Getting the attacker's IP

62 views

henry valz

Jan 25, 2023, 8:16:41 AM
to Wazuh mailing list
Team,

How can I obtain, in a script run through active response, the attacker's IP address so that I can perform some scripting-level action on Linux? Any ideas?

Thanks

Julián Morales

Jan 25, 2023, 9:35:56 AM
to henry valz, Wazuh mailing list
Hi Henry,

When an active response is executed, the binary receives the JSON alert via STDIN. In your code you must parse the JSON of the alert and look for the field where the IP is stored.
On the other hand, to be able to obtain the attacker's IP, the alert must contain it; that is, the log that generated the alert must contain the IP, and it must have been decoded and stored in a field (usually srcip).

I think you will find our documentation useful. Here you will find how active response works and here you will find how to create custom active response.

I hope you find this useful
Regards
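As an added example (not code from this thread, nor Wazuh's own), here is a minimal Python active response script that does what the reply describes: read the JSON message from STDIN, locate the decoded srcip field, and validate it before any action is taken. The message layout (the alert under parameters.alert, decoded log fields under alert.data) is the Wazuh 4.x format; the sample alert values are constructed.

```python
import ipaddress
import json
import sys

# Constructed sample of what wazuh-execd writes to the script's STDIN
# (Wazuh 4.x layout: the alert sits under parameters.alert and decoded
# log fields such as srcip under alert.data). All values are made up.
SAMPLE_STDIN = json.dumps({
    "version": 1,
    "origin": {"name": "node01", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {
            "rule": {"id": "5763", "level": 10},
            "data": {"srcip": "203.0.113.45", "srcuser": "root"},
        },
        "program": "active-response/bin/custom-ar",
    },
})

def find_key(obj, key):
    """Depth-first search for `key` anywhere in nested JSON (dicts/lists)."""
    if isinstance(obj, dict) and key in obj:
        return obj[key]
    children = obj.values() if isinstance(obj, dict) else obj if isinstance(obj, list) else []
    for child in children:
        found = find_key(child, key)
        if found is not None:
            return found
    return None

def attacker_ip(raw_message, field="srcip"):
    """Return the validated attacker IP from the execd message, or None.

    ipaddress rejects anything that is not a literal address, so a malformed
    or hostile field value is never handed on to a shell command."""
    msg = json.loads(raw_message)
    alert = msg.get("parameters", {}).get("alert", msg)  # also accept a bare alert
    value = (alert.get("data") or {}).get(field) or find_key(alert, field)
    try:
        return str(ipaddress.ip_address(value)) if value else None
    except ValueError:
        return None

if __name__ == "__main__":
    # Real run: execd feeds the message on STDIN. Interactive run: use the sample.
    raw = SAMPLE_STDIN if sys.stdin.isatty() else sys.stdin.read()
    print(attacker_ip(raw) or "alert carries no usable srcip")
```

Whatever action follows (for example a firewall rule), pass the returned string as an argument list rather than interpolating it into a shell string.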
