Threshold rule for active response


Valton T.

Feb 28, 2023, 8:20:17 AM
to Wazuh mailing list
Hi,

I'm getting directory bruteforce attempts, and sometimes they are just marked as 'Web 400 error message'. I wanted to know how I can add a threshold for this active response rule so I do not block legit traffic with it. How can I add: if an IP does more than 5 400 errors, trigger a ban using firewall-drop?

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>31101</rules_id>
    <timeout>5</timeout>
  </active-response>

Francisco Tuduri

Feb 28, 2023, 9:09:14 AM
to Wazuh mailing list
Hello Valton!

To accomplish that we need to write a custom rule with your specific requirements and then use this new rule to trigger the active response.

We have to use if_matched_sid to match rule 31101, add same_srcip, and adjust the frequency and timeframe as needed.

For example:

<!-- rules in local_rules.xml must sit inside a <group> element; the group name is your choice -->
<group name="local,web,">
  <rule id="100005" level="5" frequency="5" timeframe="30">
    <if_matched_sid>31101</if_matched_sid>
    <same_srcip />
    <description>Multiple web server 400 error code.</description>
  </rule>
</group>


The rule 100005 will trigger an alert when rule 31101 is matched 5 times in a 30-second period coming from the same source IP.

You need to add that rule to the /var/ossec/etc/rules/local_rules.xml as it is explained in the Custom rules and decoders guide.

Then you need to change your active response block to trigger when this new rule is fired:

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100005</rules_id>
    <timeout>5</timeout>
  </active-response>


Remember to restart the manager after making these changes.

Let me know if you need any more help with this.
Regards!
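Added illustration (not from the thread and not Wazuh's own code): a small Python model of how the composite rule above groups events. It reads frequency, timeframe and if_matched_sid from the rule XML, then replays constructed alert events through a per-source-IP sliding window, so you can see that other rule IDs are ignored, that each IP is counted separately, and that hits older than the timeframe expire before the count is checked. The rule ids and IPs in the sample events are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

# The custom rule from the thread, wrapped in the <group> that local_rules.xml needs.
RULE_XML = """
<group name="local,web,">
  <rule id="100005" level="5" frequency="5" timeframe="30">
    <if_matched_sid>31101</if_matched_sid>
    <same_srcip />
    <description>Multiple web server 400 error code.</description>
  </rule>
</group>
"""


def parse_threshold(rule_xml):
    """Return (rule_id, matched_sid, frequency, timeframe) from the rule XML."""
    rule = ET.fromstring(rule_xml.strip()).find("rule")
    return (rule.get("id"), rule.findtext("if_matched_sid"),
            int(rule.get("frequency")), int(rule.get("timeframe")))


def correlate(events, rule_xml=RULE_XML):
    """Replay (timestamp_seconds, srcip, rule_id) events and return the
    (timestamp, srcip) pairs at which the composite rule fires.
    Mirrors <same_srcip />: one sliding window per source IP."""
    _rule_id, matched_sid, frequency, timeframe = parse_threshold(rule_xml)
    windows = defaultdict(deque)
    fired = []
    for ts, srcip, rid in sorted(events):
        if rid != matched_sid:          # only hits of the matched rule count
            continue
        win = windows[srcip]
        win.append(ts)
        while ts - win[0] > timeframe:  # drop hits outside the timeframe
            win.popleft()
        if len(win) >= frequency:
            fired.append((ts, srcip))
            win.clear()                 # start a fresh count after firing
    return fired


# Constructed sample: one scanner hitting five 400s in 9 s, one legit client
# whose 400s are spread out (and one event from an unrelated rule id).
SAMPLE_EVENTS = [
    (0, "203.0.113.10", "31101"), (2, "203.0.113.10", "31101"),
    (5, "203.0.113.10", "31101"), (7, "203.0.113.10", "31101"),
    (9, "203.0.113.10", "31101"),             # fifth hit within 30 s -> fires
    (1, "198.51.100.7", "31101"), (3, "198.51.100.7", "31101"),
    (4, "198.51.100.7", "99999"),             # unrelated rule id, not counted
    (100, "198.51.100.7", "31101"), (110, "198.51.100.7", "31101"),
    (120, "198.51.100.7", "31101"),           # never 5 hits inside one 30 s window
]
```

Run `correlate(SAMPLE_EVENTS)` to see that only the scanner's IP reaches the threshold; the spread-out client never does, which is exactly the legit traffic the threshold is meant to spare.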