Active Response rule and RDP


Oliver Olsen

Oct 2, 2023, 1:46:27 PM
to Wazuh | Mailing List
Hi there,
Been tinkering with an Active Response rule that blocks brute force RDP attacks, but I cannot seem to get the hang of this. I've found a few pieces of info in this group as well as a few other posts, but I'm quite sure I'm missing something or have some syntax error/missing logic.
Platform for the Wazuh install is Debian 12.1 and Wazuh 4.5.2-1 (3 indexers, 3 managers, 1 dashboard and 1 Nginx loadbalancer). Everything seems to work as expected, but Active Response on Windows is a bit more tricky than expected.

On the Windows 2022 agent I've changed the osscd.conf to use 
     <log_format>eventlog</log_format>
to get agent.srcip in Wazuh. Trying an attack from Kali I surely see lots of 18130 and 40111 events in the dashboard (as opposed to 60122 prior to the change of log_format) as well as the correct agent.srcip from the Kali attacker.

On the managers I have this in osscd.conf

  <command>
    <name>win_route-null</name>
    <executable>route-null.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

and

  <active-response>
    <command>win_route-null</command>
    <location>local</location>
    <rules_id>60122,60204,18130,40111</rules_id>
  </active-response>
 
Can't seem to get this config to create a new firewall rule on Windows, so probably some rookie mistake? I am using similar rules on Linux agents (for ssh) with IDs 5710, 5712 and 5758, and they all work like a charm, actively adding firewall rules. Has anybody successfully implemented this on Windows and is willing to share a working config?

Thanks! :-)

Sebastian Dario Bustos

Oct 2, 2023, 8:40:45 PM
to Wazuh | Mailing List
Hello Oliver,
Thank you for using Wazuh!!!
I don't see any errors in your shared manager's config. Can you please provide the active-response configuration on your agent? It should show you a block similar to this:

  <active-response>
    <disabled>no</disabled>
    <ca_store>wpk_root.pem</ca_store>
    <ca_verification>yes</ca_verification>
  </active-response>

Also please make sure you have the default script on the agent's location: C:\Program Files (x86)\ossec-agent\active-response\bin

Let me know.
Regards.

Oliver Olsen

Oct 3, 2023, 5:28:08 AM
to Wazuh | Mailing List
Hi Sebastian,

My agent has this regarding active response

  <!-- Active response -->

  <active-response>
    <disabled>no</disabled>
    <ca_store>wpk_root.pem</ca_store>
    <ca_verification>yes</ca_verification>
  </active-response>

Seems identical to yours?

I have netsh.exe, restart-wazuh.exe and route-null.exe in C:\Program Files (x86)\ossec-agent\active-response\bin on the Windows 2022 server

When I check the master manager, it also appears that this Active Response should be available?

root@waz-srv01:/var/ossec/bin/# ./agent_control -L

Wazuh agent_control. Available active responses:

   Response name: firewall-drop180, command: firewall-drop
   Response name: firewall-drop180, command: firewall-drop
   Response name: firewall-drop180, command: firewall-drop
   Response name: win_route-null0, command: route-null.exe


Regards,
Oliver

Sebastian Dario Bustos

Oct 3, 2023, 8:38:39 PM
to Wazuh | Mailing List
Hi Oliver,
I'm sorry, this was a typo, correct?

" On the Windows 2022 agent I've changed the osscd.conf to use"

You meant the filename ossec.conf in your agent's config folder ( C:\Program Files (x86)\ossec-agent\ossec.conf).

About the log format: you should still get the logs with the eventchannel format, and in case you need some rule to catch them you can modify it or create a sibling rule with your desired field.

Let me know.
Regards.
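The "sibling rule with your desired field" suggested above, written out as an added example (this is not config from the thread or from the Wazuh ruleset). It keeps the Windows agent on the default eventchannel log format and correlates the stock rule 60122 (event 4625, logon failure) on the source-address field the eventchannel decoder produces, win.eventdata.ipAddress, so one alert fires per attacking host instead of one per failed logon. The rule ID 100100, the level, and the frequency/timeframe/ignore values are assumptions to adjust; the fragment goes in /var/ossec/etc/rules/local_rules.xml on each manager.

```xml
<!-- Added example, not part of the original thread.
     Frequency-based child rule for Windows logon failures received via
     the eventchannel log format. Rule ID, level, frequency, timeframe and
     ignore are assumed values; the field name win.eventdata.ipAddress is
     the one the eventchannel decoder fills for event 4625. -->
<group name="windows,authentication_failed,rdp_bruteforce,">

  <!-- Fire once 5 alerts from rule 60122 arrive from the same source
       address within 120 seconds, then stay quiet for that address for
       600 seconds so the active response is not re-triggered on every
       further attempt. -->
  <rule id="100100" level="10" frequency="5" timeframe="120" ignore="600">
    <if_matched_sid>60122</if_matched_sid>
    <same_field>win.eventdata.ipAddress</same_field>
    <description>Windows logon brute force from $(win.eventdata.ipAddress): repeated logon failures (event 4625)</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>

</group>
```

Point the manager's `<rules_id>` in the `<active-response>` block at 100100 (rather than at 60122 itself) and restart the manager. Before relying on it, confirm that the alert the rule generates actually carries the address in the field the response binary expects: the thread notes that route-null.exe was being driven by srcip, which the eventchannel alert does not populate, so after a test burst of failed RDP logons check the agent's active-response\active-responses.log under C:\Program Files (x86)\ossec-agent\ to see whether the response ran and which address (if any) it received. If the binary does not pick the address up from win.eventdata.ipAddress, either keep the eventlog format as the first post does, or wrap the response in a script that reads that field from the alert JSON passed on stdin.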