Using CDB lists for Active Response

[Childe Robertson]

Hello, I'm curious if it is possible to use a CDB list for Active Response. I am making an active response to block IP addresses (firewall-drop) that trigger off from a set of rule IDs by specifying them on <rules_id> </rules_id>.

It got me thinking it would be easier to manage this if instead of explicitly editing the field in the config file whenever I need to add or remove a rule ID is if I could instead state said rule IDs in a CDB list where the active response script could automatically update or read from.

[Daniel Sappa]

Hi Childe Robertson!

Yes, it is possible to use a CDB (Constant DataBase) list for Active Response in Wazuh. CDB lists are useful for maintaining a dynamic list of items that can be read by various components of Wazuh, including Active Responses, here is a link that may be useful.

Detecting and responding to malicious files using CDB lists and active response

I hope I help you.