AR - List blocked IP addresses

[jcc...@gmail.com]

Hello,

Is there a way (API or CLI) to list the currently blocked IP addresses by the active response?

[Natassia M Stelmaszek]

On a Redhat/CentOS/Rocky system you can use sudo iptables --list -n on the agent machine.

Natassia

[Matias Pereyra]

Hi!

There is more information about this topic in the documentation section: Detect and react to a Shellshock attack. There you have an example of an active response used for IP blocking.

As Natassia said, the command iptables --list -n can show you in the agent what is the current list of IP addresses in its firewall drop list.

But you can't see this information from your manager for every agent. One workaround could be configuring a remote command and executing it. See Command monitoring for more details.

Regards.

[Julio Cesar]

Hello Matias,

Thank you!

Thanks to Natassia too!

Any plans to implement this on the Wazuh's API?

Regards,

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/zcdLEcV4aNc/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/8b457458-8e24-4525-9c62-95df529818bcn%40googlegroups.com.

[Matias Pereyra]

Hi again!

Feel free to open an issue in the Wazuh repository to request this feature: New issue.
The team will analyze this as soon as possible.

Regards.