Null Route issues


Jacob Mcgrath

Jan 9, 2023, 12:44:43 PM
to Wazuh mailing list
I have Security Onion 2 with Wazuh. I have tested the AR route-null.cmd, and it does fire on the Windows 2012 server; I see a route added for the IP block.

sudo docker exec -it so-wazuh /var/ossec/bin/agent_control -u 004 -b 192.168.54.16  -f win_route-null150

Mon 01/09/2023 11:35:33.83 "active-response/bin/route-null.cmd" add "-" "192.168.54.16" "(from_the_server) (no_rule_id)"      
Mon 01/09/2023 11:38:04.95 "active-response/bin/route-null.cmd" delete "-" "192.168.54.16" "(from_the_server) (no_rule_id)"      
Mon 01/09/2023 11:39:53.40 "active-response/bin/route-null.cmd" add "-" "192.168.54.16" "(from_the_server) (no_rule_id)"  

Screenshot from 2023-01-09 11-40-57.png

But I can still ping the server from that IP.

Any ideas would be helpful.

Thank You

Christian Borla

Jan 9, 2023, 5:29:40 PM
to Wazuh mailing list
Hi!
I hope you are doing fine.

As you mentioned, it looks like the IP is added to the blocked IP list.
The active response log shows the add command, adding the IP to the blocked list, and after 2.5 minutes it runs the delete command, removing the IP from the blocked list.

Did you try to connect to the agent through the blocked IP by SSH? Did you test it in another environment?
I believe it is still possible to ping the target, even if the IP is blocked.

Another question is: was the firewall up? It is possible to add rules to a disabled firewall. Also, if possible, try to add a new rule manually and check whether the ping command works, because once the route command shows the rule, it could be an OS issue.
This is the link where the AR builds the command to block the IP; it uses the route.exe command.
Let me know if this information is useful.

Regards.
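An added check, not part of the thread and not Wazuh's own code, for the situation the two posts describe: run on the Windows 2012 agent in an elevated PowerShell to see what the active response actually left behind and whether that route could ever drop traffic. The log path, the IP, and the hypothetical rule name `WazuhManualBlockTest` are assumptions; adjust them to the host. The security-relevant point it makes concrete is that a host route only changes where the Windows box sends its own packets for that IP; if the next hop is a reachable gateway or the host's own interface, inbound echo requests are still accepted and the replies still get back, so "route shows the rule" and "the IP is blocked" are not the same thing.

```powershell
# Added example: audit the route-null active response result on a Windows agent.
# Assumptions (not from the thread): default Wazuh agent install path, the blocked
# IP from the original post, and a hypothetical firewall rule name used only for
# the manual comparison step that the reply suggests.
param(
    [string]$BlockedIp = '192.168.54.16',
    [string]$ArLog     = 'C:\Program Files (x86)\ossec-agent\active-response\active-responses.log',
    [string]$TestRule  = 'WazuhManualBlockTest'
)

# 1. Show the add/delete history the AR wrote for this IP, so you can tell whether
#    you are looking at the host between an "add" and the timed "delete".
if (Test-Path $ArLog) {
    Write-Host "--- active-responses.log entries for $BlockedIp ---"
    Get-Content $ArLog | Select-String -SimpleMatch $BlockedIp | Select-Object -Last 5
}

# 2. Look for a /32 host route to the blocked IP in the active routing table and
#    in the persistent store (route -p writes both; a non-persistent add vanishes on reboot).
Write-Host "--- host routes for $BlockedIp ---"
$active     = Get-NetRoute -DestinationPrefix "$BlockedIp/32" -ErrorAction SilentlyContinue
$persistent = Get-NetRoute -DestinationPrefix "$BlockedIp/32" -PolicyStore PersistentStore -ErrorAction SilentlyContinue
if (-not $active) {
    Write-Host "No active host route: the AR add did not stick, or the delete already ran."
}
foreach ($r in $active) {
    $nic = Get-NetAdapter -InterfaceIndex $r.InterfaceIndex -ErrorAction SilentlyContinue
    $isPersistent = [bool]($persistent | Where-Object { $_.NextHop -eq $r.NextHop })
    "{0,-18} next hop {1,-15} via ifIndex {2} ({3}) persistent={4}" -f `
        $r.DestinationPrefix, $r.NextHop, $r.InterfaceIndex, $nic.Name, $isPersistent

    # A route whose next hop is on-link (0.0.0.0) or a live default gateway does not
    # drop anything: the host still sends its replies, just via that hop.
    $gw = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue | Select-Object -First 1).NextHop
    if ($r.NextHop -eq '0.0.0.0' -or $r.NextHop -eq $gw) {
        Write-Host "  WARNING: next hop is reachable; this route redirects traffic, it does not black-hole it."
    }
}

# 3. Outbound test from the agent: a real black-hole route makes this fail.
#    (Inbound pings from the blocked IP are still accepted by the stack either way.)
$reachable = Test-Connection -ComputerName $BlockedIp -Count 2 -Quiet -ErrorAction SilentlyContinue
Write-Host "Outbound ping to ${BlockedIp}: $(if ($reachable) { 'reachable (route is not blocking)' } else { 'unreachable' })"

# 4. Firewall state, since rules can be added to a disabled profile without effect.
Write-Host "--- firewall profiles ---"
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize

# 5. Optional manual comparison, as the reply suggests: add an inbound block rule
#    for the IP, re-run the ping from the blocked host, then remove the rule.
#    Uncomment to use.
# New-NetFirewallRule -DisplayName $TestRule -Direction Inbound -Action Block -RemoteAddress $BlockedIp | Out-Null
# Read-Host "Rule $TestRule added; ping from $BlockedIp now, then press Enter to remove it" | Out-Null
# Remove-NetFirewallRule -DisplayName $TestRule
```

If step 2 prints the warning, the host route is cosmetic for this host's inbound traffic and an inbound firewall block (step 5) or a next hop that is genuinely unreachable is what actually stops the pings; if step 2 finds no route at all, compare the timestamps from step 1 with when you tested, since the thread's log shows the delete firing about 2.5 minutes after the add.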