XML section name
In the active response configuration section, an existing command is bound to one or more rules or rule types along with additional criteria for when to execute the command. There is no limit to the number of active responses that can be used, however, each active response must be configured in its own separate
Toggles the active-response capability on and off. Setting this option to
yes on an agent will disable active-response for that agent only, while setting it in the manager’s
ossec.conf file will disable active-response on the manager and all agents.
This option is available on server, local, and agent installations.
|Allowed values||yes, no|
Links the active-response to the command.
|Allowed values||Any defined active response command name|
Indicates which system(s) the command should be executed on.
|Allowed values||local||This runs the command on the agent that generated the event.|
|server||This runs the command on the Wazuh manager.|
|defined-agent||This runs the command on a specific agent identified by agent_id.|
|all||This runs the command on all agents. Use with caution.|
If the application that interfaces with your edge firewall runs on one of your agents, you might have a firewall-block-edge command that runs a script on that agent to blacklist an offending IP on the edge firewall.
Specifies the ID of the agent on which to execute the active response command (used when defined-agent is set).
|Allowed values||Any agent id number, as long as defined-agent has been specified as the location.|
Defines a minimum severity level required for the command to be executed.
|Allowed values||Any level from 1 to 16|
Defines the rule group that a rule must belong to one for the command to be executed.
|Allowed values||Any rule group is allowed. Multiple groups should be separated with a pipe character (“|”).|
All groups must end with a comma.
Limits the command execution to only when one or more listed rules fire.
|Allowed values||Any rule identification. Multiple IDs can be specified if separated by a comma.|
rules_id together, the active response will be triggered always that any rule matches with one of these options. In other words,
they are accumulative options, not restrictive.
Specifies how long in seconds before the reverse command is executed. When
repeated_offenders is used,
timeout only applies to the first offense.
|Allowed values||A positive number (seconds)|
Sets timeouts in minutes for repeat offenders. This is a comma-separated list of increasing timeouts that can contain a maximum of 5 entries.
|Allowed values||A positive number (minutes)|
This option must be configured directly in the ossec.conf file of the agent, even when using a manager/agent setup with centralized configuration of other settings via agent.conf. Apart from that, it has to be defined in the upper
<active-response> section found in the configuration file.
Indicates the path to the root CA certificate. The agent needs the certificate with which the WPK was signed in order to be updated.
|Allowed values||Path to root CA certificate|
This option enables or disables the WPK validation using the root CA certificate. If this parameter is set to
no the agent will accept any WPK package coming from the manager.
|Allowed values||yes, no|
<!-- On the manager side --> <active-response> <disabled>no</disabled> <command>host-deny</command> <location>defined-agent</location> <agent_id>032</agent_id> <level>10</level> <rules_group>sshd,|pci_dss_11.4,</rules_group> <timeout>1</timeout> </active-response> <!-- On the agent side --> <active-response> <disabled>no</disabled> <ca_store>/var/ossec/etc/wpk_root.pem</ca_store> <ca_verification>yes</ca_verification> <repeated_offenders>1,5,10</repeated_offenders> </active-response>