-null0 -u 027

Next, try to ping from the 128.9.55.155 host to the IP address of agent id 027.

Let us know how it works, thanks!

Regards,

Miguelangel Freitas
