Active Response Sort of Working...


Natassia M Stelmaszek

Nov 4, 2022, 2:54:49 PM
to Wazuh mailing list
Sometimes it seems like Active Response is working, other times not so much.  In the most recent case, I set up (on the manager):

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>31151</rules_id>
    <timeout>60</timeout>
  </active-response>

What I expect is that once it triggers, the source IP should be blocked for 60 seconds, but what I'm seeing in the log is: [screenshot: Screenshot 2022-11-04 114855.png]

with hits coming in fractions of a second apart.  Is there some sort of time lag built into the system?  Maybe a communication problem between the server and the agent?

Natassia

Francisco Tuduri

Nov 6, 2022, 6:01:31 PM
to Wazuh mailing list
Hello Natassia!

Does the expected AR trigger eventually?  

A few requests to troubleshoot this problem.

Could you please check if AR is configured correctly on the manager? Please, execute this command: /ossec/bin/agent_control -L
You should see the firewall-drop command listed there.

Could you check if you have any AR alerts (rule id 607)?
If you don't have any AR alerts, can you check the AR log on the agent? It is located at /var/ossec/logs/active-responses.log

Regards!

Natassia S

Nov 7, 2022, 12:49:15 PM
to Francisco Tuduri, Wazuh mailing list
Francisco,

The agent_control -L gave me:
Wazuh agent_control. Available active responses:

   Response name: firewall-drop1800, command: firewall-drop
   Response name: firewall-drop30, command: firewall-drop
   Response name: firewall-drop60, command: firewall-drop
   Response name: firewall-drop60, command: firewall-drop

which matches the four ARs that I have configured.

The AR never triggers for the 31151.

I don't see any 607s, but I have plenty of 651 "Host Blocked by firewall-drop Active Response" entries; none of them were triggered after a 31151 "Multiple web server 400 error codes from same source ip."

On closer inspection I see that for the suspect IP, there were two 5710s "Attempt to login using a non-existent user" followed rapidly by two 651 blocks.  Immediately after those blocks were released I began getting 31101 "Web server 400 error code." at a rate of about 100/second.  After the first 11 of those, it logged the first 31151, followed by 13 more 31101s and the next 31151.  The time between the first and second 31151s was just over 2 seconds.  The pattern repeats, but with some variation in the number of 31101s, and the time between 31151s varies around 1 - 4 seconds.

The full incident, with the same error code associated with the same src.ip, continued for over 10 minutes and the system never responded with a firewall-drop for the 31151; there were, however, several drops of other IPs in response to sshd login failures.

Any ideas?

Natassia




--
Get some rest, take two Tylenol, drink plenty of fluids and reboot often. 
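The alert sequence described above (trigger alerts with no rule 651 following them for the same source IP) can be checked mechanically against the manager's alerts file rather than by eye. The Python below is an added example, not code from this thread or from Wazuh: it reads newline-delimited JSON alerts in the shape Wazuh writes to /var/ossec/logs/alerts/alerts.json and, for every alert of a trigger rule, looks for a rule 651 alert with the same source address inside the configured AR timeout window. The sample alerts are constructed for the example, and the assumption that both the trigger alert and the 651 alert expose the address under data.srcip is mine.

```python
"""Correlate Wazuh trigger alerts with firewall-drop (rule 651) alerts.

Added example, not part of the original thread or of Wazuh itself.
Input is newline-delimited JSON as found in
/var/ossec/logs/alerts/alerts.json; only the fields timestamp, rule.id,
rule.description and data.srcip are used (data.srcip on the 651 alert is
an assumption made for this example).
"""
import json
from datetime import datetime, timedelta

AR_RULE = "651"                 # "Host Blocked by firewall-drop Active Response"
TRIGGER_RULES = {"5710", "31151"}  # the two rules discussed in the thread


def parse_ts(ts):
    # Wazuh alert timestamps look like 2022-11-04T11:48:55.100-0500
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def load_alerts(lines):
    """Parse alerts.json lines into a time-sorted list of small dicts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        a = json.loads(line)
        alerts.append({
            "ts": parse_ts(a["timestamp"]),
            "rule": str(a["rule"]["id"]),
            "desc": a["rule"].get("description", ""),
            "srcip": a.get("data", {}).get("srcip"),
        })
    alerts.sort(key=lambda x: x["ts"])
    return alerts


def correlate(alerts, trigger_rules=TRIGGER_RULES, ar_rule=AR_RULE, timeout_s=60):
    """For each trigger alert, find the first AR alert for the same srcip
    that fires within timeout_s after it. Returns one record per trigger."""
    window = timedelta(seconds=timeout_s)
    ar_events = [a for a in alerts if a["rule"] == ar_rule]
    results = []
    for t in alerts:
        if t["rule"] not in trigger_rules:
            continue
        match = next((ar for ar in ar_events
                      if ar["srcip"] == t["srcip"]
                      and t["ts"] <= ar["ts"] <= t["ts"] + window), None)
        results.append({
            "rule": t["rule"],
            "srcip": t["srcip"],
            "at": t["ts"].isoformat(),
            "blocked": match is not None,
            "delay_s": (match["ts"] - t["ts"]).total_seconds() if match else None,
        })
    return results


def summarize(results):
    """Per-rule counts: how many triggers fired and how many got a block."""
    summary = {}
    for r in results:
        s = summary.setdefault(r["rule"], {"triggered": 0, "blocked": 0})
        s["triggered"] += 1
        if r["blocked"]:
            s["blocked"] += 1
    return summary


def _alert(ts, rule_id, desc, srcip):
    return json.dumps({"timestamp": ts, "rule": {"id": rule_id, "description": desc},
                       "data": {"srcip": srcip}})


# Constructed sample mirroring the thread: sshd failures get a 651 block,
# the later 31151 alerts for the same IP never do.
SAMPLE_LINES = [
    _alert("2022-11-04T11:48:55.100+0000", "5710", "Attempt to login using a non-existent user", "203.0.113.7"),
    _alert("2022-11-04T11:48:55.400+0000", "5710", "Attempt to login using a non-existent user", "203.0.113.7"),
    _alert("2022-11-04T11:48:55.900+0000", "651", "Host Blocked by firewall-drop Active Response", "203.0.113.7"),
    _alert("2022-11-04T11:48:56.000+0000", "5710", "Attempt to login using a non-existent user", "198.51.100.9"),
    _alert("2022-11-04T11:48:56.300+0000", "651", "Host Blocked by firewall-drop Active Response", "198.51.100.9"),
    _alert("2022-11-04T11:49:56.000+0000", "31101", "Web server 400 error code.", "203.0.113.7"),
    _alert("2022-11-04T11:49:56.200+0000", "31151", "Multiple web server 400 error codes from same source ip.", "203.0.113.7"),
    _alert("2022-11-04T11:49:58.500+0000", "31151", "Multiple web server 400 error codes from same source ip.", "203.0.113.7"),
]


def run_sample():
    return summarize(correlate(load_alerts(SAMPLE_LINES)))


if __name__ == "__main__":
    # On a real manager: load_alerts(open("/var/ossec/logs/alerts/alerts.json"))
    for rule, counts in run_sample().items():
        print(f"rule {rule}: triggered {counts['triggered']}, blocked {counts['blocked']}")
```

A rule that shows triggers but zero blocks while other rules on the same agent do get blocks points at the AR binding for that rule (or at the agent-side execd) rather than at the firewall-drop script itself, which is the split the thread ends up making.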

Francisco Tuduri

Nov 7, 2022, 5:35:30 PM
to Wazuh mailing list
Hello Natassia!

Let me ask you some basic information first.
What are the Wazuh versions of the manager and the agents?
Is this all happening on the same agent? I mean, when the AR fires on sshd login failures and when it doesn't on rule 31151 is all this on the same agent?

Also...
Can you access the log at /var/ossec/logs/active-responses.log of that agent? Could you share its content (obfuscating any sensitive data)?
One last thing, could you share a full sample of the alerts of rule 31151? (Again carefully replacing any sensitive data)

Thanks a lot!
Regards!

Natassia S

Nov 8, 2022, 9:56:07 AM
to Francisco Tuduri, Wazuh mailing list
Francisco,

My apologies.  While looking up the information that you requested I stumbled across something else.  The machine running the agent had previously been attached to an old OSSEC server which experienced a hardware failure.  I realized that the old ossec-agent was still enabled and that a copy of ossec-execd was still running even though the agent service itself was in a "failed" state.  

I've disabled the old service and done a chmod -x on the old binaries.  When I get a chance, I'll do a complete removal and install a fresh copy of the Wazuh agent.  I will monitor the new installation and let you know if I see a repeat of the strange behaviour.  Thank you for your time and your help which led me to this discovery.

Natassia

Francisco Tuduri

Nov 8, 2022, 10:45:31 AM
to Wazuh mailing list
No problem, Natassia!

Don't hesitate to ask for assistance if you encounter any problem.
Have a nice day!