This is the documentation for Wazuh 3.3. Check out the docs for the latest version of Wazuh!

Configuration

  1. Basic usage
  2. Windows automatic remediation
  3. Block an IP with PF
  4. Add an IP to the iptables deny list
  5. Active response for a specified period of time
  6. Active response that will not be undone

Basic usage

An active response is configured in the ossec.conf file in the Active Response and Command sections.

In this example, the restart-ossec command is configured to use the restart-ossec.sh script with no data element. The active response is configured to initiate the restart-ossec command on the local host when the rule with ID 10005 fires. This is a Stateless response as no timeout parameter is defined.

Command:

<command>
  <name>restart-ossec</name>
  <executable>restart-ossec.sh</executable>
  <expect></expect>
</command>

Active response:

<active-response>
  <command>restart-ossec</command>
  <location>local</location>
  <rules_id>10005</rules_id>
</active-response>

Windows automatic remediation

In this example, the win_rout-null command is configured to use the route-null.cmd script using the data element srcip. The active response is configured to initiate the win_rout-null command on the local host when the rule has a higher alert level than 7. This is a Stateful response with a timeout set at 900 seconds.

Command:

<command>
  <name>win_route-null</name>
  <executable>route-null.cmd</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

Active response:

<active-response>
  <command>win_route-null</command>
  <location>local</location>
  <level>8</level>
  <timeout>900</timeout>
</active-response>

Block an IP with PF

In this example, the pf-block command is configured to use the pf.sh script using the data element scrip. The active response is configured to initiate the pf-block command on agent 001 when a rule in either the “authentication_failed” or “authentication_failures” rule group fires. This is a Stateless response as no timeout parameter is defined.

Command:

<command>
  <name>pf-block</name>
  <executable>pf.sh</executable>
  <expect>srcip</expect>
</command>

Active response:

<active-response>
  <command>pf-block</command>
  <location>defined-agent</location>
  <agent_id>001</agent_id>
  <rules_group>authentication_failed,authentication_failures</rules_group>
</active-response>

Add an IP to the iptables deny list

In this example, the firewall-drop command is configured to use the firewall-drop.sh script using the data element scrip. The active response is configured to initiate the firewall-block command on all systems when a rule in either the “authentication_failed” or “authentication_failures” rule group fires. This is a Stateful response with a timeout of 700 seconds. The <repeated_offenders> tag increases the timeout period for each subsequent offense by a specific IP address.

Note

This parameter is specified in minutes rather than seconds.

Command:

<command>
  <name>firewall-drop</command>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
</command>

Active response:

<active-response>
  <command>firewall-block</command>
  <location>all</location>
  <rules_group>authentication_failed,authentication_failures</rules_group>
  <timeout>700</timeout>
  <repeated_offenders>30,60,120</repeated_offenders>
</active-response>

Active response for a specified period of time

The action of a stateful response continues for a specified period of time.

In this example, the host-deny command is configured to use the host-deny.sh script using the data element scrip. The active response is configured to initiate the host-deny command on the local host when a rule with a higher alert level than 6 is fired.

Command:

<command>
  <name>host-deny</name>
  <executable>host-deny.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

Active response:

<active-response>
  <command>host-deny</command>
  <location>local</location>
  <level>7</level>
  <timeout>600</timeout>
</active-response>

More information: command

Active response that will not be undone

The action of a stateless command is a one-time action that will not be undone.

In this example, the mail-test command is configured to use the mail-test.sh script with no data element. The active response is configured to initiate the mail-test command on the server when the rule with ID 1002 fires.

Command:

<command>
  <name>mail-test</name>
  <executable>mail-test.sh</executable>
  <timeout_allowed>no</timeout_allowed>
  <expect></expect>
</command>

Active response:

<active-response>
    <command>mail-test</command>
    <location>server</location>
    <rules_id>1002</rules_id>
 </active-response>