Execute the active response from the API:Ĭurl -k -X PUT " &wait_for_complete=true" -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d ""ĪGENT_ID: List of agent IDs (separated by comma), all agents selected by default if not specified Configure the active response in the manager Add the script of the active response in the agentģ. I’ve done it for Wazuh version 4.2.x, since these versions use binaries, I’ll attach the binary.Ģ. Create a custom active response that just deletes an IP from iptables. To do this you should follow the next steps:ġ. You could run an active response from the manager using the API. Sorry for the late response, it took some time to find a solution to this. You could run it on your agent, or create a custom active response to run it for you from the manager.įinally, you can add the option in the global section nf of the manager with IP addresses that should never be blocked by the active response. For example, if you are using firewall-drop, you will need to run the command that deletes the IP from iptables. If you don’t have a timeout set in your active response, according to the active response you are using the action to unblock the IP could be different. Or, to restart all of them: /var/ossec/bin/agent_control -R -a There are two options to restart the agents from the manager:Ĭurl -k -X PUT " -H "Authorization: Bearer $TOKEN" In that case it it necessary to clear the orphaned null route with a route delete N.N.N.N command where N.N.N.N is the null routed IP. System reboot) while an active response null routing block is in place, has the undesirable effect of making the block permanent such that it will not be cleared automatically. On Windows systems if the service is restarted externally (i.e. If your active response has the option, when the Wazuh agent is restarted on a given system, the intended behavior to cancel any stateful active responses that have not yet timed out.
0 Comments
Leave a Reply. |