How to use curl to create a json payload so that wazuh acts on an agentless system


Manuel Alberto Da Silva Cunha

Jun 19, 2023, 9:45:48 AM
to Wazuh mailing list
Hi, I am doing an investigation project as the final subject of my university degree and I need help on this matter. I have a Wazuh manager running on Debian that receives logs from a MikroTik router. When someone fails 5 times trying to log in to the router, it sends an alert to the manager, which acts on that alert by adding the IP that tried to log in to an address list in the MikroTik router; all traffic from that list is blocked, with a timeout set to a day. What I want to do right now is find out how to instantly unblock a blocked IP without having to wait a day for it to unblock automatically. What I'm trying to do is manually create a JSON payload and send it to the manager using curl. The command I'm using works, yet the manager is not sending the output to the correct place. I also have a test-agent machine, also running on Debian, and the manager is sending the command to that machine, which has the Wazuh agent installed, yet I want it to send it to the MikroTik router, which is an agentless system. Is it possible for me to do that, or does it only work with agents that have Wazuh installed on them?

The command I used is this:

curl -k -X PUT "https://192.168.31.179:55000/active-response" -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d '{"command":"delete","alert":{"timestamp":"2023-06-15T10:09:29.676+0100","rule":{"level":15,"description":"Mikrotik: Suspeita ataque forcabruta","id":"100102","frequency":5,"firedtimes":1,"mail":true,"groups":["mikrotik"]},"agent":{"id":"000","name":"cmanuel2"},"manager":{"name":"cmanuel2"},"id":"1686820169.2649","previous_output":"system,error,critical mikrotik_logs: login failure for user admin from 192.168.31.1 via web\nsystem,error,critical mikrotik_logs: login failure for user admin from 192.168.31.1 via web\nsystem,error,critical mikrotik_logs: login failure for user admin from 192.168.31.1 via web\nsystem,error,critical mikrotik_logs: login failure for user admin from 192.168.31.1 via web","full_log":"system,error,critical mikrotik_logs: login failure for user admin from 192.168.31.1 via web","decoder":{"parent":"mikrotik","name":"mikrotik"},"data":{"srcip":"192.168.31.1","dstuser":"admin"},"location":"192.168.31.201"}}'

And the output is this:

{"data": {"affected_items": [], "total_affected_items": 0, "total_failed_items": 1, "failed_items": [{"error": {"code": 1707, "message": "Cannot send request, agent is not active", "remediation": "Please, check non-active agents connection and try again. Visit https://documentation.wazuh.com/4.4/user-manual/registering/index.html and https://documentation.wazuh.com/4.4/user-manual/agents/agent-connection.html to obtain more information on registering and connecting agents"}, "id": ["001"]}]}, "message": "AR command was not sent to any agent", "error": 1}

I know the output gives me an error because the test-agent machine is turned off, but it shouldn't try to send the command above to it in the first place; it should send it to the MikroTik router. Thanks in advance for the help!

Miguel Verdaguer

Jun 20, 2023, 10:41:43 AM
to wa...@googlegroups.com
Hi Manuel,
From what I can see, you are trying to delete the alert. I don't think that can work the way you want it to. Just deleting the alert doesn't mean the server will do the opposite action to the one it did when the alert was created. If you have access to the Mikrotik server, it would probably be easier not to go through Wazuh to unblock the IP; just do it directly. Why do you want to do it through Wazuh?

Regards,
Miguel

Manuel Alberto Da Silva Cunha

Jun 20, 2023, 10:55:34 AM
to Wazuh mailing list
Hello Miguel, thank you for your response. What I'm trying to do is this: currently, if someone tries to log in to the web interface of the MikroTik router and fails 5 times, they are blocked from accessing it with a timeout set to a day. But if it was someone legitimate trying to log in to the router, they shouldn't need to wait a full day to be able to try again, so I would like, through Wazuh, to send the command instantly so that the client doesn't have to wait a day. What I did is use rsyslog between the MikroTik router and the Wazuh manager. When the manager receives a log of someone failing 5 times to log in, it generates an alert that triggers the manager to respond by sending a command to the router that adds that IP to an address list whose traffic to the router is all blocked; after a day, the manager sends another command to the router to remove the IP from that address list. The commands I sent in the first question weren't about me trying to delete the original alert that added the IP to the address list. I looked through the logs, and the JSON message generated in the alert when adding the IP to the address list is the same as the one generated in the alert that is created after the timeout to delete the IP from the address list. I want to know if there is a way for me to get ahead of the timeout by generating the alert myself so that the manager performs the action that removes the IP from the address list before that timeout. I can send screenshots of the script I have or the logs of the manager if that would help.

Miguel Verdaguer

Jun 20, 2023, 11:13:49 AM
to wa...@googlegroups.com

Hi Manuel,

I understand now what you were trying to do with that command, but what I still can't understand is why you don't manually do whatever the manager does when the timeout is reached, instead of trying to create the alert. Creating the alert manually won't be a solution; if you really must do it through the manager, the solution should be to have an additional active response that does the deleting. You can see an example in this issue: https://github.com/wazuh/wazuh/issues/10672#issuecomment-990128830

Regards,

Miguel
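An added example of the "do what the manager does when the timeout is reached" approach Miguel describes. This is not code from the thread, from the poster's script, or from the Wazuh project. On a Wazuh 4.x manager, wazuh-execd runs the active-response script configured for a rule with a JSON message on stdin whose "command" is "add" when the alert fires and "delete" when the configured timeout expires, with the alert under "parameters.alert"; because the poster's alert comes from agent 000 (the manager itself) and the router has no agent, the script has to run locally on the manager, which is also why the API request in the first message was dispatched to the registered agent 001 instead. A script that handles both verbs therefore gives the on-demand unblock for free: run it by hand on the manager with a "delete" message. Everything below that is not on the page is an assumption: the address list is called "blocked", the router is reached over key-based SSH as a RouterOS user "wazuh-ar" at 192.168.31.201 (the alert's "location" field), the sample message is constructed, and the optional check_keys handshake that stateful scripts can use to avoid duplicate adds is left out.

```python
#!/usr/bin/env python3
"""Active-response script for an agentless MikroTik router (added example).

wazuh-execd on the manager runs the script with a JSON message on stdin:
"command" is "add" when the alert fires and "delete" when the active
response's <timeout> expires; the alert is carried under "parameters.alert".
Handling both verbs in one script means the one-day unblock and an
on-demand unblock are the same code path.

Assumptions (not from the thread): address list "blocked", RouterOS user
"wazuh-ar" with key-based SSH, router at 192.168.31.201.
"""
import ipaddress
import json
import subprocess
import sys

ADDRESS_LIST = "blocked"                         # assumed list name
BLOCK_TIMEOUT = "1d"                             # one day, as in the thread
ROUTER_SSH_TARGET = "wazuh-ar@192.168.31.201"    # assumed transport target

# Constructed sample: the shape execd hands to the script when the one-day
# timeout expires for the poster's alert (rule 100102, srcip 192.168.31.1).
SAMPLE_DELETE_MESSAGE = json.dumps({
    "version": 1,
    "origin": {"name": "cmanuel2", "module": "wazuh-execd"},
    "command": "delete",
    "parameters": {
        "extra_args": [],
        "alert": {
            "rule": {"id": "100102", "level": 15, "groups": ["mikrotik"]},
            "agent": {"id": "000", "name": "cmanuel2"},
            "data": {"srcip": "192.168.31.1", "dstuser": "admin"},
            "location": "192.168.31.201",
        },
        "program": "/var/ossec/active-response/bin/mikrotik-block.py",
    },
})


def parse_ar_message(raw):
    """Return (command, srcip) from an active-response message.

    Accepts the execd layout (parameters.alert) and, for hand-built
    payloads like the one in the first post, an alert at the top level.
    """
    msg = json.loads(raw)
    command = msg.get("command")
    if command not in ("add", "delete"):
        raise ValueError(f"unsupported active-response command: {command!r}")
    alert = msg.get("parameters", {}).get("alert") or msg.get("alert")
    if not alert:
        raise ValueError("message carries no alert")
    srcip = alert.get("data", {}).get("srcip")
    if not srcip:
        raise ValueError("alert has no data.srcip to act on")
    # The value comes from a log line an attacker controls: refuse anything
    # that is not a bare IP literal before it is placed in a router command.
    ipaddress.ip_address(srcip)  # raises ValueError otherwise
    return command, srcip


def build_router_command(command, srcip):
    """Translate the verb into the RouterOS CLI line to run on the router."""
    if command == "add":
        return (f"/ip firewall address-list add list={ADDRESS_LIST} "
                f"address={srcip} timeout={BLOCK_TIMEOUT} comment=wazuh")
    return (f"/ip firewall address-list remove "
            f"[find list={ADDRESS_LIST} address={srcip}]")


def ship_to_router(router_cmd):
    """Run the command on the router over SSH (assumed transport)."""
    subprocess.run(
        ["ssh", "-o", "BatchMode=yes", ROUTER_SSH_TARGET, router_cmd],
        check=True, timeout=30,
    )


def main():
    command, srcip = parse_ar_message(sys.stdin.read())
    ship_to_router(build_router_command(command, srcip))


if __name__ == "__main__":
    main()
```

Fed SAMPLE_DELETE_MESSAGE on stdin, the script sends `/ip firewall address-list remove [find list=blocked address=192.168.31.1]` to the router, which is exactly what execd triggers after the timeout; sending the same message by hand lifts the block immediately. To wire it up in ossec.conf, point a `<command>` entry at the script and reference it from an `<active-response>` block with `<location>local</location>` (so execd on the manager runs it), `<rules_id>100102</rules_id>` and `<timeout>86400</timeout>`. The IP validation matters because the address comes straight from a router log line that the person being blocked influenced.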