need help to compile default-firewall-drop.c


Valton T.

Jul 18, 2023, 8:39:42 AM
to Wazuh mailing list
Hi everyone and this amazing Wazuh community,

I need help, since I needed to add this code to default-firewall-drop.c, which I think is for the active-response firewall-drop. Since I need to write the IPs that get blocked with iptables, I need to simply write them also to /etc/nginx/waf/black_list_subnets.conf. For example, the active response alert was:

2023/07/18 12:33:50 active-response/bin/firewall-drop: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2023-07-18T12:33:50.560+0000","rule":{"level":9,"description":"CMS (WordPress or Joomla) login attempt.","id":"31509","mitre":{"id":["T1110.001"],"tactic":["Credential Access"],"technique":["Password Guessing"]},"firedtimes":1071,"mail":false,"groups":["web","appsec","attack"],"pci_dss":["6.5","11.4","6.5.10","10.2.4","10.2.5"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SA.11","SI.4","AU.14","AC.7"],"tsc":["CC6.6","CC7.1","CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"008","name":"paparaci","ip":"159.69.181.255"},"manager":{"name":"intel"},"id":"1689683630.57319526","full_log":"5.188.87.37 - 127.0.0.1 - - [18/Jul/2023:12:33:50 +0000] \"POST /wp-login.php HTTP/1.1\" 200 2099 \"-\" \"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0\" \"5.188.87.37, 172.71.102.113, 5.9.90.26\"","decoder":{"name":"web-accesslog"},"data":{"protocol":"POST","srcip":"5.188.87.37","id":"200","url":"/wp-login.php"},"location":"/var/log/nginx/xx.access.log"},"program":"active-response/bin/firewall-drop"}}

So all I need is that active-response/bin/firewall-drop adds that attacker IP "5.188.87.37" to /etc/nginx/waf/black_list_subnets.conf and appends /32 at the end, for example 5.188.87.37/32.
Please find in the attachment the code I need to compile, since I cannot do it without the source code and I'm having real problems compiling it or testing any code using the source on GitHub.
The attachment is the code I need to compile and make work for the requirements above.

Thanks


default-firewall-drop.c

Seyla Damaris Gomez

Jul 18, 2023, 10:37:56 AM
to Wazuh mailing list
Hi,

Active Response is a feature that allows you to automatically perform predefined actions in response to specific security events. For example, when an intrusion attempt or malicious activity is detected, Wazuh can trigger automated responses to block the attacker's IP address, close a connection, or run mitigation commands.

Configuring Active Response in Wazuh can be customized to suit an organization's specific security needs. It will help ensure that automated responses do not negatively affect the infrastructure or generate false positives that could harm legitimate operations. I share our page with more information that can help you: Link.

You can create a custom active response by following this guide. In the section that says "Start custom action Add" you have to write the AR action, in this case blocking an IP; make sure to capture the srcip in this section.

"Start Custom Key: At this point, it is necessary to select the keys from the alert and add them into the keys array."


If you follow the guide, you will be able to create an AR for the requested case. You can also create an issue on Wazuh's GitHub requesting that the functionality you want be added, which will be treated and estimated according to priorities.


Regards.
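A custom active response script of the kind the guide describes, added here as an example that is neither Wazuh's code nor the attached default-firewall-drop.c: it reads the execd JSON message shown in the first post from stdin, takes parameters.alert.data.srcip, and adds or removes the address as <ip>/32 in a blacklist file. The blacklist path, the shortened sample message and the omission of the guide's check_keys handshake are assumptions made for this example.

```python
import ipaddress
import json
import sys
from pathlib import Path

# Constructed path for this example; the original post targets
# /etc/nginx/waf/black_list_subnets.conf on the nginx host.
BLACKLIST = Path("black_list_subnets.conf")

# Constructed sample: a shortened copy of the execd message quoted in the post.
SAMPLE_MESSAGE = json.dumps({
    "version": 1, "origin": {"name": "node01", "module": "wazuh-execd"},
    "command": "add", "parameters": {"extra_args": [], "alert": {
        "rule": {"id": "31509", "level": 9},
        "data": {"protocol": "POST", "srcip": "5.188.87.37", "url": "/wp-login.php"}}},
})

def parse_alert(raw):
    """Extract (command, srcip) from the JSON message execd hands the script."""
    msg = json.loads(raw)
    data = msg.get("parameters", {}).get("alert", {}).get("data", {})
    return msg.get("command"), data.get("srcip")

def to_cidr(ip):
    """Normalise to CIDR: 5.188.87.37 -> 5.188.87.37/32 (an IPv6 host -> /128).
    ipaddress validates the value, so a malformed srcip raises instead of
    being written into the nginx blacklist."""
    return str(ipaddress.ip_network(ip, strict=False))

def apply_command(command, cidr, entries):
    """Return the new blacklist contents for an execd 'add' or 'delete' command."""
    if command == "add":
        return entries if cidr in entries else entries + [cidr]
    if command == "delete":
        return [e for e in entries if e != cidr]
    return entries  # unknown command: leave the file untouched

def update_blacklist(command, srcip, path=BLACKLIST):
    """Rewrite the blacklist file (one CIDR per line) and return its entries."""
    current = path.read_text().splitlines() if path.exists() else []
    entries = apply_command(command, to_cidr(srcip), [e.strip() for e in current if e.strip()])
    path.write_text("".join(f"{e}\n" for e in entries))
    return entries

if __name__ == "__main__":
    # execd writes the alert JSON as a single line on the script's stdin.
    command, srcip = parse_alert(sys.stdin.readline())
    if srcip is None:
        sys.exit("alert carries no data.srcip; nothing to block")
    update_blacklist(command, srcip)
```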