Active response on server configuration showing disabled


Arthur Henrique Oliveira Aparício

Apr 12, 2024, 8:23:20 AM
to Wazuh | Mailing List
Hello everyone, I have a question that is bothering me. With some logs appearing, we verified the need to create an active response for some rules, but for some reason we were unable to do so (at least, it doesn't seem like it). Below is the configuration created:

  <command>
    <name>firewalld-drop</name>
    <executable>firewalld-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <disabled>no</disabled>
    <command>firewalld-drop</command>
    <location>local</location>
    <level>6</level>
    <rules_group>31106,31151,31516,31168,31104</rules_group>
    <timeout>600</timeout>
  </active-response>

However, in the settings that you can see in the images, apparently it is disabled (and, just as strangely, the commands appear in one tab but not in the other):

[Three screenshots attached: Captura de tela 2024-04-12 092105.png, Captura de tela 2024-04-12 092216.png, Captura de tela 2024-04-12 092239.png]

So, I think that after searching, I still haven't found the answer (in fact, I haven't even found a topic about it; maybe I used the wrong words). Can you help me? Thank you very much in advance.

Francisco Tuduri

Apr 15, 2024, 9:39:46 AM
to Wazuh | Mailing List
Hello Arthur!

I will check this out. A few things to consider:
Firstly, could you inform me of the Wazuh version you are currently using?

Regarding your AR configuration snippet, I see that you have:

<rules_group>31106,31151,31516,31168,31104</rules_group>

I noticed these are rule IDs. For correct implementation, it should be structured as follows:

  <active-response>
    <disabled>no</disabled>
    <command>firewalld-drop</command>
    <location>local</location>
    <level>6</level>
    <rules_id>31106,31151,31516,31168,31104</rules_id>
    <timeout>600</timeout>
  </active-response>

Could you please try configuring it again with this corrected format?

Does the issue of it appearing as disabled persist after this adjustment? And furthermore, is the Active Response functioning as expected?

Regards!

Arthur Henrique Oliveira Aparício

Apr 15, 2024, 10:59:31 AM
to Wazuh | Mailing List
Hello!

Firstly, thank you for the response. My manager version is 4.7.3, although some agents are still in the process of upgrading. I tested the configuration (I think that in the middle of choosing the parameters I didn't even notice the structure). The active response started to work (not only does it work, but it already has logs of its action, including on an agent that needs to be upgraded, so no failures for now). Strangely, in the settings section, the status still appears as disabled, but it appears to be just a visual error, perhaps?

Well, now that everything is working, thanks again for your response and for solving my problem.

Regards!

Francisco Tuduri

Apr 17, 2024, 8:18:22 AM
to Wazuh | Mailing List
Hi Arthur!
Glad to know that your Active Response is working.
Regarding the fact that it appears as 'disabled' in the settings section when actually it is not, it is indeed just a display error, and we have an issue to address that soon: https://github.com/wazuh/wazuh/issues/21585

Regards!