Active Response using the Wazuh API
This blog post focuses on the request syntax for triggering active responses through the Wazuh API, both with out-of-the-box active response scripts and with custom ones.
Use Case 1: Blocking an IP using the default firewall drop Active Response
The firewall-drop command block ships in the default Wazuh manager configuration, so no configuration change is needed on the manager or on the agent for this use case.
API query: a leading ! in the command value tells the API to treat it as the name of a script in active-response/bin instead of a command name defined in ossec.conf. The alert data carries the source IP the script will block.
PUT /active-response?agents_list=014
{
"command": "!firewall-drop",
"alert": {
"data": {
"srcip": "1.1.5.5"
}
}
}
Result: the active response log on the endpoint shows the exchange between wazuh-execd and the script, and iptables shows that the IP 1.1.5.5 is now blocked.
[root@vagrant bin]# tail -n 10 /var/ossec/logs/active-responses.log
2023/10/01 16:20:56 active-response/bin/firewall-drop: Starting
2023/10/01 16:20:56 active-response/bin/firewall-drop: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"data":{"srcip":"1.1.5.5"}},"program":"active-response/bin/firewall-drop"}}
2023/10/01 16:20:56 active-response/bin/firewall-drop: {"version":1,"origin":{"name":"firewall-drop","module":"active-response"},"command":"check_keys","parameters":{"keys":["1.1.5.5"]}}
2023/10/01 16:20:56 active-response/bin/firewall-drop: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"continue","parameters":{"extra_args":[],"alert":{"data":{"srcip":"1.1.5.5"}},"program":"active-response/bin/firewall-drop"}}
2023/10/01 16:20:56 active-response/bin/firewall-drop: Ended
[root@vagrant vagrant]# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 1.1.5.5 anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- 1.1.5.5 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
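The log above shows the handshake between wazuh-execd and the firewall-drop script: execd sends an "add" message carrying the alert, the script answers "check_keys" with the source IP as its key, and execd replies "continue" (or "abort"). The Python script below implements that same handshake for a custom active response. It is an added example for this post, not Wazuh's firewall-drop code; the message shapes are taken from the log lines above, the action callback is a hypothetical placeholder for the real work, and the SAMPLE_* messages are constructed so the handshake can be exercised without a running execd.

```python
#!/usr/bin/env python3
"""Custom Wazuh active-response script that implements the version-1 JSON
handshake visible in the active-responses.log excerpt above:
execd "add" -> script "check_keys" -> execd "continue" or "abort".

Added example for this post, not Wazuh's firewall-drop code. Assumptions:
the message shapes are copied from the log lines above; the `action`
callable is a hypothetical placeholder for the real work (the iptables
call of a custom script would go there); SAMPLE_* messages are constructed."""
import datetime
import io
import json
import sys

LOG_FILE = "/var/ossec/logs/active-responses.log"

# Constructed execd messages, same shape as the log lines above.
SAMPLE_ADD = json.dumps({"version": 1, "origin": {"name": "node01", "module": "wazuh-execd"},
                         "command": "add",
                         "parameters": {"extra_args": [], "alert": {"data": {"srcip": "1.1.5.5"}},
                                        "program": "active-response/bin/firewall-drop"}})
SAMPLE_CONTINUE = SAMPLE_ADD.replace('"command": "add"', '"command": "continue"')
SAMPLE_ABORT = SAMPLE_ADD.replace('"command": "add"', '"command": "abort"')


def build_check_keys(script_name, keys):
    """Reply that lets execd decide whether this key should proceed."""
    return {"version": 1,
            "origin": {"name": script_name, "module": "active-response"},
            "command": "check_keys",
            "parameters": {"keys": keys}}


def read_message(stream):
    """One JSON line from execd, or None at EOF."""
    line = stream.readline()
    return json.loads(line) if line.strip() else None


def handle(stdin, stdout, script_name, action):
    """Run one handshake over text streams; returns what happened."""
    msg = read_message(stdin)
    if msg is None:
        return "ignored"
    command = msg.get("command")
    srcip = msg.get("parameters", {}).get("alert", {}).get("data", {}).get("srcip")

    if command == "add":
        # Key the response on the source IP, as firewall-drop does above.
        keys = [srcip] if srcip else []
        stdout.write(json.dumps(build_check_keys(script_name, keys)) + "\n")
        stdout.flush()
        # execd answers "continue" to proceed, or "abort" (for instance when a
        # timeout entry for the same key is already active).
        reply = read_message(stdin)
        if reply is None or reply.get("command") != "continue":
            return "aborted"
        action("add", srcip)
        return "added"

    if command == "delete":
        # Sent by execd when the timeout of an earlier "add" expires.
        action("delete", srcip)
        return "deleted"

    return "ignored"


def simulate(messages, script_name="active-response/bin/example"):
    """Feed constructed execd messages through handle() without a real execd.
    Returns (result, messages the script wrote, (kind, srcip) action calls)."""
    calls = []
    out = io.StringIO()
    result = handle(io.StringIO("\n".join(messages) + "\n"), out, script_name,
                    lambda kind, ip: calls.append((kind, ip)))
    sent = [json.loads(line) for line in out.getvalue().splitlines()]
    return result, sent, calls


def log_line(script_name, text, log_file=LOG_FILE):
    """Same line format as the log above: 'YYYY/MM/DD HH:MM:SS <script>: <text>'."""
    stamp = datetime.datetime.now().strftime("%Y/%m/%d %H:%M:%S")
    with open(log_file, "a") as fh:
        fh.write(f"{stamp} {script_name}: {text}\n")


if __name__ == "__main__":
    name = "active-response/bin/" + sys.argv[0].rsplit("/", 1)[-1]
    log_line(name, "Starting")
    outcome = handle(sys.stdin, sys.stdout, name,
                     lambda kind, ip: log_line(name, f"{kind} srcip={ip}"))
    log_line(name, f"Ended ({outcome})")
```

Honouring the check_keys step is what makes execd's timeout and de-duplication work for your script: if the key is already under a timeout, execd answers "abort" and the action is skipped, and when the timeout expires execd sends a "delete" for the same key so the script can undo the change.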
Use Case 2: Flush the iptables firewall rules using a custom Active Response
Place the script below on the monitored endpoint at /var/ossec/active-response/bin/flushIpTables:
#!/bin/sh
# Custom active response: flush every chain of the iptables filter table.
# Note that this removes ALL rules in the filter table, including the DROP
# entries added by firewall-drop and any rules unrelated to Wazuh.
LOG_FILE="/var/ossec/logs/active-responses.log"
echo "$(date '+%Y/%m/%d %H:%M:%S') $0 Starting" >> ${LOG_FILE}
# The JSON that wazuh-execd passes on stdin is ignored: the script takes no arguments.
iptables --flush
echo "$(date '+%Y/%m/%d %H:%M:%S') $0 Ended" >> ${LOG_FILE}
exit 0
Assign the proper permissions and ownership to the script:
sudo chmod 750 /var/ossec/active-response/bin/flushIpTables
sudo chown root:wazuh /var/ossec/active-response/bin/flushIpTables
Add the command definition inside the <ossec_config> block of /var/ossec/etc/ossec.conf on the Wazuh manager, then restart the manager so the change takes effect:
<command>
<name>flushIpTables</name>
<executable>flushIpTables</executable>
</command>
API query: for a custom active response you must also set the custom argument to true:
PUT /active-response?agents_list=014
{
"command": "!flushIpTables",
"custom": true
}
Result: the script ran and all iptables rules, including the earlier block on 1.1.5.5, are gone:
[root@vagrant bin]# tail -n 2 /var/ossec/logs/active-responses.log
2023/10/01 16:21:03 active-response/bin/flushIpTables Starting
2023/10/01 16:21:03 active-response/bin/flushIpTables Ended
[root@vagrant bin]# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
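Both use cases send the same kind of request; only the body changes. The Python client below authenticates against the Wazuh API and sends the two requests shown in this post (Use Case 1 with alert data, Use Case 2 with custom set to true). It is an added example for this post, not Wazuh's own client code; it assumes the Wazuh 4.x endpoints POST /security/user/authenticate and PUT /active-response, the URL, credentials and CA file are placeholders, and SAMPLE_RESPONSE is constructed in the shape the API returns rather than captured from a live manager.

```python
#!/usr/bin/env python3
"""Send the two active-response requests from this post through the Wazuh API.

Added example for this post, not Wazuh's own client code. Assumptions:
the endpoints POST /security/user/authenticate and PUT /active-response
as in Wazuh 4.x; WAZUH_URL, credentials and CA_FILE are placeholders;
SAMPLE_RESPONSE is constructed in the documented response shape
(data.affected_items / data.failed_items) and is not real output."""
import base64
import ipaddress
import json
import ssl
import urllib.request

WAZUH_URL = "https://127.0.0.1:55000"   # placeholder
CA_FILE = "/etc/wazuh/api-ca.pem"        # placeholder: CA (or self-signed cert) of the API


def build_ar_request(command, agent_ids, custom=False, srcip=None):
    """Return (path, body) for PUT /active-response.

    command must start with '!' (script name, as the post explains); srcip is
    validated so that only a real IP ever reaches the script's check_keys step.
    """
    if not command.startswith("!"):
        raise ValueError("use '!<script>' to name a script in active-response/bin")
    if not agent_ids:
        raise ValueError("agents_list must not be empty")
    body = {"command": command}
    if custom:
        body["custom"] = True
    if srcip is not None:
        ipaddress.ip_address(srcip)   # raises ValueError for anything that is not an IP
        body["alert"] = {"data": {"srcip": srcip}}
    return "/active-response?agents_list=" + ",".join(agent_ids), body


def summarize(response):
    """Reduce an API response to (ok, affected_ids, failed); failed is a list of
    (agent_id, message) and ok is True only when nothing failed."""
    data = response.get("data", {})
    affected = list(data.get("affected_items", []))
    failed = []
    for item in data.get("failed_items", []):
        msg = item.get("error", {}).get("message", "unknown error")
        for agent_id in item.get("id", []):
            failed.append((agent_id, msg))
    ok = response.get("error", 1) == 0 and not failed
    return ok, affected, failed


def tls_context(ca_file=CA_FILE):
    # Verify the API certificate instead of disabling checks: the default
    # Wazuh API cert is self-signed, so point ca_file at it or at your CA.
    return ssl.create_default_context(cafile=ca_file)


def get_token(user, password, ctx, base_url=WAZUH_URL):
    """Basic auth once, then use the returned JWT for the API calls."""
    req = urllib.request.Request(base_url + "/security/user/authenticate", method="POST")
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["data"]["token"]


def send_active_response(token, path, body, ctx, base_url=WAZUH_URL):
    req = urllib.request.Request(base_url + path, data=json.dumps(body).encode(),
                                 method="PUT")
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


SAMPLE_RESPONSE = {   # constructed, not captured from a live manager
    "data": {"affected_items": ["014"], "total_affected_items": 1,
             "total_failed_items": 1,
             "failed_items": [{"error": {"code": 1701, "message": "Agent does not exist"},
                               "id": ["999"]}]},
    "message": "AR command was not sent to some agents",
    "error": 2,
}


if __name__ == "__main__":
    ctx = tls_context()
    token = get_token("wazuh", "wazuh", ctx)   # placeholder credentials
    for path, body in (
        build_ar_request("!firewall-drop", ["014"], srcip="1.1.5.5"),   # Use Case 1
        build_ar_request("!flushIpTables", ["014"], custom=True),       # Use Case 2
    ):
        ok, affected, failed = summarize(send_active_response(token, path, body, ctx))
        print(path, body, "ok" if ok else f"failed for {failed}")
```

The API only confirms that the command was queued for the listed agents; whether the script actually ran is visible only in the endpoint's active-responses.log, as in the results above. The token is short-lived, so long-running tooling should re-authenticate rather than cache it.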