This is the documentation for Wazuh 2.1. Check out the docs for the latest version of Wazuh!

Configuration

  1. Basic usage
  2. Windows automatic remediation
  3. Block an IP with PF
  4. Add an IP to the iptables deny list
  5. Active response for a specified period of time
  6. Active response that will not be undone

Basic usage

Active response is configured in ossec.conf, within the Active Response and Command sections.

In this example, a command with the name “restart-ossec” is configured to use the “restart-ossec.sh” script with no data element. The Active response is configured to initiate the “restart-ossec” command on the local host when the rule with ID 10005 fires. This is a Stateless response as no timeout parameter is defined.

Command:

<command>
  <name>restart-ossec</name>
  <executable>restart-ossec.sh</executable>
  <expect></expect>
</command>

Active response:

<active-response>
  <command>restart-ossec</command>
  <location>local</location>
  <rules_id>10005</rules_id>
</active-response>

Windows automatic remediation

In this example, a command with the name “win_rout-null” is configured to use the “route-null.cmd” script using the data element “srcip”. The Active response is configured to initiate the “win_rout-null” command on the local host when the rule has a higher alert level than 7. This is a Stateful response with a timeout set at 900 seconds.

Command:

<command>
  <name>win_route-null</name>
  <executable>route-null.cmd</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

Active response:

<active‐response>
  <command>win_route‐null</command>
  <location>local</location>
  <level>8</level>
  <timeout>900</timeout>
</active‐response>

Block an IP with PF

In this example, a command with the name “pf-block” is configured to use the “pf.sh” script using the data element “scrip”. The Active response is configured to initiate the “pf-block” command on agent “001” when a rule in either the “authentificaiton_failed” or “authentication_failures” rule group fires. This is a Stateless response as no timeout parameter is defined.

Command:

<command>
  <name>pf-block</name>
  <executable>pf.sh</executable>
  <expect>srcip</expect>
</command>

Active response:

<active-response>
  <command>pf-block</command>
  <location>defined-agent</location>
  <agent_id>001</agent_id>
  <rules_group>authentication_failed,authentication_failures</rules_group>
</active-response>

Add an IP to the iptables deny list

In this example, a command with the name “firewall-drop” is configured to use the “firewall-drop.sh” script using the data element “scrip”. The Active response is configured to initiate the “firewall-block” command on all systems when a rule in either the “authentificaiton_failed” or “authentication_failures” rule group fires. This is a Stateful response with a timeout of 700 seconds. The repeated offenders parameter increases the timeout period for each subsequent offence by a specific IP address.

Note: This parameter is specified in minutes rather than seconds.

Command:

<command>
  <name>firewall-drop</command>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
</command>

Active response:

<active-response>
  <command>firewall-block</command>
  <location>all</location>
  <rules_group>authentication_failed,authentication_failures</rules_group>
  <timeout>700</timeout>
  <repeated_offenders>30,60,120</repeated_offenders>
</active-response>

Active response for a specified period of time

The action of a stateful response continues for a specified period of time.

In this example, a command with the name “host-deny” is configured to use the “host-deny.sh” script using the data element “scrip”. The Active response is configured to initiate the “host-deny” command on the local host when a rule with a higher alert level than 6 is fired.

Command:

<command>
  <name>host-deny</name>
  <executable>host-deny.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

Active response:

<active-response>
  <command>host-deny</command>
  <location>local</location>
  <level>7</level>
  <timeout>600</timeout>
</active-response>

More info: command

Active response that will not be undone

The action of a stateless command is a one-time action that will not be undone.

In this example, a command with the name “mail-test” is configured to use the “mail-test.sh” script with no data element. The Active response is configured to initiate the “mail-test” command on the server when the rule with ID 1002 fires.

Command:

<command>
  <name>mail-test</name>
  <executable>mail-test.sh</executable>
  <timeout_allowed>no</timeout_allowed>
  <expect />
</command>

Active response:

<active-response>
    <command>mail-test</command>
    <location>server</location>
    <rules_id>1002</rules_id>
 </active-response>