Active response config not working appropriately


Arthur Henrique Oliveira Aparício

Jan 6, 2025, 8:38:35 AM
to Wazuh | Mailing List
Hello, I hope this message finds you well.

I have an All-in-One implementation, in the latest version, which has had active response implemented for about a year. The block only had simple changes to add rules; however, due to the need for a customized script, I created a new command block (referring to the Python script that I customized based on the documentation) and an active response block. One of the rules from the old block was deleted and placed only in this new block (they will be at the end of the text). However, this rule (31151) is still activating the first block, which uses firewall-drop, instead of activating the second one with the custom script, even though it is not in it.

Furthermore, one thing I recently noticed when testing the rule is that, in a specific agent (where the script is in the folder, like on the Wazuh server), it has the repeated offenders configuration activated, but at some point it stopped working: it no longer increases the time (which starts at 10 minutes as a base for everyone and increases to 1 hour, 12 hours and 24 hours for this specific one).

The command block: 

<command>
  <name>diotg-firewall-drop</name>
  <executable>custom-diotg-firewall-drop.py</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>

The old block: 

<active-response>
  <disabled>no</disabled>
  <command>firewall-drop</command>
  <location>location</location>
  <level>10</level>
  <rules_id>31106,31516,31168,31104,31164,31103,31105,31508,30305,30306,5712,5551,5718,31514,31110</rules_id>
  <timeout>600</timeout>
</active-response>

The new block:

<active-response>
  <disabled>no</disabled>
  <command>diotg-firewall-drop</command>
  <location>local</location>
  <rules_id>31151</rules_id>
  <timeout>60</timeout>
</active-response>


Olamilekan Abdullateef Ajani

Jan 6, 2025, 11:35:07 AM
to Wazuh | Mailing List
Hello,

Your configuration seems to be correct. Could you please share the content of the /var/ossec/logs/active-responses.log file?

Please let me know

Arthur Henrique Oliveira Aparício

Jan 6, 2025, 12:38:43 PM
to Wazuh | Mailing List
Hello,

This is an example:

2025/01/05 23:46:52 active-response/bin/firewall-drop: Starting
2025/01/05 23:46:52 active-response/bin/firewall-drop: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2025-01-05T23:37:04.678-0300","rule":{"level":10,"description":"Multiple web server 400 error codes from same source ip.","id":"31151","mitre":{"id":["T1595.002"],"tactic":["Reconnaissance"],"technique":["Vulnerability Scanning"]},"frequency":14,"firedtimes":1,"mail":true,"groups":["web","accesslog","web_scan","recon"],"pci_dss":["6.5","11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SA.11","SI.4"],"tsc":["CC6.6","CC7.1","CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"078","name":"xxx","ip":"xxx.xxx.xxx.xxx"},"manager":{"name":"xxx"},"id":"1736131024.936826120","previous_output":"196.119.225.107 - - [05/Jan/2025:23:36:49 -0300] \"GET //test/wp-includes/wlwmanifest.xml HTTP/1.1\" 404 196 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36\"\n196.119.225.107 - - [05/Jan/2025:23:36:49 -0300] \"GET //wp1/wp-includes/wlwmanifest.xml HTTP/1.1\" 404 196 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36\"\n196.119.225.107 - - [05/Jan/2025:23:36:48 -0300] \"GET //shop/wp-includes/wlwmanifest.xml HTTP/1.1\" 404 196 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36\"\n196.119.225.107 - - [05/Jan/2025:23:36:48 -0300] \"GET //2019/wp-includes/wlwmanifest.xml HTTP/1.1\" 404 196 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36\"\n196.119.225.107 - - [05/Jan/2025:23:36:44 -0300] \"GET //2020/wp-includes/wlwmanifest.xml HTTP/1.1\" 404 196 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36\"\n196.119.225.107 - - 
[05/Jan/2025:23:36:44 -0300] \"GET //news/wp-includes/wlwmanifest.xml HTTP/1.1\" 404 196 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36\"\n196.119.225.107 - - [05/Jan/2025:23:36:44 -0300] \"GET //wp/wp-includes/wlwmanifest.xml HTTP/1.1\" 404 196 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36\"\n196.119.225.107 - - [05/Jan/2025:23:36:31 -0300] \"GET //website/wp-includes/wlwmanifest.xml HTTP/1.1\" 404 196 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36\"\n196.119.225.107 - - [05/Jan/2025:23:36:30 -0300] \"GET //web/wp-includes/wlwmanifest.xml HTTP/1.1\" 404 196 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36\"\n196.119.225.107 - - [05/Jan/2025:23:36:30 -0300] \"GET //wordpress/wp-includes/wlwmanifest.xml HTTP/1.1\" 404 196 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36\"\n196.119.225.107 - - [05/Jan/2025:23:36:29 -0300] \"GET //blog/wp-includes/wlwmanifest.xml HTTP/1.1\" 404 196 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36\"","full_log":"196.119.225.107 - - [05/Jan/2025:23:36:50 -0300] \"GET //wp2/wp-includes/wlwmanifest.xml HTTP/1.1\" 404 196 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36\"","decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"196.119.225.107","id":"404","url":"//wp2/wp-includes/wlwmanifest.xml"},"location":"/var/log/httpd/access_log"},"program":"active-response/bin/firewall-drop"}}

2025/01/05 23:46:52 active-response/bin/firewall-drop: Ended

Today, the rule was not triggered once, but yesterday it was, according to the log, and the configuration has existed since last Thursday.

Olamilekan Abdullateef Ajani

Jan 9, 2025, 4:00:15 AM
to Wazuh | Mailing List
Hello Arthur,

To also help understand the challenge, I would like to ask what type of setup you have, a single node or a multi-node cluster. If multi-node, could you check whether you have replicated the configuration to the other manager?
That may be the reason why it still keeps referencing the previous response script.

And beyond that, after applying the configuration, did you restart the manager? systemctl restart wazuh-manager.

You need to restart the manager for the changes to take effect.

If after all this, you cannot see positive changes, please share the ossec log related to active response in /var/ossec/logs/ossec.log.

I await feedback from you

Arthur Henrique Oliveira Aparício

Jan 9, 2025, 6:05:02 AM
to Wazuh | Mailing List
Hello,

I'm using a single node configuration, and I restarted the manager. About the logs, in /var/ossec/logs/ossec.log I didn't find any logs about active response, and in /var/ossec/logs/active-responses.log the only thing I found was like the other log that I already pasted here.


2025/01/08 22:35:40 active-response/bin/firewall-drop: Starting
2025/01/08 22:35:40 active-response/bin/firewall-drop: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2025-01-08T22:36:07.651-0300","rule":{"level":10,"description":"Multiple web server 400 error codes from same source ip.","id":"31151","mitre":{"id":["T1595.002"],"tactic":["Reconnaissance"],"technique":["Vulnerability Scanning"]},"frequency":14,"firedtimes":1,"mail":true,"groups":["web","accesslog","web_scan","recon"],"pci_dss":["6.5","11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SA.11","SI.4"],"tsc":["CC6.6","CC7.1","CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"078","name":"xxx","ip":"xxx"},"manager":{"name":"xxx"},"id":"1736386567.1012795979","previous_output":"130.61.37.96 - - [08/Jan/2025:22:35:37 -0300] \"GET /phpunit/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:35 -0300] \"GET /phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:33 -0300] \"GET /phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:31 -0300] \"GET /phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:29 -0300] \"GET /vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:27 -0300] \"GET /vendor/phpunit/phpunit/LICENSE/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:25 -0300] \"GET /vendor/phpunit/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:23 -0300] \"GET /vendor/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:22 -0300] 
\"GET /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:20 -0300] \"GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:18 -0300] \"POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"","full_log":"130.61.37.96 - - [08/Jan/2025:22:35:38 -0300] \"GET /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"","decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"130.61.37.96","id":"404","url":"/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php"},"location":"/var/log/httpd/access_log"},"program":"active-response/bin/firewall-drop"}}

2025/01/08 22:35:40 active-response/bin/firewall-drop: {"version":1,"origin":{"name":"firewall-drop","module":"active-response"},"command":"check_keys","parameters":{"keys":["130.61.37.96"]}}
2025/01/08 22:35:40 active-response/bin/firewall-drop: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"continue","parameters":{"extra_args":[],"alert":{"timestamp":"2025-01-08T22:36:07.651-0300","rule":{"level":10,"description":"Multiple web server 400 error codes from same source ip.","id":"31151","mitre":{"id":["T1595.002"],"tactic":["Reconnaissance"],"technique":["Vulnerability Scanning"]},"frequency":14,"firedtimes":1,"mail":true,"groups":["web","accesslog","web_scan","recon"],"pci_dss":["6.5","11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SA.11","SI.4"],"tsc":["CC6.6","CC7.1","CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"078","name":"xxx","ip":"x"},"manager":{"name":"xxx"},"id":"1736386567.1012795979","previous_output":"130.61.37.96 - - [08/Jan/2025:22:35:37 -0300] \"GET /phpunit/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:35 -0300] \"GET /phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:33 -0300] \"GET /phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:31 -0300] \"GET /phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:29 -0300] \"GET /vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:27 -0300] \"GET /vendor/phpunit/phpunit/LICENSE/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:25 -0300] \"GET /vendor/phpunit/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:23 -0300] \"GET /vendor/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:22 
-0300] \"GET /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:20 -0300] \"GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:18 -0300] \"POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"","full_log":"130.61.37.96 - - [08/Jan/2025:22:35:38 -0300] \"GET /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"","decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"130.61.37.96","id":"404","url":"/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php"},"location":"/var/log/httpd/access_log"},"program":"active-response/bin/firewall-drop"}}

2025/01/08 22:35:40 active-response/bin/firewall-drop: Ended
2025/01/08 22:45:41 active-response/bin/firewall-drop: Starting
2025/01/08 22:45:41 active-response/bin/firewall-drop: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2025-01-08T22:36:07.651-0300","rule":{"level":10,"description":"Multiple web server 400 error codes from same source ip.","id":"31151","mitre":{"id":["T1595.002"],"tactic":["Reconnaissance"],"technique":["Vulnerability Scanning"]},"frequency":14,"firedtimes":1,"mail":true,"groups":["web","accesslog","web_scan","recon"],"pci_dss":["6.5","11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SA.11","SI.4"],"tsc":["CC6.6","CC7.1","CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"078","name":"xxx","ip":"xxx"},"manager":{"name":"xxx"},"id":"1736386567.1012795979","previous_output":"130.61.37.96 - - [08/Jan/2025:22:35:37 -0300] \"GET /phpunit/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:35 -0300] \"GET /phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:33 -0300] \"GET /phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:31 -0300] \"GET /phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:29 -0300] \"GET /vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:27 -0300] \"GET /vendor/phpunit/phpunit/LICENSE/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:25 -0300] \"GET /vendor/phpunit/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:23 -0300] \"GET /vendor/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:22 
-0300] \"GET /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:20 -0300] \"GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"\n130.61.37.96 - - [08/Jan/2025:22:35:18 -0300] \"POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"","full_log":"130.61.37.96 - - [08/Jan/2025:22:35:38 -0300] \"GET /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1\" 404 196 \"-\" \"Custom-AsyncHttpClient\"","decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"130.61.37.96","id":"404","url":"/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php"},"location":"/var/log/httpd/access_log"},"program":"active-response/bin/firewall-drop"}}

2025/01/08 22:45:41 active-response/bin/firewall-drop: Ended

That is all I got.
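The log excerpts above are the active-responses.log lines that later lead the responder to note that only firewall-drop, not the custom command, was ever invoked. The following is an added example (not part of the thread or of Wazuh itself) of a small triage parser for that file: it reads the execd JSON messages that follow the "program:" prefix, ignores the script's own check_keys line, and counts which script ran for which rule id and source address. The sample lines are constructed to mirror the format shown above, with documentation addresses instead of the real ones.

```python
import json
import re
from collections import Counter

# Constructed sample, modelled on the active-responses.log format shown in the thread.
# Only the alert fields this parser reads are kept in the JSON documents.
SAMPLE_LOG = """\
2025/01/08 22:35:40 active-response/bin/firewall-drop: Starting
2025/01/08 22:35:40 active-response/bin/firewall-drop: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"rule":{"level":10,"id":"31151"},"data":{"srcip":"203.0.113.7"}},"program":"active-response/bin/firewall-drop"}}
2025/01/08 22:35:40 active-response/bin/firewall-drop: {"version":1,"origin":{"name":"firewall-drop","module":"active-response"},"command":"check_keys","parameters":{"keys":["203.0.113.7"]}}
2025/01/08 22:35:40 active-response/bin/firewall-drop: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"continue","parameters":{"extra_args":[],"alert":{"rule":{"level":10,"id":"31151"},"data":{"srcip":"203.0.113.7"}},"program":"active-response/bin/firewall-drop"}}
2025/01/08 22:35:40 active-response/bin/firewall-drop: Ended
2025/01/08 22:45:41 active-response/bin/firewall-drop: Starting
2025/01/08 22:45:41 active-response/bin/firewall-drop: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"rule":{"level":10,"id":"31151"},"data":{"srcip":"203.0.113.7"}},"program":"active-response/bin/firewall-drop"}}
2025/01/08 22:45:41 active-response/bin/firewall-drop: Ended
2025/01/08 23:01:02 active-response/bin/custom-diotg-firewall-drop.py: Starting
2025/01/08 23:01:02 active-response/bin/custom-diotg-firewall-drop.py: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"rule":{"level":10,"id":"31151"},"data":{"srcip":"198.51.100.9"}},"program":"active-response/bin/custom-diotg-firewall-drop.py"}}
"""

# "<date> <time> <program>: <rest>"; <rest> is either a marker (Starting/Ended) or a JSON document
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\S+): (.*)$")


def parse_line(line):
    """Return (timestamp, program, payload); payload is a dict for JSON lines and
    None for the plain Starting/Ended markers. Unparseable lines yield None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, program, rest = m.groups()
    payload = None
    if rest.startswith("{"):
        try:
            payload = json.loads(rest)
        except json.JSONDecodeError:
            return None  # truncated or wrapped line: skip it rather than crash
    return ts, program, payload


def summarize(log_text):
    """Count execd commands per (script, command, rule id, srcip)."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed or parsed[2] is None:
            continue
        _, program, msg = parsed
        # check_keys is emitted by the script itself (module "active-response"); skip it
        if msg.get("origin", {}).get("module") != "wazuh-execd":
            continue
        alert = msg.get("parameters", {}).get("alert", {})
        rule_id = alert.get("rule", {}).get("id")
        srcip = alert.get("data", {}).get("srcip")  # srcip sits under "data"
        script = program.rsplit("/", 1)[-1]
        counts[(script, msg.get("command"), rule_id, srcip)] += 1
    return counts


def programs_for_rule(log_text, rule_id):
    """Which scripts execd invoked for a given rule id (sorted, de-duplicated)."""
    return sorted({key[0] for key in summarize(log_text) if key[2] == rule_id})


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key)
    print("scripts run for 31151:", programs_for_rule(SAMPLE_LOG, "31151"))
```

On the real file, replace SAMPLE_LOG with the contents of /var/ossec/logs/active-responses.log; if the custom command never appears in the output of programs_for_rule, execd never launched it, which points at the manager-side configuration rather than at the script.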

Olamilekan Abdullateef Ajani

Jan 15, 2025, 3:16:13 AM
to Wazuh | Mailing List
Hello Arthur,

Apologies for the late feedback.

From the logs you shared, I can see activities for firewall-drop and not diotg-firewall-drop. I would like to see if the Active response script is being triggered.

Could you verify that rule 31151 is active? You can try to trigger an event based on it to be sure. Please check the ossec.log file for some AR activity.

I can also see from your active response block that the <location> tag carries local. Could you please check the ossec.log file on the server where the events were triggered?

Please let me know

Arthur Henrique Oliveira Aparício

Jan 15, 2025, 5:54:23 AM
to Wazuh | Mailing List
Hello,

I triggered the rule:

Captura de tela 2025-01-15 074716.png

And this is what I have in the agent ossec.log:

Captura de tela 2025-01-15 074938.png

About the manager, I have only this in ossec.log, because we are integrating Suricata:

Captura de tela 2025-01-15 075129.png

And, to be sure, I checked that the Python file is present in the agent:

Captura de tela 2025-01-15 075336.png

Olamilekan Abdullateef Ajani

Jan 21, 2025, 6:22:40 AM
to Wazuh | Mailing List
Hello,

Apologies for the late feedback. I was also trying to simulate something similar to this but it works.

To try and figure out the issue here: I am unable to see active response activities in the log snapshots you shared.

This is how it works: when the rule gets triggered and active response starts operating, we are supposed to see these activities in ossec.log, telling us the current status and what is being done at each moment. This would allow us to isolate the issue.

Kindly trigger the rule once again and share the full ossec.log file from both the agent and the Wazuh server, and please indicate the TIME you triggered it so we are able to track it in the log file.

I await feedback from you

Arthur Henrique Oliveira Aparício

Jan 27, 2025, 12:10:45 PM
to Wazuh | Mailing List
Hello,

We were updating some systems (including Wazuh), and now I can reproduce the problem.

The alert (that I triggered):

Captura de tela 2025-01-27 140411.png

Log on the manager (I don't have more logs, and it's 02:10 p.m.):

Captura de tela 2025-01-27 140651.png

Log on the agent:

Captura de tela 2025-01-27 141041.png

I don't know why I don't have logs about active response in ossec.log.

Olamilekan Abdullateef Ajani

Feb 4, 2025, 7:20:02 AM
to Wazuh | Mailing List
Hello Arthur,

I would like to reproduce this issue in my lab environment and see if it generates any output. Could you please share the log related to rule 31151 from the alerts.json file, /var/ossec/logs/alerts.json:

cat /var/ossec/logs/alerts.json | grep "part-of-the-log"

Also please share the active response scripts too.

Arthur Henrique Oliveira Aparício

Feb 5, 2025, 8:15:48 AM
to Wazuh | Mailing List
Hello,

I tried to find any log related to rule 31151 in /var/ossec/logs/alerts/alerts.json (I don't have the file /var/ossec/logs/alerts.json), but nothing is returned.

About the script, I have this file: /var/ossec/active-response/bin/custom-diotg-firewall-drop.py

# Excerpt: the command-handling part of main(argv) in the script. The helpers
# setup_and_check_message, send_keys_and_check_message and write_debug_file, and the
# ADD_COMMAND / DELETE_COMMAND / CONTINUE_COMMAND / ABORT_COMMAND and OS_SUCCESS / OS_INVALID
# constants, are defined earlier in the file, as in the documentation template the
# script was copied from.
import ipaddress
import os
import sys

ALLOWED_RANGE = ipaddress.ip_network("150.163.0.0/16")


def is_ip_in_range(ip):
    """Range check added to the template: only addresses inside ALLOWED_RANGE are blocked."""
    try:
        return ipaddress.ip_address(ip) in ALLOWED_RANGE
    except ValueError:
        return False


def main(argv):
    # parse the JSON message execd passes on stdin (template helper)
    msg = setup_and_check_message(argv)

    # both the add and the delete branch need the alert, so read it once here
    alert = msg.alert["parameters"]["alert"]
    # the source address is nested under "data" in the alert, not at its top level
    src_ip = alert.get("data", {}).get("srcip")

    if msg.command == ADD_COMMAND:

        """ Start Custom Key
        At this point, it is necessary to select the keys from the alert and add them into the keys array.
        """

        # the default firewall-drop keys on the source IP; keying on the rule id makes
        # execd's repeat-offender tracking per rule rather than per address
        keys = [alert["rule"]["id"]]

        """ End Custom Key """

        action = send_keys_and_check_message(argv, keys)

        # if necessary, abort execution
        if action != CONTINUE_COMMAND:

            if action == ABORT_COMMAND:
                write_debug_file(argv[0], "Aborted")
                sys.exit(OS_SUCCESS)
            else:
                write_debug_file(argv[0], "Invalid command")
                sys.exit(OS_INVALID)

        """ Start Custom Action Add """

        with open("ar-test-result.txt", mode="a") as test_file:
            test_file.write("Active response triggered by rule ID: <" + str(keys) + ">\n")

        if not src_ip:
            write_debug_file(argv[0], "Source IP not found in alert")
            sys.exit(OS_INVALID)

        if not is_ip_in_range(src_ip):
            write_debug_file(argv[0], f"IP {src_ip} is not in the allowed range ({ALLOWED_RANGE}). Ignoring.")
            sys.exit(OS_SUCCESS)

        block_command = f"iptables -A INPUT -s {src_ip} -j DROP"

        # Run the command; os.system() does not raise on failure, so check its exit status
        if os.system(block_command) != 0:
            write_debug_file(argv[0], f"Error blocking IP: {src_ip}")
            sys.exit(OS_INVALID)
        write_debug_file(argv[0], f"Blocked IP: {src_ip} using iptables")

        """ End Custom Action Add """

    elif msg.command == DELETE_COMMAND:

        """ Start Custom Action Delete """

        # the add branch may have exited before creating the file
        if os.path.exists("ar-test-result.txt"):
            os.remove("ar-test-result.txt")

        if not src_ip:
            write_debug_file(argv[0], "Source IP not found in alert")
            sys.exit(OS_INVALID)

        unblock_command = f"iptables -D INPUT -s {src_ip} -j DROP"

        if os.system(unblock_command) != 0:
            write_debug_file(argv[0], f"Error unblocking IP: {src_ip}")
            sys.exit(OS_INVALID)
        write_debug_file(argv[0], f"Unblocked IP: {src_ip} using iptables")

        """ End Custom Action Delete """

I copied the file from the documentation and added only a verification for an IP range and the block command.
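The script above follows the documentation template's flow: read the execd message from stdin, send a check_keys message back, act only on a continue reply, and undo the action on the delete command. The following is an added example (not the poster's script and not Wazuh's template) that models that exchange offline: the reply from execd and the iptables call are injected as callables, the source address is read from the alert's data.srcip field (the location the alert JSON in this thread shows), and the 150.163.0.0/16 range from the script is applied to both add and delete. The message is constructed with a documentation address; the script name and the helper names are assumptions.

```python
import ipaddress
import json
import subprocess
import sys

# Constructed execd "add" message in the shape shown in the thread's active-responses.log;
# only the fields this handler reads are kept.
ADD_MESSAGE = {
    "version": 1,
    "origin": {"name": "node01", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {
            "rule": {"level": 10, "id": "31151"},
            "data": {"protocol": "GET", "srcip": "150.163.10.20", "id": "404"},
        },
        "program": "active-response/bin/custom-diotg-firewall-drop.py",
    },
}

SCRIPT_NAME = "custom-diotg-firewall-drop"              # assumed name
ALLOWED_RANGE = ipaddress.ip_network("150.163.0.0/16")  # range from the thread's script


def make_message(command, srcip):
    """Constructed variant of ADD_MESSAGE; srcip=None drops the field entirely."""
    msg = json.loads(json.dumps(ADD_MESSAGE))  # deep copy
    msg["command"] = command
    if srcip is None:
        del msg["parameters"]["alert"]["data"]["srcip"]
    else:
        msg["parameters"]["alert"]["data"]["srcip"] = srcip
    return msg


def extract_srcip(alert):
    """The source address is nested under alert['data'], not at the alert's top level."""
    return alert.get("data", {}).get("srcip")


def in_range(ip, net=ALLOWED_RANGE):
    try:
        return ipaddress.ip_address(ip) in net
    except ValueError:
        return False


def check_keys_message(keys):
    """Message the script hands back to execd before acting; execd answers with
    'continue' or 'abort' (its repeat-offender / timeout decision)."""
    return {"version": 1, "origin": {"name": SCRIPT_NAME, "module": "active-response"},
            "command": "check_keys", "parameters": {"keys": keys}}


def iptables_argv(action, srcip):
    """'-A' appends the DROP rule on add, '-D' removes it again on delete."""
    return ["iptables", action, "INPUT", "-s", srcip, "-j", "DROP"]


def handle(message, ask_execd, run):
    """Return a short decision string. ask_execd(check_keys_msg) -> 'continue'/'abort'
    stands in for the stdout/stdin exchange with execd; run(argv) -> exit code stands
    in for executing iptables, so the logic can be exercised without root."""
    cmd = message.get("command")
    alert = message.get("parameters", {}).get("alert", {})
    srcip = extract_srcip(alert)
    if not srcip:
        return "invalid: no srcip in alert"
    if not in_range(srcip):
        # checked on delete too: nothing was added for this address, so nothing to remove
        return f"ignored: {srcip} outside {ALLOWED_RANGE}"
    if cmd == "add":
        # key on the address so execd tracks repeat offenders per source IP
        reply = ask_execd(check_keys_message([srcip]))
        if reply == "abort":
            return "aborted"
        if reply != "continue":
            return "invalid: unexpected execd reply"
        return "blocked" if run(iptables_argv("-A", srcip)) == 0 else "error: iptables add failed"
    if cmd == "delete":
        return "unblocked" if run(iptables_argv("-D", srcip)) == 0 else "error: iptables delete failed"
    return f"invalid: unknown command {cmd!r}"


def main():
    """Entry point for real use: message on stdin, check_keys to stdout, reply from stdin."""
    message = json.loads(sys.stdin.readline())

    def ask_execd(check_msg):
        sys.stdout.write(json.dumps(check_msg) + "\n")
        sys.stdout.flush()
        return json.loads(sys.stdin.readline()).get("command")

    print(handle(message, ask_execd, subprocess.call), file=sys.stderr)


if __name__ == "__main__":
    main()
```

Because handle() takes the execd reply and the command runner as parameters, the add/abort/delete paths can be tested on a workstation before the file is dropped into active-response/bin; when deploying for real, keep the exit-code handling, since a failed iptables call otherwise goes unnoticed.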

DG

Feb 7, 2025, 12:08:50 PM
to Wazuh | Mailing List
I am having similar issues with a python script that I created for active response integration. I am hoping this could be useful in troubleshooting as I have done a fair amount of troubleshooting myself. 
Screenshot 2025-02-07 114533.png
Screenshot 2025-02-07 114649.png

So I manually tried to trigger the cloudflare-block.py script within the Docker container, but it would fail. So I needed to create a cloudflare-block.sh script to call the cloudflare-block.py script.

To me, this .sh script is needed to call the .py script.

The Python script is looking for an alert generated by active response to add in the command "add" action. But for some reason, this is not happening. It never gets to this stage of the process. However, if you use the firewall-drop command in the active response ossec.conf, the active response works. It just does not work for any custom active response scripts.

This is me manually triggering the scripts with a JSON payload from within the Docker Wazuh manager:

Screenshot 2025-02-07 120435.png

Checked Cloudflare and confirmed the IP is added to the custom list.

Not sure if this will help in the troubleshooting process, but wanted to give troubleshooting steps for a similar problem that I am still trying to figure out. 
cloudflare-block.py
cloudflare-block.sh

Olamilekan Abdullateef Ajani

Feb 17, 2025, 8:57:27 AM
to Wazuh | Mailing List
Hello Arthur,

I have tested your active response script and it seems not to work. I believe there is an issue with the Python script. Could you please confirm this is the same one you have been using previously, as I see this was copied from the documentation, just as you also mentioned.

Another thing to point out: I hope you realize rule ID 31151 is a frequency-based rule which can only trigger when the set events are met: <rule id="31151" level="10" frequency="14" timeframe="90">.

The default firewall block active response script works just fine; I also tested that, because I see that's similar to what you are trying to achieve here. Kindly review the script; you can also reference the documentation here. But please let me know.

If you require further assistance on this, please capture the logs and also share the working script you have.

cat /var/ossec/logs/alerts/alerts.json | grep "rule-31151-example-logs"