Active response: Brute-force-attack


Ber Wazuh

Nov 9, 2023, 6:13:54 AM11/9/23
to Wazuh | Mailing List
Hi Wazuh Community,

I'm trying to configure the active response and struggling to make it work. I have rule.id = 60122 set to drop, but it is not working.

Below is my ossec.conf 

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>60122</rules_id>
    <timeout>3600</timeout>
  </active-response>

Appreciate your comments.

Thanks,
Ber


 

Md. Nazmur Sakib

Nov 9, 2023, 6:43:52 AM11/9/23
to Wazuh | Mailing List

Hi Ber,

Hope you are doing well. Thank you for using Wazuh.

Can you check on the Wazuh dashboard that alerts with rule ID 60122 fired?

As per the configuration, rule ID 60122 needs to trigger to initiate the active response command.

If not, try to produce alerts to test the active response command.

Check the document for reference:

https://documentation.wazuh.com/current/user-manual/capabilities/active-response/ar-use-cases/blocking-ssh-brute-force.html

I hope this helps. Let me know if you need any further assistance.

Regards

Md. Nazmur Sakib

Ber Wazuh

Nov 9, 2023, 7:05:28 AM11/9/23
to Wazuh | Mailing List
Thank you, Md. Nazmur for the reply.

I'm just not sure whether my AR is working. Will it give me an alert that says 60122 is being blocked? My only reference is these hits that have gone down.

[attached screenshots: 60122 hits.JPG, 60122.JPG]

Thanks,
Ber

Md. Nazmur Sakib

Nov 10, 2023, 1:23:23 AM11/10/23
to Wazuh | Mailing List

Hi Ber,

Active response is not working for your rule. The command you are using, firewall-drop, is for Linux, macOS, and Unix-based endpoints.

The rule 60122 is triggered for Windows-based systems.

Check this document for default active response scripts:

https://documentation.wazuh.com/current/user-manual/capabilities/active-response/default-active-response-scripts.html#linux-macos-and-unix-based-endpoints

You can find the script for firewall-drop here: https://github.com/wazuh/wazuh/blob/v4.6.0/src/active-response/firewalls/default-firewall-drop.c

The default active response scripts for Windows are:

https://documentation.wazuh.com/current/user-manual/capabilities/active-response/default-active-response-scripts.html#windows-endpoints

You can find information about active response in the log at

/var/ossec/logs/active-responses.log

I hope this information helps.

Regards

Md. Nazmur Sakib
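For reference, here is what the manager-side configuration looks like once the Windows command is used instead of firewall-drop. This is an added example for this thread, not a configuration posted by either participant. It assumes a Wazuh 4.x manager with the default netsh command definition; the `<command>` block is reproduced so the name referenced by `<active-response>` is visible in one place. It goes in /var/ossec/etc/ossec.conf on the manager, followed by `systemctl restart wazuh-manager`.

```xml
<!-- Added example (not from the thread): manager's /var/ossec/etc/ossec.conf.
     The netsh <command> below matches the definition shipped in the default
     4.x manager configuration; it maps the name "netsh" to the netsh.exe
     active response binary installed with the Windows agent. -->
<ossec_config>
  <command>
    <name>netsh</name>
    <executable>netsh.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Run netsh.exe on the Windows agent that raised rule 60122
       (location=local), then remove the block after 3600 seconds.
       firewall-drop would not work here: that binary only exists on
       Linux/macOS/Unix agents. -->
  <active-response>
    <command>netsh</command>
    <location>local</location>
    <rules_id>60122</rules_id>
    <timeout>3600</timeout>
  </active-response>
</ossec_config>
```

Two things to verify after the restart: the alert for 60122 must actually fire on the Windows agent (the dashboard check suggested above), and the result of the block is recorded on the agent side, in the agent's own active-responses.log under the Wazuh agent install directory, rather than in the manager's /var/ossec/logs/active-responses.log, because `<location>local</location>` executes the command on the endpoint.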

Ber Wazuh

Nov 14, 2023, 5:56:19 AM11/14/23
to Wazuh | Mailing List
Hi Md. Nazmur Sakib,

Done setting up netsh on the Wazuh server, but I'm getting the message below now. Is there anything I'm missing?

Active response related to netsh has been activated, but may not have an effect because the firewall is inactive

Thanks,
Ber

Md. Nazmur Sakib

Nov 15, 2023, 4:50:38 AM11/15/23
to Wazuh | Mailing List

Hi Ber,

Check if the netsh firewall is active.

You can check the status with this command:

netsh advfirewall show allprofiles

If it is not active, make sure to activate the firewall.

I hope this information helps.

Regards

Md. Nazmur Sakib
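The warning in the previous message ("may not have an effect because the firewall is inactive") means the netsh script added its rule, but Windows Defender Firewall is off for at least one profile, so the rule is not enforced. The following PowerShell, an added example rather than anything posted in the thread, checks and enables the profiles on the Windows agent, then confirms what the active response actually did. It assumes the default agent install path (C:\Program Files (x86)\ossec-agent) and that the rule added by netsh.exe carries "WAZUH" in its display name; that name pattern is an assumption, so widen the filter if your agent version names the rule differently. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the thread). Run as Administrator on the Windows agent.
# Assumptions: default agent path; block rule display name contains "WAZUH".

# 1. Per-profile firewall state. A disabled profile is what triggers the
#    "firewall is inactive" warning from the netsh active response.
Get-NetFirewallProfile | Select-Object Name, Enabled

# 2. Enable every profile (same effect as: netsh advfirewall set allprofiles state on).
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# 3. Re-check with the same command suggested in the reply above;
#    every profile should now report "State ON".
netsh advfirewall show allprofiles | Select-String -Pattern 'Profile Settings', '^State'

# 4. The agent-side active response log (the Linux path /var/ossec/logs/...
#    is the manager's; with location=local the action runs here).
$arLog = 'C:\Program Files (x86)\ossec-agent\active-response\active-responses.log'
if (Test-Path $arLog) { Get-Content $arLog -Tail 20 }

# 5. Show the inbound block rules the netsh script created and which
#    remote addresses they cover, so the block can be confirmed end to end.
Get-NetFirewallRule -Direction Inbound -Action Block |
    Where-Object { $_.DisplayName -like '*WAZUH*' } |   # assumed naming
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [PSCustomObject]@{
            Rule     = $_.DisplayName
            Enabled  = $_.Enabled
            RemoteIP = $addr
        }
    }
```

If step 5 lists a rule with the attacker's IP after the profiles are enabled, the active response is working; with the configured `<timeout>` of 3600 seconds, the same rule should disappear from that list roughly an hour after the alert, which is the other sign the delete path of the script runs correctly.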
