Active-Response


TheMTG

Apr 16, 2023, 8:08:45 AM4/16/23
to Wazuh mailing list

Hey, I am trying to make an active response for when someone tries to brute force RDP (Remote Desktop Protocol) on my endpoints (Windows agents).
I have pasted this in the ossec.conf file. When I manually type the password wrong multiple times I just get an alert, no response blocking me for 120 seconds.

<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>60204</rules_id>
    <timeout>120</timeout>
  </active-response>
</ossec_config>


TheMTG

Apr 16, 2023, 8:12:41 AM4/16/23
to Wazuh mailing list
The command definition

<command>
  <name>firewall-drop</name>
  <executable>firewall-drop</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>

is present in the conf.

Pacome Kemkeu

Apr 16, 2023, 8:27:18 AM4/16/23
to Wazuh mailing list
Hello,
The firewall-drop active response script is used to block IP addresses on Linux endpoints only.
In order to block IP addresses on Windows endpoints, you can use the netsh active response.
Your active response block will then look as follows:

<active-response>
  <command>netsh</command>
  <location>local</location>
  <rules_id>60204</rules_id>
  <timeout>120</timeout>
</active-response>

Your issue is the one covered in our Detecting a brute-force attack PoC use case; kindly take a look at it.
At the same time, I recommend you also take a look at how it is used in the Blocking a known malicious actor PoC use case.

I hope you find this helpful.
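
An added example of the manager-side configuration the netsh response depends on, together with the checks a practitioner would run when the alert fires but no block happens. This is editorial illustration, not the poster's configuration and not text from the Wazuh project; it assumes a Wazuh 4.x manager whose default ossec.conf already ships the `netsh` command definition shown, and the default Windows agent install path.

```xml
<!-- Manager-side ossec.conf. Active response is configured on the manager;
     the Windows agent only needs <active-response><disabled>no</disabled></active-response>.
     Added example, not configuration taken from the thread. -->
<ossec_config>
  <!-- Command definition: the <active-response> block references it by name,
       so it must exist and must not be commented out. This is the definition
       Wazuh 4.x ships by default (assumption: unmodified default config). -->
  <command>
    <name>netsh</name>
    <executable>netsh.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Bind the command to the rule. location=local runs netsh.exe on the
       agent that produced the alert; timeout=120 removes the block after
       120 seconds because timeout_allowed is yes on the command. -->
  <active-response>
    <command>netsh</command>
    <location>local</location>
    <rules_id>60204</rules_id>
    <timeout>120</timeout>
  </active-response>
</ossec_config>
```

Checks, in the order I would run them: restart the manager after editing (`systemctl restart wazuh-manager`) since the file is read only at start-up; confirm the `rule.id` in the dashboard alert is exactly 60204, because `rules_id` is an exact match and a different rule in the same brute-force chain will not trigger it; on the Windows agent, look at `C:\Program Files (x86)\ossec-agent\active-response\active-responses.log` for an execution record, which separates "the manager never sent the response" from "the agent ran it and the block did not stick". One caveat before enabling this in production: a `local` response blocks whatever source IP the alert carries, so repeated failures from a misconfigured service account or a jump host can lock out legitimate administrators for the timeout window.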

TheMTG

Apr 16, 2023, 10:31:44 AM4/16/23
to Wazuh mailing list
Thanks! 

TheMTG

Apr 16, 2023, 11:21:53 AM4/16/23
to Wazuh mailing list
I changed the script, but it doesn't work. I just get the alert, but no response.

Pacome Kemkeu

Apr 17, 2023, 3:26:37 AM4/17/23
to Wazuh mailing list
Kindly share with me the configuration you applied in your ossec.conf file and a screenshot of the alert on your dashboard please.