Getting values from a rule into CDB list


JK

Mar 14, 2023, 4:35:22 AM
to Wazuh mailing list
Hi All,

I am faced with a situation where I need to populate the CDB list with IP addresses when I suspect them to be malicious. I have certain conditions for suspecting an IP address to be malicious. When the conditions are met, a certain rule will be fired. That's when I need to add the IP address to the CDB list, taking it from the rule. Is it possible? If yes, how do I do that? Do I need any script to achieve this? Any idea?

Thanks
Jayakrishnan

Jonathan Martín Valera

Mar 14, 2023, 6:32:32 AM
to Wazuh mailing list

Hi,

Yes, it is possible. You can configure an active response so that when the rule that detects suspicious IPs fires, the active response is executed, and this causes the IP address to be added to the CDB list.

Here is an example:

Imagine I have the following event:

Jul 12 16:10:26 cloud sshd[14486]: Bad protocol version identification 'GET http://m.search.yahoo.com/ HTTP/1.1' from 2.2.2.2 port 3533

which triggers rule 5701 (level 8). I want the IP decoded as srcip in the decoding phase to be added to the CDB list automatically (in this case 2.2.2.2 would be added). To do this, first of all I am going to create a custom script that will be executed automatically by an active response every time rule 5701 is triggered.

Create the script and assign the necessary permissions for Wazuh to use it:

sudo touch /var/ossec/active-response/bin/custom-script.py
sudo chmod 750 /var/ossec/active-response/bin/custom-script.py
sudo chown root:wazuh /var/ossec/active-response/bin/custom-script.py

The content of the script is as follows:

#!/var/ossec/framework/python/bin/python3
# Copyright (C) 2015-2023, Wazuh Inc.
# All rights reserved.
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.

import json
import sys

# Path of the CDB list the IPs are appended to (edit to match your list)
CDB_LIST = '/var/ossec/etc/lists/custom-list'


def main():
    # wazuh-execd hands the triggering alert to the script as one JSON line on STDIN
    input_str = sys.stdin.readline()
    alert_data = json.loads(input_str)

    # srcip is the field the decoder extracted from the event
    srcip = alert_data['parameters']['alert']['data']['srcip']

    # CDB lists are "key:value" lines; the IP is the key and the value is left empty
    with open(CDB_LIST, 'a') as f:
        f.write(f"{srcip}:\n")


if __name__ == '__main__':
    main()

Note: edit the CDB_LIST path so that it points to your list.

This script picks up the srcip value from the alert and will add it to your list automatically.

Once we have created the script, we are going to configure the wazuh-manager so that every time rule 5701 is triggered, this script is executed. To do this, we add the following blocks to the file /var/ossec/etc/ossec.conf:

<command>
  <name>add-ip-cdb-list</name>
  <executable>custom-script.py</executable>
</command>

<active-response>
  <disabled>no</disabled>
  <command>add-ip-cdb-list</command>
  <location>local</location>
  <rules_id>5701</rules_id>
</active-response>

Restart the wazuh-manager to apply the changes:

systemctl restart wazuh-manager

Now, every time rule 5701 is triggered, the IP will be added to the CDB list.

I am sending you a video with a demonstration. I hope it helps.

Best regards.

demo.mp4
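A hardened variant of the hook described in the reply above, added here as an example; it is not the script from the reply nor a file shipped by Wazuh. It assumes the stdin payload wazuh-execd writes for an active response in Wazuh 4.x (a JSON object whose `command` is "add" when the rule fires and "delete" on timeout, with the decoded fields under `parameters.alert.data`); the sample payload, the list path and all function names are my own constructions. Beyond the original, it ignores the timeout "delete" call, validates that srcip parses as an IPv4/IPv6 address so a crafted field cannot inject extra lines or keys into the list, skips keys that are already present, and writes the list atomically.

```python
#!/var/ossec/framework/python/bin/python3
"""Hardened 'add srcip to CDB list' active response (added example, not the
original script). Assumes the Wazuh 4.x active-response JSON on stdin."""
import ipaddress
import json
import os
import sys
import tempfile

# Assumed path of the list; edit to match your own
CDB_LIST = "/var/ossec/etc/lists/custom-list"

# Constructed sample payload, shaped like what wazuh-execd sends when
# rule 5701 fires for the event in the original post (not a real capture).
SAMPLE_INPUT = json.dumps({
    "version": 1,
    "origin": {"name": "node01", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {
            "rule": {"id": "5701", "level": 8,
                     "description": "sshd: Possible attack."},
            "data": {"srcip": "2.2.2.2"},
        },
        "program": "/var/ossec/active-response/bin/custom-script.py",
    },
})


def extract_srcip(payload: str):
    """Return the validated source IP from an AR payload, or None.

    None is returned for the timeout "delete" call, for a payload without
    srcip, for non-JSON input and for a srcip that is not a syntactically
    valid IP (e.g. one carrying a newline or a colon to smuggle a second key).
    """
    try:
        msg = json.loads(payload)
        if msg.get("command") != "add":
            return None
        raw = msg["parameters"]["alert"]["data"]["srcip"]
        return str(ipaddress.ip_address(raw))
    except (ValueError, KeyError, TypeError, AttributeError):
        return None


def merge_into_cdb(existing: str, ip: str):
    """Pure merge step: add "<ip>:" as a CDB key unless that key exists.

    CDB lists are key:value lines, so the key is the text before the first
    colon. Returns (new_text, added).
    """
    lines = [ln for ln in existing.splitlines() if ln.strip()]
    keys = {ln.split(":", 1)[0].strip() for ln in lines}
    if ip in keys:
        return existing, False
    lines.append(f"{ip}:")
    return "\n".join(lines) + "\n", True


def add_to_cdb_list(path: str, ip: str) -> bool:
    """Read, merge and replace the list file atomically.

    Writing a temp file and renaming it over the list means a crash, or a
    second invocation racing this one, never leaves a half-written file.
    """
    existing = ""
    if os.path.exists(path):
        with open(path, "r", encoding="utf-8") as f:
            existing = f.read()
    new_text, added = merge_into_cdb(existing, ip)
    if not added:
        return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".cdb-")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(new_text)
    os.chmod(tmp, 0o640)
    os.replace(tmp, path)
    return True


def main():
    ip = extract_srcip(sys.stdin.readline())
    if ip is None:
        sys.exit(0)  # timeout call, malformed payload or invalid IP: do nothing
    add_to_cdb_list(CDB_LIST, ip)


if __name__ == "__main__":
    main()
```

To exercise the hook without waiting for a real alert, pipe SAMPLE_INPUT into it on the manager (e.g. from a Python one-liner that prints the constant) and inspect the list and /var/ossec/logs/active-responses.log. One caveat the reply does not cover: wazuh-analysisd compiles the text list into its .cdb form when it starts, so an IP appended by the hook is not seen by `<list>` lookups in rules until the manager is restarted; plan for that if rules are meant to react to the new entries.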

Jayakrishnan

Mar 15, 2023, 12:45:44 AM
to Wazuh mailing list
Thanks a lot, Jonathan Martín Valera, for such a detailed answer. I will get back to you after trying this.

Nepolean

Apr 10, 2023, 4:03:14 AM
to Wazuh mailing list
Hi Jonathan. I tried running your script. The problem is that my active response is not running. I tried giving the permissions you said, putting it in the bin folder, etc. Then I tried another script which writes a number to a txt file, to check whether active response is working or not. It's also not working. Does anyone know what to do?