how to start active response for multiple agents (but not for all of them)


mauro....@cmcc.it

May 17, 2021, 12:16:40 PM
to Wazuh mailing list
Dear Users,

in our environment, we have two kinds of server groups:

group A: FTP servers
group B: Proxy servers

I would like to start the same active response on every FTP server when an alert is fired on one of them. How can I do it?

I noticed that I can set <location>all</location> in the active response block, but it works for every agent, not for a subset of them.

Thank you,
Mauro

Cesar Moreno

May 17, 2021, 1:28:28 PM
to Wazuh mailing list
Hello Mauro,
Thank you for posting on the Wazuh mailing list. Hope you are very well.

As you can see in the following AR (<active-response>) FAQs, you can use the <location> option to execute the response only for particular hosts.

For example, if the agent you want to monitor is #032:

If the application that interfaces with your edge firewall runs on one of your agents, you might have a firewall-block-edge command that runs a script on that agent to blacklist an offending IP on the edge firewall.

defined-agent: This runs the command on a specific agent identified by agent_id.

agent_id: Specifies the ID of the agent on which to execute the active response command (used when defined-agent is set).

<active-response>
  <disabled>no</disabled>
  <command>host-deny</command>
  <location>defined-agent</location>
  <agent_id>032</agent_id>
  <level>10</level>
  <rules_group>sshd,|pci_dss_11.4,</rules_group>
  <timeout>1</timeout>
</active-response>

Hope this helps, any questions, please let me know. I'm glad to help.

Kind regards,
Cesar Moreno.

Mauro Tridici

May 17, 2021, 2:02:44 PM
to Cesar Moreno, Wazuh mailing list
Hello Cesar,

thank you very much for your answer.
I really appreciated your solution, but, unfortunately, the edge firewall is not managed by us (we are “guests” in a university network).
So, I was trying to “centralize” the active responses: one agent detects the threat, all the agents of the same group defend themselves in the same way.

Do you think that I can create (on the Wazuh manager) a bash script that makes adequate use of the existing Wazuh binaries and forces / distributes the active response to a specific list of agents?
I may be asking too much.

Thank you in advance.
Kind Regards,
Mauro




Cesar Moreno

May 18, 2021, 6:06:07 PM
to Wazuh mailing list
Hello Mauro,
OK, so as I understood, you don't have all those servers in the same group with the Wazuh agent installed on them, so you are unable to add them to <active-response>.
Unfortunately, it's not possible to send a reaction to its group members when only one of them has reacted to the trigger, but you can react to the same event by adding the location/agent IDs that belong to this group for this Active Response configuration.

Alternatively, you can use your own scripts if you want to execute something different, such as ssh remote access for example, but it's not an option if you don't manage the systems.

https://documentation.wazuh.com/current/user-manual/capabilities/active-response/remediation-faq.html#can-i-use-a-custom-script-for-active-responses

You can create your own script and configure a command and active response to refer to it. Keep in mind that AR follows a specific arguments syntax when running scripts. The arguments are inserted in this order:

<SCRIPT-NAME> <ACTION> <USER> <IP> <ALERT-ID> <RULE-ID> <AGENT> <FILENAME>

Some considerations:

  • <SCRIPT-NAME> is the name of the script file that is going to be run.

  • <ACTION> can be delete or add.

  • <USER> is the user name. It can be - if not set.

  • <IP> is the source IP. It can be - if not set.

  • <ALERT-ID> is the alert ID (unique for every alert).

  • <RULE-ID> is the rule ID.

  • <AGENT> is the agent ID or hostname.

  • <FILENAME> is the source path file of the log that triggered the alert (if it exists).

I'd like to understand a little bit more about your environment: how do you manage those systems where you want to react, and have you installed the Wazuh agent on them?

Hope this helps.

I look forward to your feedback.

Kind regards,
Cesar Moreno.

Mauro Tridici

May 18, 2021, 6:39:41 PM
to Cesar Moreno, Wazuh mailing list
Hello Cesar,

thank you very much for your availability and patience.
I will try to briefly describe my environment and explain my problem.

Basically, our environment is composed of:

- 5 FTP servers 
- 2 HTTP servers

On each server, I installed the latest version of the Wazuh Agent. All 7 servers are managed by our IT team and monitored by Wazuh Manager v.4.1.4.
Only the physical edge firewall is not managed by our IT team (so, we can’t change the existing firewall policies).

I created two host groups named “ftp” and “web”:

- 5 FTP servers belong to “ftp” and “default” Wazuh groups 
- 2 HTTP servers belong to “web” and “default” Wazuh groups

At this moment, I’m using this policy and it is working as expected:

 <active-response>
   <disabled>no</disabled>
   <command>firewall-drop</command>
   <location>all</location>
   <rules_id>100100</rules_id>
   <timeout>600</timeout>
 </active-response>

 <active-response>
   <disabled>no</disabled>
   <command>firewall-drop</command>
   <location>all</location>
   <rules_group>attack|web|accesslog|syslog|elevation_of_privilege|exploit_attempt|sshd|errors|vuls|vulnerability-detector|invalid_access|attacks|agent_flooding|syscheck|service_availability|linuxkernel|named|modsecurity|access_denied|apache|virustotal|sysmon_process-anomalies|ids|fortigate|recon|sudo|telnetd|dovecot|vsftpd|web_sna|sql_injection|invalid_request|nginx|dropbear|audit_daemon|sqlserver|wazuh|rootcheck|login_time|policy_violation|login_day|sca|oscap|oscap-report|oscap-result|ciscat|adduser|appsec|low_diskspace|ossec|syscheck|syscheck_entry_modified|syscheck_file|agentless|wordpress|checkpoint_smart1|gsad|openvasmd|firewall|firewall_drop|invalid_login|access_denied|ftpd|nginx|local|systemd|time_changed|audit_anom|openvpn|firewall_block|mysql_audit|mariadb|incident_response|it_compliance|hardware_monitoring|osquery|freeipa|docker|docker-error|active_response|ossec|connection_attempt|authentication_success|pam|yum|upgrade|nfs|su|postfix|dhcp|groupdel|authentication_failed|authentication_failures</rules_group>
   <level>8</level>
   <timeout>600</timeout>
 </active-response>


 <active-response>
   <repeated_offenders>15,30,60,120,180</repeated_offenders>
 </active-response>


My target: 

Now, I would like to split this active response policy in two blocks: 1 block (with level 8) for all FTP servers and 1 block (with level 12) for HTTP servers.
My ideal workflow should be the following one:

- if a “bad” IP is detected by one of FTP servers, all the FTP servers block the same IP;
- if a “bad” IP is detected by one of HTTP servers, all the HTTP servers block the same IP;

I know that I can split the active response block mentioned above into multiple blocks (one block for each agent), but, in this way, I will lose the very interesting “<location>all</location>” feature.
It would be nice if I had the possibility to change the current location (all) to the host group name.
For example:

 <active-response>
   <disabled>no</disabled>
   <command>firewall-drop</command>
   <location>ftp</location>
   <rules_id>100100</rules_id>
   <timeout>600</timeout>
 </active-response>

 <active-response>
   <disabled>no</disabled>
   <command>firewall-drop</command>
   <location>ftp</location>
   <rules_group>attack|web|accesslog|syslog|elevation_of_privilege|exploit_attempt|sshd|errors|vuls|vulnerability-detector|invalid_access|attacks|agent_flooding|syscheck|service_availability|linuxkernel|named|modsecurity|access_denied|apache|virustotal|sysmon_process-anomalies|ids|fortigate|recon|sudo|telnetd|dovecot|vsftpd|web_sna|sql_injection|invalid_request|nginx|dropbear|audit_daemon|sqlserver|wazuh|rootcheck|login_time|policy_violation|login_day|sca|oscap|oscap-report|oscap-result|ciscat|adduser|appsec|low_diskspace|ossec|syscheck|syscheck_entry_modified|syscheck_file|agentless|wordpress|checkpoint_smart1|gsad|openvasmd|firewall|firewall_drop|invalid_login|access_denied|ftpd|nginx|local|systemd|time_changed|audit_anom|openvpn|firewall_block|mysql_audit|mariadb|incident_response|it_compliance|hardware_monitoring|osquery|freeipa|docker|docker-error|active_response|ossec|connection_attempt|authentication_success|pam|yum|upgrade|nfs|su|postfix|dhcp|groupdel|authentication_failed|authentication_failures</rules_group>
   <level>8</level>
   <timeout>600</timeout>
 </active-response>


 <active-response>
   <disabled>no</disabled>
   <command>firewall-drop</command>
   <location>web</location>
   <rules_id>100100</rules_id>
   <timeout>600</timeout>
 </active-response>

 <active-response>
   <disabled>no</disabled>
   <command>firewall-drop</command>
   <location>web</location>
   <rules_group>attack|web|accesslog|syslog|elevation_of_privilege|exploit_attempt|sshd|errors|vuls|vulnerability-detector|invalid_access|attacks|agent_flooding|syscheck|service_availability|linuxkernel|named|modsecurity|access_denied|apache|virustotal|sysmon_process-anomalies|ids|fortigate|recon|sudo|telnetd|dovecot|vsftpd|web_sna|sql_injection|invalid_request|nginx|dropbear|audit_daemon|sqlserver|wazuh|rootcheck|login_time|policy_violation|login_day|sca|oscap|oscap-report|oscap-result|ciscat|adduser|appsec|low_diskspace|ossec|syscheck|syscheck_entry_modified|syscheck_file|agentless|wordpress|checkpoint_smart1|gsad|openvasmd|firewall|firewall_drop|invalid_login|access_denied|ftpd|nginx|local|systemd|time_changed|audit_anom|openvpn|firewall_block|mysql_audit|mariadb|incident_response|it_compliance|hardware_monitoring|osquery|freeipa|docker|docker-error|active_response|ossec|connection_attempt|authentication_success|pam|yum|upgrade|nfs|su|postfix|dhcp|groupdel|authentication_failed|authentication_failures</rules_group>
   <level>12</level>
   <timeout>600</timeout>
 </active-response>

Unfortunately, I noticed that Wazuh doesn’t support a “group” location.

Is there an alternative way to do the work? Do you know if “group” location will be added in the next version of Wazuh?

Thank you in advance.
Mauro

Cesar Moreno

May 21, 2021, 1:30:12 PM
to Wazuh mailing list
Hello Mauro, 
Hope you are going very well today, please accept my apologies for the late response. I was working on finding out a better solution for this requirement and found something that probably is useful for you.

You can execute the Active Response that you need on-demand for only one group by using the API as follows:

curl -k -X PUT "https://localhost:55000/active-response?agents_list=002" -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d'
{
  "arguments": ["1.1.1.2"],
  "command": "ar-for-group",
  "custom": false
}'
Output:
{"data": {"affected_items": ["002"], "total_affected_items": 1, "total_failed_items": 0, "failed_items": []}, "message": "AR command was sent to all agents", "error": 0}

You have 2 options now to execute that script via API:
1- Use the following API call, in the body, the command will be the name of the script you created and custom must be true as it is a custom script:
PUT /active-response?agents_list=001
With body:
{
  "command": "ar-for-group.sh",
  "custom": true
}

2- With the command block in the manager's ossec.conf. With this block, you create a default command (not considered custom), which is shared with the agents.
<command>
  <name>ar-for-group</name>
  <executable>ar-for-group.sh</executable>
</command>
After adding the command block and restarting, this is what appears in /var/ossec/etc/shared/ar.conf:
...
deny-usb0 - example.sh - 0
...

deny-usb0 is the command that will execute the script example.sh.
Now use the following API call:
PUT /active-response?agents_list=001
With body:
{
  "command": "ar-for-group",
  "custom": false
}
(custom is false here: NOT CONSIDERED CUSTOM!)
Note that the command block isn't needed in option 1.

In the API reference for /active-response, you can execute a command in Python or shell. The new scripts should be in the agent's active-response/bin folder.
Following the /active-response API reference:

Command: Command running in the agent. If this value starts with !, then it refers to a script name instead of a command name.

To get the group of a particular agent:
curl -sk -X GET "https://localhost:55000/agents?agents_list=002" -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" | jq '.data.affected_items[0].group[]'

To get the agent IDs of all agents in that group:
curl -sk -X GET "https://localhost:55000/groups/<group>/agents?pretty" -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" | jq '.data.affected_items[].id'

Then, on the manager side in the ossec.conf, you can configure to execute the AR from the manager (<location>server</location>) instead of executing the response on every agent.
<command>
  <name>ar-for-group</name>
  <executable>ar-for-group.sh</executable>
  <expect>srcip, agent.id</expect>
</command>
...
<active-response>
  <command>ar-for-group</command>
  <location>server</location>
  <rules_id>10005</rules_id>
</active-response>


Hope this helps! Any questions, please let me know, I'm glad to help.

Kind regards,
Cesar Moreno.
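The manager-side workflow Cesar describes above (a script started with <location>server</location> that receives the legacy positional arguments from his earlier reply, looks up the alerting agent's group with GET /agents?agents_list=..., lists that group's members with GET /groups/{group}/agents, and then sends one PUT /active-response to all of them), as an added Python example. It is not Cesar's script and not anything Wazuh ships. Assumptions: the API at https://localhost:55000 with a bearer token read from WAZUH_API_TOKEN, every agent also being in the "default" group (as Mauro described) which is therefore skipped, and firewall-drop as the ar.conf command the member agents should run. The sample API responses inside are constructed so the script can be dry-run offline with WAZUH_AR_DRY_RUN=1.

```python
# Added example for this thread, not Wazuh's or Cesar's script: a manager-side
# active response that, when one agent raises the alert, sends firewall-drop
# to every agent in that agent's Wazuh group through the API.  Positional
# arguments follow the legacy order quoted earlier (<ACTION> <USER> <IP>
# <ALERT-ID> <RULE-ID> <AGENT> <FILENAME>).  Assumptions: API URL and token
# source, skipping the "default" group, and "firewall-drop" as the command.
import json
import os
import ssl
import sys
import urllib.request

API_URL = os.environ.get("WAZUH_API_URL", "https://localhost:55000")  # assumption
TOKEN = os.environ.get("WAZUH_API_TOKEN", "")  # assumption: token read from the environment
TARGET_COMMAND = "firewall-drop"  # ar.conf command each member agent should run

# Constructed sample API responses so the script can be dry-run offline
# (WAZUH_AR_DRY_RUN=1); agent 003 sits in the groups default and ftp.
SAMPLE_API = {
    "/agents?agents_list=003": {"data": {"affected_items": [
        {"id": "003", "group": ["default", "ftp"]}]}},
    "/groups/ftp/agents": {"data": {"affected_items": [
        {"id": "001"}, {"id": "003"}, {"id": "004"}]}},
}
SENT = []  # (path, body) of every PUT the fake transport received

def sample_call(method, path, body=None):
    """Fake transport: answers from SAMPLE_API and records PUTs."""
    if method == "PUT":
        SENT.append((path, body))
        return {"data": {"affected_items": [], "total_failed_items": 0}, "error": 0}
    return SAMPLE_API.get(path, {"data": {"affected_items": []}})

def api_call(method, path, body=None):
    """Real transport: one authenticated call to the Wazuh API."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # mirrors curl -k in the thread; pin the CA in production
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API_URL + path, data=data, method=method)
    req.add_header("Authorization", "Bearer " + TOKEN)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def parse_ar_args(argv):
    """Name the legacy positional AR arguments (argv without the script name)."""
    if len(argv) < 6:
        raise ValueError("expected <ACTION> <USER> <IP> <ALERT-ID> <RULE-ID> <AGENT> [<FILENAME>]")
    args = dict(zip(("action", "user", "srcip", "alert_id", "rule_id", "agent"), argv[:6]))
    args["filename"] = argv[6] if len(argv) > 6 else "-"
    return args

def groups_of_agent(call, agent_id):
    """GET /agents?agents_list=<id>: the same .group[] field the jq call above reads."""
    items = call("GET", "/agents?agents_list=" + agent_id)["data"]["affected_items"]
    if not items:
        raise LookupError("agent %s not found" % agent_id)
    return list(items[0].get("group", []))

def agents_in_group(call, group):
    """GET /groups/<group>/agents: ids of every member agent."""
    resp = call("GET", "/groups/%s/agents" % group)
    return [item["id"] for item in resp["data"]["affected_items"]]

def pick_target_group(groups, ignore=("default",)):
    """Skip "default" (every agent in the thread is in it) and take the first
    remaining group; assumption: one functional group per agent."""
    return next((g for g in groups if g not in ignore), None)

def fan_out(call, agent_id, srcip, command=TARGET_COMMAND):
    """PUT /active-response once, listing every member of the alerting agent's group."""
    group = pick_target_group(groups_of_agent(call, agent_id))
    if group is None:
        return None, []
    targets = agents_in_group(call, group)
    body = {"command": command, "custom": False, "arguments": [srcip]}
    call("PUT", "/active-response?agents_list=" + ",".join(targets), body)
    return group, targets

def main(argv, call=None):
    call = call or (sample_call if os.environ.get("WAZUH_AR_DRY_RUN") else api_call)
    args = parse_ar_args(argv)
    # Only the "add" pass is fanned out; forwarding the "delete" pass is left out here.
    if args["action"] != "add" or args["srcip"] == "-":
        return 0
    group, targets = fan_out(call, args["agent"], args["srcip"])
    print("rule %s on agent %s: %s %s -> group %s: %s" % (
        args["rule_id"], args["agent"], TARGET_COMMAND, args["srcip"],
        group, ",".join(targets) or "no targets"))
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Placed as ar-for-group.py in the manager's active-response/bin folder and referenced from a <command> block with <location>server</location> as in Cesar's last snippet, the script only ever runs on the manager, so the API token never has to be distributed to the agents. The positional argument order is the one quoted in this thread for Wazuh 4.1; later Wazuh releases hand the alert to the script as JSON on stdin instead, so check the active response documentation for the version you run before relying on the argv layout.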

Mauro Tridici

May 21, 2021, 3:27:53 PM
to Cesar Moreno, Wazuh mailing list
Hello Cesar,

thank you very much for your support.
You have done great work! Fantastic!

It works.

If it is possible, I would like to ask your help for another thread that I created recently (the case title is: how to add geoip info in wazuh alert emails).
Julia gave me a hand to start, but I'm still not able to complete the work.

Could you please help me?!
But, please, take your time :) 

Thank you,
Mauro


