Help with active response curl examples

[Dhananjay Saraf]

Hi Team,

I am looking for an example curl commands and explanations on how to evoke the active response API.

Particularly I am looking for  how to block IP in IPtables on Linux using active response API.

Any pointers will be helpful.

Thanks in advance

Wazuh version : 4.2.4

Best Regards,

Dhananjay

[Hanes Nahuel Sciarrone]

Hi git.medhanu

I hope you are well. Thank you for using Wazuh and sharing your question with the community. If you want to block a specific IP there is a particular script that Wazuh has made for this purpose, I leave you the specific section of the documentation that talks about this, and there is an example of that. Please keep in mind that if you need to run a specific active response binary or script you must associate some rule that triggers the script. For example, in the link, I send you the rules within the "authentication_failed" or "authentication_fails" group triggers the active response script. Also, you can run the active response script for a particular rule only when you set the rules_id tag in the ossec.conf.

In addition, there is an API command that allows executing an active response command or script, I leave the link to the explanation command.

I hope you find the information useful.

Best regards

Hanes

[Dhananjay Saraf]

Hi Team,

I have searched through the Slack channel and got the info I needed.

A beginner to advance tutorial and guidance for active responses  will help to create more complex responses. 

Thanks in advance.

Best Regards,

Dhananjay

[Dhananjay Saraf]

Thank you so much Hanes!

[Hanes Nahuel Sciarrone]

Hi Dhananjay

Excellent news, well I hope you can do all that you need with the Wazuh project and if you have questions please ask in the community channel to receive the answers to your questions. Have a nice week

Best regards

Hanes