AR - List blocked IP addresses

56 views
Skip to first unread message

jcc...@gmail.com

unread,
Nov 29, 2022, 10:14:51 AM11/29/22
to Wazuh mailing list
Hello,

Is there a way (API or CLI) to list the currently blocked IP addresses by the active response?

Natassia M Stelmaszek

unread,
Nov 29, 2022, 11:51:09 AM11/29/22
to Wazuh mailing list
On a Redhat/CentOS/Rocky system you can use sudo iptables --list -n on the agent machine.

Natassia

Matias Pereyra

unread,
Nov 30, 2022, 10:26:17 PM11/30/22
to Wazuh mailing list
Hi!

There is more information about this topic in the documentation section: Detect and react to a Shellshock attack. There you have an example of an active response used for IP blocking.

As Natassia said, the command iptables --list -n can show you in the agent what is the current list of IP addresses in its firewall drop list.

But you can't see this information from your manager for every agent. One workaround could be configuring a remote command and executing it. See Command monitoring for more details.

Regards.

Julio Cesar

unread,
Dec 1, 2022, 5:53:58 AM12/1/22
to Matias Pereyra, Wazuh mailing list
Hello Matias,

Thank you!

Thanks to Natassia too!

Any plans to implement this on the Wazuh's API?

Regards,

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/zcdLEcV4aNc/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/8b457458-8e24-4525-9c62-95df529818bcn%40googlegroups.com.

Matias Pereyra

unread,
Dec 2, 2022, 10:25:04 AM12/2/22
to Wazuh mailing list
Hi again!

Feel free to open an issue in the Wazuh repository to request this feature: New issue.
The team will analyze this as soon as possible.

Regards.
Reply all
Reply to author
Forward
0 new messages