Hello John,

Our documentation has a comprehensive guide about the capabilities of active response and how to configure it:
https://documentation.wazuh.com/3.13/user-manual/capabilities/active-response/index.html

Also, we periodically release blog posts about different topics, some of which may be of interest to you. For example, in this one we explain how to integrate Wazuh with Yara using active response: https://wazuh.com/blog/how-to-integrate-yara-with-wazuh/

If you have any more questions about active response or find any problem configuring it, do not hesitate to contact us.

Regards,
Daniel Folch

On Thursday, September 24, 2020 at 1:35:12 PM UTC+2, John Gomez wrote:
>
> Is there any deep dive on active response or a collection of use cases as
> to how people are using it?
>
> Just seems to be such a cool capability of OSSEC that is underutilized.
>
> -------- Original message --------
> From: Daniel Folch <danie...@wazuh.com>
> Date: 9/23/20 7:21 AM (GMT-05:00)
> To: ossec-list <ossec...@googlegroups.com>
> Subject: [EXTERNAL MSG:][ossec-list] Re: ACTIVE-RESPONSE NOT WORKING
>
> Hello,
>
> First, let us start with the active response configuration of the manager
> and agent. The configuration you shared should be used on the manager side,
> and for the agent you just need to set it like this:
>
>   <active-response>
>     <disabled>no</disabled>
>     <ca_store>/var/ossec/etc/wpk_root.pem</ca_store>
>     <ca_verification>yes</ca_verification>
>   </active-response>
>
> As a side note, rule 5720 is triggered when rule 5716 activates 8
> times in a short period of time, so having both of them in the active
> response is not necessary.
>
> Hydra tests the passwords in the list sequentially and it is really fast,
> so if your list only contains a few passwords it may be possible for Hydra to
> test the correct password from the list before active response can shut
> down the connection from the IP. This should not happen in a real brute
> force attack, as the list of passwords would be long enough for active
> response to act in time. A possibility to minimize this phenomenon would be
> to reduce the number of attempts needed before shutting down.
>
> Just to verify, could you share the length of the list you are using for
> this test, and if possible could you try running Hydra like this to verify
> that active response is working as intended:
>
>   hydra -l agent -x 1:5:aA1 [AGENT_IP] ssh
>
> This will try to test all combinations of lowercase characters, uppercase
> characters, and numbers with a length between 1 and 5, so it should not be
> able to find your password before active response triggers.
>
> Regards,
> Daniel Folch
>
> On Tuesday, September 22, 2020 at 1:07:58 PM UTC+2, conm...@gmail.com wrote:
>>
>> Hi everybody,
>> I have seen an article about configuring active-response to block SSH
>> brute force on https://wazuh.com/blog/blocking-attacks-active-response/
>>
>> I have configured the direction and added some SSH-related rules hoping
>> that it will prevent the attack, but it doesn't work.
>> I configured the following in ossec.conf:
>>
>>   <command>
>>     <name> firewall-drop </name>
>>     <executable> firewall-drop.sh </executable>
>>     <expect> srcip </expect>
>>     <timeout_allowed> yes </timeout_allowed>
>>   </command>
>>
>>   <active-response>
>>     <command> firewall-drop </command>
>>     <location> local </location>
>>     <rules_id> 5712,5716,5720 </rules_id>
>>     <timeout> 1800 </timeout>
>>   </active-response>
>>
>> I still find the password to log in after the brute force. I use the following
>> command to attack:
>>
>>   hydra -l agent -P /home/attacker/Desktop/list.txt 192.168.10.2 -t 4 ssh
>>
>> Is there any way the active-response can prevent this?
>> Thanks everyone
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ossec-list/fc270a22-8c00-4094-a5b5-fed439442598o%40googlegroups.com
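As an added example (not part of this thread and not OSSEC/Wazuh code), the following Python replays sshd failures through the detection chain Daniel describes: a per-failure rule like 5716 feeding a frequency rule like 5720 that fires after a number of failures from one srcip inside a time window, at which point active response would run firewall-drop against that srcip. The log lines and IPs are constructed; the 120-second timeframe and the exact log format are assumptions, while the 8-failure default is taken from the thread. It shows why a 5-password list finishes before any block happens and how lowering the threshold, as suggested above, changes that.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Shape of a failed-password line as sshd writes it to auth.log (assumed format;
# all sample lines below are constructed for this example, not captured).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<srcip>\S+) port \d+ ssh2$"
)

def make_attempts(srcip, count, start="Sep 22 13:07:01", gap=1, year=2020):
    """Construct `count` failed logins from one IP, `gap` seconds apart."""
    t0 = datetime.strptime(f"{year} {start}", "%Y %b %d %H:%M:%S")
    return [
        f"{(t0 + timedelta(seconds=i * gap)).strftime('%b %d %H:%M:%S')} agent "
        f"sshd[{4000 + i}]: Failed password for agent from {srcip} port {50000 + i} ssh2"
        for i in range(count)
    ]

def replay(lines, threshold=8, timeframe=120, year=2020):
    """Feed lines through a 5716-style match and a 5720-style frequency rule.

    Returns {srcip: attempt number at which the frequency rule fired}. An IP
    missing from the result was never blocked, so every password in the list
    reached sshd. `threshold` is the knob the thread suggests lowering.
    """
    window = defaultdict(deque)   # srcip -> timestamps of failures inside the window
    attempts = defaultdict(int)
    blocked_at = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m or m.group("srcip") in blocked_at:
            continue              # not a 5716 event, or firewall-drop already ran
        ip = m.group("srcip")
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        attempts[ip] += 1
        w = window[ip]
        w.append(ts)
        while ts - w[0] > timedelta(seconds=timeframe):
            w.popleft()           # forget failures older than the timeframe
        if len(w) >= threshold:   # 5720 fires -> active response on this srcip
            blocked_at[ip] = attempts[ip]
    return blocked_at

if __name__ == "__main__":
    short = make_attempts("192.168.10.5", 5)           # list.txt with 5 passwords
    print(replay(short))                               # {} : never blocked
    print(replay(short, threshold=3))                  # {'192.168.10.5': 3}
    print(replay(make_attempts("192.168.10.5", 20)))   # {'192.168.10.5': 8}
```

With the default threshold the 5-line list is fully tested before the frequency rule can fire; with the threshold lowered to 3 the block lands on the third attempt, and a 20-password list is cut off at attempt 8.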