Active Response - route-null


Kotory

Aug 15, 2022, 3:37:26 AM8/15/22
to Wazuh mailing list
Hello Wazuh team.
I'm a beginner and trying to figure out a way to block certain hosts/IPs when malicious activity is detected (brute-force RDP/SSH connections, for instance).
"Firewall-drop" on Linux-based machines works as intended without any issue, while the Windows "route-null" AR seems to be faulty.

I created a quite basic AR test task, which looks like this:

  <active-response>
    <command>win_route-null</command>
    <location>local</location>
    <rules_id>60204</rules_id>
    <timeout>90</timeout>
  </active-response>

which is basically supposed to block the attacker after multiple failed Windows logons.

When I'm trying to brute-force an RDP connection, Wazuh detects it and the AR is applied.
However, it doesn't do anything; the attacker still continues the brute-force session.

I checked the routing table with "route print" and I can see the route added by the AR. In my case it's

===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     192.168.48.2  Default
   192.168.48.100  255.255.255.255     192.168.48.2       1
===========================================================================

The added route's destination IP is the same as the default gateway.
Isn't null-routing supposed to route packets to a nonexistent IP instead of the legitimate DG? Am I missing something?

Thank you.
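As an added example (not part of the original post), a small Python check of exactly the condition described above: it parses the "Persistent Routes" section of `route print` output and flags any /32 host route whose next hop is the default gateway, which means traffic to that host still follows the default path rather than being dropped. The sample table is constructed from the values quoted in the post.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of the "Persistent Routes" section of `route print`,
# built from the values quoted in the post (not captured from a live host).
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     192.168.48.2  Default
   192.168.48.100  255.255.255.255     192.168.48.2       1
===========================================================================
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROUTE_RE = re.compile(r"^\s*" + IPV4 + r"\s+" + IPV4 + r"\s+(\S+)\s+(\S+)\s*$")

def parse_persistent_routes(text: str) -> List[Dict[str, str]]:
    """Return the rows of the 'Persistent Routes' table as dicts."""
    routes: List[Dict[str, str]] = []
    in_section = False
    for line in text.splitlines():
        if line.strip().startswith("Persistent Routes:"):
            in_section = True
            continue
        m = ROUTE_RE.match(line) if in_section else None
        if m:
            dest, mask, gateway, metric = m.groups()
            routes.append({"dest": dest, "mask": mask,
                           "gateway": gateway, "metric": metric})
    return routes

def default_gateway(routes: List[Dict[str, str]]) -> Optional[str]:
    """Gateway of the 0.0.0.0 / 0.0.0.0 entry, or None if there is none."""
    for r in routes:
        if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0":
            return r["gateway"]
    return None

def host_routes_via_default_gateway(routes: List[Dict[str, str]]) -> List[str]:
    """Host (/32) routes whose next hop is the default gateway.

    Such an entry sends the host's traffic to the same next hop the default
    route already uses, so nothing is dropped and the host is not isolated.
    """
    gw = default_gateway(routes)
    return [r["dest"] for r in routes
            if gw is not None and r["mask"] == "255.255.255.255" and r["gateway"] == gw]
```

Run it against the output of `route print` on the agent after the AR has fired; an empty result for the attacker's IP means the added route does not point back at the default gateway.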

antonio....@wazuh.com

Aug 16, 2022, 6:06:01 AM8/16/22
to Wazuh mailing list

Hello dk221285
The first thing we will need:

  • Wazuh Version
  • OS
  • Active configuration.

The active configuration can be retrieved using the Wazuh API executing the following commands from the manager:

In order to debug Active Response, the first step is to enable debug mode (I'm supposing that you are using Windows). To do this, add the following line to the file C:\Program Files (x86)\ossec-agent\local_internal_options.conf:

windows.debug=2

This will enable debug mode for all the components, so in order to reduce the verbosity you will need to temporarily disable the rest of the modules (syscollector, syscheck, rootcheck, and sca); otherwise, it won't be easy to find the relevant logs.
After enabling debug mode, restart the Windows agent in order to apply these changes.

Once this is done, we will be able to see whether the active response is executed properly or not. A successful execution of the AR should print the following output to the C:\Program Files (x86)\ossec-agent\ossec.log file:

2022/07/14 09:52:37 wazuh-agent[3924] receiver-win.c:128 at receiver_thread(): DEBUG: Received message: '#!-execd {"version":1,"origin":{"name":"node01","module":"wazuh-analysisd"},"command":"configured-command","parameters":{"extra_args":[],"alert":{json alert}}}'
2022/07/14 09:52:37 wazuh-agent[3924] notify.c:135 at run_notify(): DEBUG: Sending agent notification.
2022/07/14 09:52:37 wazuh-agent[3924] exec.c:102 at ReadExecConfig(): INFO: Active response command not present: 'active-response/bin/restart-ossec.sh'. Not using it on this system.
2022/07/14 09:52:37 wazuh-agent[3924] notify.c:204 at run_notify(): DEBUG: Sending keep alive: #!-Microsoft Windows Server 2016 Standard Evaluation [Ver: 10.0.14393] - Wazuh v4.3.4 / e147842d28981caf8eec9e13a9edc661
77606329ed44b1c5c8403ec9b3fbf381 merged.mg
#"_agent_ip":10.0.2.15

2022/07/14 09:52:37 wazuh-agent[3924] exec.c:102 at ReadExecConfig(): INFO: Active response command not present: 'active-response/bin/restart-ossec.cmd'. Not using it on this system.
2022/07/14 09:52:37 wazuh-agent[3924] exec.c:102 at ReadExecConfig(): INFO: Active response command not present: 'active-response/bin/restart-ossec.sh'. Not using it on this system.
2022/07/14 09:52:37 wazuh-agent[3924] receiver-win.c:128 at receiver_thread(): DEBUG: Received message: '#!-agent ack '
2022/07/14 09:52:37 wazuh-agent[3924] exec.c:102 at ReadExecConfig(): INFO: Active response command not present: 'active-response/bin/restart-ossec.cmd'. Not using it on this system.
2022/07/14 09:52:37 wazuh-agent[3924] exec.c:102 at ReadExecConfig(): INFO: Active response command not present: 'active-response/bin/restart-wazuh'. Not using it on this system.
2022/07/14 09:52:37 wazuh-agent[3924] win_execd.c:228 at WinExecdRun(): DEBUG: Executing command 'active-response/bin/configured-task.cmd {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{alert_information},"location":"EventChannel"},"program":"active-response/bin/configured-task.cmd"}}'
2022/07/14 09:52:37 wazuh-agent[3924] exec_op.c:131 at wpopenv(): DEBUG: path = 'active-response/bin/configured-task.cmd', command = '"active-response/bin/analyze-scheduled-task.cmd"'
2022/07/14 09:52:37 wazuh-agent[3924] logcollector.c:485 at LogCollectorStart(): DEBUG: Performing file check.
2022/07/14 09:52:38 wazuh-agent[3924] state.c:67 at write_state(): DEBUG: Updating state file.

I also recommend that you read these pages of the documentation:
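As an added example (not code from the reply or from Wazuh), a Python helper for the log check described above: it scans ossec.log debug output for the `WinExecdRun(): DEBUG: Executing command` lines, decodes the JSON payload and reports which active-response program ran, with which action and for which rule id, so you can confirm whether the AR fired for rule 60204 before looking at the routing table. The sample log is constructed after the excerpt in the reply; the program path `active-response/bin/route-null.exe` is an assumed name.

```python
import json
import re
from typing import Dict, List

# Constructed ossec.log sample modelled on the excerpt in the reply above. The
# rule id is the one from the question; the program path is an assumed name.
SAMPLE_LOG = """\
2022/07/14 09:52:37 wazuh-agent[3924] receiver-win.c:128 at receiver_thread(): DEBUG: Received message: '#!-execd {"version":1,"origin":{"name":"node01","module":"wazuh-analysisd"},"command":"win_route-null","parameters":{"extra_args":[],"alert":{"rule":{"id":"60204"}}}}'
2022/07/14 09:52:37 wazuh-agent[3924] exec.c:102 at ReadExecConfig(): INFO: Active response command not present: 'active-response/bin/restart-ossec.sh'. Not using it on this system.
2022/07/14 09:52:37 wazuh-agent[3924] win_execd.c:228 at WinExecdRun(): DEBUG: Executing command 'active-response/bin/route-null.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"rule":{"id":"60204"}},"program":"active-response/bin/route-null.exe"}}'
2022/07/14 09:52:38 wazuh-agent[3924] state.c:67 at write_state(): DEBUG: Updating state file.
"""

# Matches the win_execd debug line that records the program and its JSON payload.
EXEC_RE = re.compile(
    r"WinExecdRun\(\): DEBUG: Executing command '(\S+) (\{.*\})'\s*$"
)

def parse_ar_executions(log_text: str) -> List[Dict[str, str]]:
    """Collect every active-response execution recorded in the log.

    Each entry has the timestamp, program path, action ("add"/"delete")
    and the triggering rule id when the payload carries one.
    """
    runs: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = EXEC_RE.search(line)
        if not m:
            continue
        program, payload = m.groups()
        try:
            msg = json.loads(payload)
        except json.JSONDecodeError:
            continue  # truncated payload; nothing reliable to extract
        rule = msg.get("parameters", {}).get("alert", {}).get("rule", {})
        runs.append({"timestamp": line[:19], "program": program,
                     "action": str(msg.get("command", "")),
                     "rule_id": str(rule.get("id", ""))})
    return runs

def ar_ran_for_rule(log_text: str, rule_id: str, action: str = "add") -> bool:
    """True if an active response with the given action fired for rule_id."""
    return any(r["rule_id"] == rule_id and r["action"] == action
               for r in parse_ar_executions(log_text))
```

With windows.debug=2 enabled, point `parse_ar_executions` at the real ossec.log to see the add and, after the timeout, the matching delete for each triggering alert.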
