Active-response


Dmitriy
Nov 2, 2017, 11:32:27 AM
to Wazuh mailing list
Good Day.

I have some problems with active response. It doesn't work.

I configured ossec.conf on the agent:

<!-- Active response -->
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_group>web,|attack,</rules_group>
</active-response>


I modified firewall-drop.sh to add the IP with ipset.

I'm running

var/ossec/bin/agent_control -b 1.2.3.4 -f firewall-drop -u 002

for testing AR, but active-responses.log doesn't have a new entry.

In the ipset I also don't have a new IP.

ipset -L blacklist
Name: blacklist
Type: hash:ip
Revision: 2
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 128
References: 1
Members:


At first I used my own working script for blocking IPs with ipset, but it did not work. I made some changes to firewall-drop.sh and that did not work either.
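An ipset-backed variant of firewall-drop.sh, added here as an example; it is not Dmitriy's modified script and not Wazuh's stock script. It assumes an existing hash:ip set named blacklist (the name Dmitriy's ipset -L output shows) that an iptables rule already references, and it validates the address before handing it to ipset, because that value arrives straight from the alert.

```shell
#!/bin/sh
# Added example: ipset-backed active-response script in the style of firewall-drop.sh.
# Wazuh invokes it as: <script> <action> <user> <srcip> <alert-id> <rule-id>
# The "add - 192.168.131.129 (from_the_server) (no_rule_id)" line seen in
# active-responses.log is exactly those arguments echoed after the date.
# Assumed names (not Wazuh defaults): set "blacklist", log path below. Runs as root.

IPSET_BIN="${IPSET_BIN:-ipset}"          # override with "echo" for a dry run
SET_NAME="${SET_NAME:-blacklist}"
AR_LOG="${AR_LOG:-/var/ossec/logs/active-responses.log}"

# Accept only a dotted-quad IPv4 address with each octet in 0..255.
# The value comes from an alert field: never pass it to a privileged command unchecked.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# ar_handle <action> <user> <srcip> <alert-id> <rule-id>; returns 0 on success.
ar_handle() {
    action="$1"; ip="$3"
    valid_ipv4 "$ip" || return 1
    case "$action" in
        add)    "$IPSET_BIN" add "$SET_NAME" "$ip" -exist || return 1 ;;
        delete) "$IPSET_BIN" del "$SET_NAME" "$ip" -exist || return 1 ;;
        *)      return 1 ;;
    esac
    # Same line layout as the stock scripts: date, script path, then every argument.
    echo "$(date) $0 $1 $2 $3 $4 $5" >> "$AR_LOG"
}

# Wazuh always passes arguments; with none (e.g. sourced for testing) do nothing.
[ $# -eq 0 ] || ar_handle "$@"
```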

Alberto Marín
Nov 3, 2017, 9:20:26 PM
to Wazuh mailing list
Hi Dmitriy,

You must add the active response configuration in the manager, not in the agent.

To set your configuration, you must write the following in your manager:

<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_group>web,|attack,</rules_group>
</active-response>

Next step is to restart the manager in order to read the new configuration. You can check this step reading the file /var/ossec/etc/shared/ar.conf. The text line 'firewall-drop0 - firewall-drop.sh - 0' should be present.

Now it's time to restart the agent. We need to restart the agent to receive the new ar.conf file which will be pushed from the manager.

Finally, you can test with:

/var/ossec/bin/agent_control -b 192.168.131.129 -f firewall-drop0 -u 002


If everything is working properly, you should receive a log in /var/ossec/logs/active-responses.log

Fri Nov  3 15:44:04 PDT 2017 /var/ossec/active-response/bin/firewall-drop.sh add - 192.168.131.129 (from_the_server) (no_rule_id)


If you have any additional questions or require further clarification, please, do not hesitate to write again.

Best regards,

Alberto Marin.
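The two checks Alberto describes (the ar.conf entry after the manager restart, then the active-responses.log line after agent_control -b), as added shell helpers that are not part of the thread or of Wazuh. The sample ar.conf and log contents are constructed from lines quoted in this thread; the default paths are the real ones, and with <location>local</location> the log check belongs on the agent, not the manager.

```shell
#!/bin/sh
# Added example: verify an active-response rollout. Not Wazuh tooling.
AR_CONF="${AR_CONF:-/var/ossec/etc/shared/ar.conf}"
AR_LOG="${AR_LOG:-/var/ossec/logs/active-responses.log}"

# ar_conf_entry <command-name>: print the ar.conf entry name that agent_control -f
# expects (firewall-drop -> firewall-drop0); fail if the command was not pushed.
# Entry layout: "<name><n> - <executable> - <timeout>"
ar_conf_entry() {
    awk -v cmd="$1" '
        $2 == "-" && $1 ~ ("^" cmd "[0-9]+$") && !seen[$1]++ { print $1; found = 1 }
        END { exit !found }' "$AR_CONF"
}

# ar_log_has <script> <action> <ip>: succeed if the log records the script acting on
# exactly that IP (the trailing space keeps 192.168.131.12 from matching .129).
ar_log_has() {
    grep -qF -- "/$1 $2 - $3 " "$AR_LOG"
}

# --- constructed sample data standing in for the real files ---
SAMPLE_DIR=$(mktemp -d)
AR_CONF="$SAMPLE_DIR/ar.conf"
AR_LOG="$SAMPLE_DIR/active-responses.log"
cat > "$AR_CONF" <<'EOF'
restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
firewall-drop0 - firewall-drop.sh - 0
EOF
cat > "$AR_LOG" <<'EOF'
Fri Nov  3 15:44:04 PDT 2017 /var/ossec/active-response/bin/firewall-drop.sh add - 192.168.131.129 (from_the_server) (no_rule_id)
EOF

# Step 1: the entry exists, so "agent_control -f firewall-drop0" is the right name.
entry=$(ar_conf_entry firewall-drop) && echo "ar.conf entry: $entry"
# Step 2: the executing host logged the block for the tested address.
ar_log_has firewall-drop.sh add 192.168.131.129 && echo "block logged for 192.168.131.129"
```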

Dmitriy
Nov 7, 2017, 3:36:13 AM
to Wazuh mailing list
Thank you very much.

I think it should be added to the Wazuh docs. It's not that obvious that the configuration is done on the Manager.

And I have another question.

How can I distribute my scripts to the agents?

For example, I will make some script, example.sh, and put it in /etc/shared on the Manager.
As the second step I will configure ossec.conf on the manager:

<command>
  <name>example</name>
  <executable>/var/ossec/etc/shared/example.sh</executable>
  <timeout_allowed>no</timeout_allowed>
</command>

And then make the typical AR configuration:

<active-response>
  <command>example</command>
  <location>local</location>
  <rules_group>attack,</rules_group>
</active-response>

Will this work?

Alberto Marín
Nov 7, 2017, 6:37:09 PM
to Wazuh mailing list
Hi Dmitriy,

We really appreciate your feedback and we will clarify and improve this part in the documentation.

Regarding your question, the correct and recommended way is to copy the file manually into the 'active-response' folder of the agents and just add the script name in the configuration.

Best regards.


Alberto Marin.


Dmitriy
Nov 8, 2017, 5:20:10 AM
to Wazuh mailing list

Thank you.

Last question.

I have:
<active-response>
  <command>ipset-drop</command>
  <location>local</location>
  <level>6</level>
  <rules_group>web,|attack,</rules_group>
</active-response>

It works, but when a rule of level 5 in the web or attack group is detected it also fires. For example it fires for rule.id 31101.
How can I make the AR run only when the rules_group matches and the rule level is 6 or higher?


Alberto Marín
Nov 8, 2017, 10:40:33 PM
to Wazuh mailing list
Hi Dmitriy,

Both options <level> and <rules_group> are valid to enable the active response; that means only one of the conditions is necessary to launch the active response.

We are aware that this is not a very useful procedure and we will improve it in a future release.

Best regards.
Alberto Marin

Yolanda Prieto
Nov 28, 2017, 8:22:23 PM
to Wazuh mailing list
Hi Martin
Hi Dimitri
This post is very useful.
I am following every detail in the configuration. (I didn't create any custom rule.) Should I?

And after running

/var/ossec/bin/agent_control -b 192.168.50.155 -f firewall-drop0 -u 008

I didn't get anything in:

-rwxrwxrwx. 1 ossec ossec 0 Oct 12 09:33 /var/ossec/logs/active-responses.log

Why?
What I am missing?

Thanks for any help.
Regards
 Yolanda Prieto

Dmitriy
Nov 29, 2017, 7:48:44 AM
to Wazuh mailing list

Did you reboot the Manager after changing the Manager's ossec.conf?

Can you post your ossec.conf with <active-response> and <command>, and etc/shared/ar.conf, here?

Yolanda Prieto
Nov 29, 2017, 1:53:25 PM
to Wazuh mailing list

Hi Dimitri

Thanks very much for your quick response!

Did you reboot the Manager after changing the Manager's ossec.conf?

Yes, I restarted the ossec manager after the change.

Can you post your ossec.conf with <active-response> and <command>, and etc/shared/ar.conf, here?

Here is the information you asked for:

[root@centos7endmc19 etc]# pwd
/var/ossec/etc
[root@centos7endmc19 etc]# ll shared/ar.conf
-rw-r-----. 1 root ossec 115 Nov 28 16:57 shared/ar.conf

less ar.conf
restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0

firewall-drop0 - firewall-drop.sh - 0

I only made the configuration in the manager, but the location is local: <location>local</location> (agent). How should it work? I am not sure.

I know that if <location> is local, the response should be executed on the agent, but should I configure or copy something else (a script or something) to the agent?

Here the ossec.conf in the manager:

<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_group>web,|attack,</rules_group>
</active-response>

<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

Do you know where I can get information about which attacks are included in the web and attack groups of <rules_group>web,|attack,</rules_group>?

Any idea or suggestion to resolve the active-response configuration and get this working will be highly appreciated.

Regards
 Yolanda Prieto

Cristóbal López
Nov 30, 2017, 5:21:03 AM
to Wazuh mailing list
Hi Yolanda,

What is the agent's operating system where you are trying to replicate the active response? If it is Windows, firewall-drop.sh won't work on it.

Best regards,
Cristobal Lopez.

yol...@saitechnology.com
Nov 30, 2017, 11:42:40 AM
to Cristóbal López, Wazuh mailing list
Hi Cristobal,

Yes, yesterday I learned this on this site: http://ossec-docs.readthedocs.io/en/latest/manual/ar/ar-unix.html

But should I anyway get something registered in the active response log on the manager?

From the same link I learned the following:

The active response configuration has the following parameter:

    location: Where the command should be executed. You have four options:
         local: on the agent that generated the event
         server: on the OSSEC server
         defined-agent: on a specific agent (when using this option, you need to set the agent_id to use)
         all: or everywhere.

Should I choose location "server"? Or is "all" better? Since the manager always lives on Linux, it should execute firewall-drop anyway?

Please advise.
I am kind of confused.

Thanks a lot for any idea or clarification you could provide to me.

Regards
Yolanda

Cristóbal López
Nov 30, 2017, 12:52:40 PM
to Wazuh mailing list
Hi Yolanda,

When we want the active response to be executed in the agent that generated the alert that triggered it, we use local. However, it makes sense that active responses such as firewall-drop are run with all in order to apply this temporary restriction to all agents and the manager, thus preventing a possible attack that could not only affect the agent that triggers the alert.

You can find an example of how to use this active response here:
https://documentation.wazuh.com/current/user-manual/capabilities/active-response/remediation-configuration.html#add-an-ip-to-the-iptables-deny-list

Best regards,
Cristobal Lopez.

Dmitriy
Dec 1, 2017, 4:51:58 AM
to Wazuh mailing list
Hi Yolanda.

As I understand it, you are waiting for logs in active-responses.log on the Manager? If you have active-response <location>local</location>, you get the logs on the agent that generated the alert. In your case it's agent 008 (but only if it is a *nix system).

Cristóbal López
Dec 1, 2017, 10:27:46 AM
to Wazuh mailing list
Hi,

As Dmitriy says, you can only see the log on the agent or manager where the active response is executed, because only the active-response scripts write to active-responses.log, and only when they are executed.

If you want to monitor the active-responses.log of the agents from the manager, you can add this:

<localfile>
  <location>Path to active-response.log</location>
  <log_format>syslog</log_format>
</localfile>

Best regards,
Cristobal Lopez.

yol...@saitechnology.com
Dec 1, 2017, 1:16:15 PM
to Cristóbal López, Wazuh mailing list
Hi Cristobal, Dimitri

Thanks for your response.

I have a doubt about this:

  • location: Where the command should be executed. You have four options:
    • local: on the agent that generated the event
    • server: on the OSSEC server
    • defined-agent: on a specific agent (when using this option, you need to set the agent_id to use)
    • all: or everywhere.

If I have configured for example firewall-drop, but I chose location "all" and I have agents on Windows, how could it execute on "all", if Windows does not have the firewall-drop script?

I have been looking in different sources, but I still have this doubt.

I configured, based on Dmitriy's, something similar to this:
 
<!-- Active response -->
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_group>web,|attack,</rules_group>
</active-response>
 
What could be an attack?

Because we can test it using some tools like:
 
Regards
 Yolanda

Cristóbal López
Dec 4, 2017, 11:52:53 AM
to Wazuh mailing list
Hi Yolanda,

Windows agents cannot run firewall-drop because they don't have the script. Still, you can activate an active response with the win_route-null command, which achieves the same effect in a different way, with the same trigger condition.

Wazuh detects as an attack any log that matches the rules of the ruleset in the attack group. If you find a log that should trigger an alert and it doesn't, let us know.

Best regards,
Cristobal Lopez.

Yolanda Prieto
Dec 5, 2017, 4:45:06 PM
to Wazuh mailing list
Hi Cristobal
Hi Dimitri,

Thanks for your responses.

I was trying to reproduce the SSH brute force attacks based on the block:


and on the manager (CentOS 7, where I previously configured firewalld, it works well).


1) Then I was trying to do the same proof of concept on a Windows agent. I was even trying to see in alerts.log the rule triggered, but I cannot see any rule related to SSH fired, apparently for the following reason:
 
Linux and macOS utilities for thwarting brute-force login attempts like SSHGuard and Fail2Ban are not available on Windows. Although they both run in the Windows Subsystem for Linux, they don’t have access to nor parsers for the Windows Event Log nor backends for the Windows Firewall.

1) Have you tried to run these SSH brute force attacks? Does it work for you, and can you get the SSH rule fired on Windows?

Another question:
To be able to use the active-response firewall-drop on Linux I had the firewalld service configured.

2) For Windows, how could it work? To be able to use route-null.cmd to block the offending IP?

3) Do you have some repository with useful .cmd scripts to be used in active response? In my Windows installation I only have these:
restart-ossec.cmd
route-null.cmd

Any information regarding question 3) will be highly appreciated.
Thanks and Regards,
 Yolanda Prieto
