Do you want to have an open source Active-Response system capable of acting simultaneously on all your devices? -> Wazuh Active Response...Oh mamma!
Hi friends,
here we are again with another music recommendation, hope you like it: “Primal Scream – Rocks”. It's time to shake it up!!!
First of all: I usually include some humorous comments in my posts, just to make them more entertaining. I like them, they are not very bold (at least in my head), so please nobody be offended.
In this new post we will explore a basic, but essential, capability of any XDR: Active Response. If you have read my previous post (check it here if you want), you will have guessed that I will talk about Wazuh again. If you do not want to read it, here is a summary of what Wazuh is: “Wazuh is a free and open source platform used for threat prevention, detection, and response. It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments.” Check the links in the documentation section.
My intention was to write something describing it, but it is very well explained in the documentation: “Active responses perform various countermeasures to address active threats, such as blocking access to an agent from the threat source when certain criteria are met.
Active responses execute a script in response to the triggering of specific alerts based on the alert level or rule group. Any number of scripts can be initiated in response to a trigger, however, these responses should be considered carefully. Poor implementation of rules and responses may increase the vulnerability of the system.”
There are some predefined commands in Wazuh ready to be used, which is great, but what is most interesting is that you can develop your own responses. A custom active response is a script of your own that is executed when a specific alert, alert level or rule group is triggered. These scripts can be written in any programming language and need two things: a command definition that tells Wazuh how to launch the script, and an active response configuration that determines when and where the command is executed. Active responses can be stateless (the action is applied once and left in place) or stateful (the action is undone automatically after a timeout). Wazuh provides a Python template to start creating your magic... worried about Windows integration? Convert your Python scripts into executable files (.exe) for Windows environments; all the information is on the web.
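To make the "command + configuration + stateful undo" idea concrete, here is an added example of a custom active response script (this is not Wazuh's code nor the author's, and the script name hosts-deny-demo, the constructed execd messages and the use of a file path as argv[1] are assumptions made for the example). It implements the JSON-over-stdin exchange wazuh-execd uses with scripts since Wazuh 4.2: an "add" message, a "check_keys" question back to execd, a "continue" or "abort" answer, and later a "delete" message when the timeout expires. The action mirrors what host-deny does, adding or removing an "ALL:<srcip>" entry in a hosts.deny-style file, but against a path you choose so it can be tried offline.

```python
"""Added example (not Wazuh's code): a stateful custom active response speaking the
JSON-over-stdin protocol wazuh-execd uses for scripts (Wazuh 4.2+):
  1. execd sends one JSON line, "command": "add" (or "delete" when the timeout expires);
  2. on "add" the script answers "check_keys" with the keys identifying the response
     (here the attacker IP) and execd replies "continue", or "abort" if already active;
  3. on "continue" it acts, on "delete" it undoes the action.
The action mirrors host-deny: add/remove "ALL:<srcip>" in a hosts.deny-style file
given as argv[1], so everything can be exercised offline."""
import json
import os
import sys
import tempfile

SCRIPT_NAME = "hosts-deny-demo"  # hypothetical name, not a Wazuh built-in

# Constructed execd message, trimmed to the fields this script reads.
SAMPLE_ADD_MSG = json.dumps({
    "version": 1, "origin": {"name": "wazuh-manager", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {"extra_args": [], "program": "active-response/bin/" + SCRIPT_NAME,
                   "alert": {"rule": {"level": 10, "id": "5712", "groups": ["sshd"]},
                             "data": {"srcip": "192.168.2.14"}}},
})
# The message execd sends when <timeout> expires differs only in the command.
SAMPLE_DELETE_MSG = SAMPLE_ADD_MSG.replace('"command": "add"', '"command": "delete"')

def parse_message(line):
    """Return (command, srcip) from one execd JSON line."""
    msg = json.loads(line)
    return msg["command"], msg["parameters"]["alert"]["data"]["srcip"]

def check_keys_message(keys):
    """Ask execd whether a response for these keys is already active."""
    return json.dumps({
        "version": 1,
        "origin": {"name": SCRIPT_NAME, "module": "active-response"},
        "command": "check_keys",
        "parameters": {"keys": list(keys)},
    })

def deny_entries(deny_path):
    """Non-comment entries of the deny file ([] if the file does not exist)."""
    if not os.path.exists(deny_path):
        return []
    with open(deny_path) as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.lstrip().startswith("#")]

def add_ip(deny_path, srcip):
    """Append 'ALL:<srcip>' unless present; creates the file like host-deny does."""
    entry = "ALL:" + srcip
    if entry in deny_entries(deny_path):
        return False
    with open(deny_path, "a") as fh:
        fh.write(entry + "\n")
    return True

def remove_ip(deny_path, srcip):
    """Remove 'ALL:<srcip>' lines only, leaving comments and other hosts intact."""
    entry = "ALL:" + srcip
    if not os.path.exists(deny_path):
        return False
    with open(deny_path) as fh:
        lines = fh.readlines()
    kept = [ln for ln in lines if ln.strip() != entry]
    if len(kept) == len(lines):
        return False
    with open(deny_path, "w") as fh:
        fh.writelines(kept)
    return True

def handle(line, deny_path, ask_execd):
    """Process one execd message; ask_execd(request_json) returns execd's reply line."""
    command, srcip = parse_message(line)
    if command == "add":
        reply = json.loads(ask_execd(check_keys_message([srcip])))
        if reply.get("command") != "continue":
            return "aborted"  # execd: a response for this key is already active
        return "added" if add_ip(deny_path, srcip) else "present"
    if command == "delete":
        return "deleted" if remove_ip(deny_path, srcip) else "absent"
    return "ignored"

def run_demo():
    """Offline walk-through: add, repeated add (execd aborts), delete after timeout."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    go = lambda _req: json.dumps({"version": 1, "command": "continue"})
    stop = lambda _req: json.dumps({"version": 1, "command": "abort"})
    try:
        first = handle(SAMPLE_ADD_MSG, path, go)
        second = handle(SAMPLE_ADD_MSG, path, stop)
        blocked = deny_entries(path)
        undo = handle(SAMPLE_DELETE_MSG, path, go)
        return first, second, blocked, undo, deny_entries(path)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    # Deployed use: execd pipes the alert on stdin and reads check_keys on stdout.
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/hosts.deny"

    def ask_execd(request):
        sys.stdout.write(request + "\n")
        sys.stdout.flush()
        return sys.stdin.readline()

    print(handle(sys.stdin.readline(), target, ask_execd), file=sys.stderr)
```

The check_keys round trip is what makes the response safe to fire from a noisy rule: if the same attacker trips the rule again while the block is active, execd answers abort and nothing is duplicated, and the delete message it sends after the configured timeout is the only thing that removes the entry. To wire a script like this into Wazuh you would still need a `<command>` block pointing at it and an `<active-response>` block with a `<timeout>`, exactly as for the built-in commands.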
Active-Response: PoC description
In this proof of concept we are going to simulate a brute force attack against the SSH service running on one of the agents enrolled in Wazuh. The objectives of the test are:
- the detection of the attack by Wazuh
- the activation of the desired response on all the enrolled agents, whether Linux or Windows, and on the Wazuh manager. The response will be blocking the IPv4 address of the attacking device.
I have chosen a simple example to show how it works and to make the point that we can apply policies in a distributed way based on a logic, and that this logic can be simple or complex, allowing us to tailor responses to incidents in a granular way.
The following image shows a high-level view of the Active-Response process:
Active-Response: PoC configuration
This link -> active-response is a good starting point before setting up the Wazuh active response feature, and in this sub-link → active-response configuration you'll find the configuration reference.
Here is the configuration that I use in this lab. The file is /var/ossec/etc/ossec.conf; you can edit it with your favourite editor or via the WUI:
Here is the detailed configuration of this proof of concept:
Wondering how to quickly find out the agent ID of each device? Execute the following command on the Wazuh manager:
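Since the configuration itself was a screenshot, here is an added ossec.conf fragment (written for this page, not the author's exact file) that produces the behaviour described in the post: host-deny on the Linux agents and on the manager, netsh on the Windows agent, triggered by sshd alerts and undone after 600 seconds. The agent IDs are the ones listed in the agent_control output; using `<rules_group>sshd</rules_group>` together with `<level>7</level>` (which fires for level 7 and above) and running the manager's copy via `<location>server</location>` are assumptions about how the lab was configured.

```xml
<ossec_config>
  <!-- Commands: <name> is referenced below, <executable> is the file in
       active-response/bin on the host that runs it. A stateful response needs
       timeout_allowed here AND a <timeout> in the active-response block. -->
  <command>
    <name>host-deny</name>
    <executable>host-deny</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>netsh</name>
    <executable>netsh</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- host-deny on the Wazuh manager itself (agent 000) -->
  <active-response>
    <disabled>no</disabled>
    <command>host-deny</command>
    <location>server</location>
    <rules_group>sshd</rules_group>
    <level>7</level>
    <timeout>600</timeout>
  </active-response>

  <!-- host-deny on the Linux agents: defined-agent takes one ID per block -->
  <active-response>
    <disabled>no</disabled>
    <command>host-deny</command>
    <location>defined-agent</location>
    <agent_id>001</agent_id>
    <rules_group>sshd</rules_group>
    <level>7</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <disabled>no</disabled>
    <command>host-deny</command>
    <location>defined-agent</location>
    <agent_id>002</agent_id>
    <rules_group>sshd</rules_group>
    <level>7</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <disabled>no</disabled>
    <command>host-deny</command>
    <location>defined-agent</location>
    <agent_id>004</agent_id>
    <rules_group>sshd</rules_group>
    <level>7</level>
    <timeout>600</timeout>
  </active-response>

  <!-- netsh (Windows Firewall rule) on the Windows agent -->
  <active-response>
    <disabled>no</disabled>
    <command>netsh</command>
    <location>defined-agent</location>
    <agent_id>003</agent_id>
    <rules_group>sshd</rules_group>
    <level>7</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Note that the alert is raised for linuxhost02 but the blocks run wherever `<location>` says, which is what gives the "block on every device" effect; `<location>local</location>` would confine the response to the agent that produced the alert.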
/var/ossec/bin/agent_control -l
Wazuh agent_control. List of available agents:
ID: 000, Name: linux-t101ha (server), IP: 127.0.0.1, Active/Local
ID: 001, Name: raspberrypi-station-2, IP: any, Active
ID: 002, Name: raspberrypi-station-1.home.local, IP: any, Active
ID: 003, Name: WINDOWS-LAPTOP, IP: any, Active
ID: 004, Name: linuxhost02, IP: any, Active
Of course, that information is also available from the WUI: select the agent and read its ID:
Remember to restart Wazuh manager after changing the configuration.
Let's take a look at the commands
These files are located in the /var/ossec/active-response/bin directory on Linux systems, or in C:\Program Files (x86)\ossec-agent\active-response\bin on Windows systems (default installation paths).
Host-deny: Linux agents and Wazuh manager
The host-deny command is configured to use the host-deny script, which is meant for Linux hosts/agents. The active response is configured to launch the host-deny command on the host when the rule and alert conditions are met. Here is the code: https://github.com/wazuh/wazuh/blob/4.3/src/active-response/host-deny.c
If /etc/hosts.deny does not exist on the agent or manager, the response creates it and adds the offending IPv4 address (the attacker's). Keep in mind that hosts.deny is only honoured by services that use TCP Wrappers (libwrap); sshd consults it only if it was built with libwrap support, so check that on your distribution before relying on this command alone.
Netsh: Windows agents
The netsh command acts in a similar way to host-deny but for Windows hosts/agents: it creates a Windows Firewall rule that blocks the attacker's IPv4 address.
Here is the code: https://github.com/wazuh/wazuh/blob/4.3/src/active-response/netsh.c
It's time to have fun! Let's analyze the attack on a Wazuh agent and the response of the Wazuh ecosystem.
Attack and detection: Suppose an attacker starts a brute force attack from 192.168.2.14 against one of our devices, linuxhost02, a Debian system with IPv4 address 192.168.2.8. What this attacker doesn't know is that this host runs a Wazuh agent. After several unsuccessful attempts with multiple users, an alert is fired with a level higher than 7 and that event belongs to the sshd rule group...
Response: Almost immediately after the attack is detected, the response configured to mitigate it is launched: the Wazuh manager instructs all the agents to execute the commands programmed to block the attacker's IPv4 address, in this case 192.168.2.14...
The following image shows the log messages of the response on each of the agents, and because this is a stateful active response, 600 seconds later (10 minutes) the undo action is triggered... this works like a champ!
Here is the content of /etc/hosts.deny on an IoT device, a Raspberry Pi Zero 2W... IoT devices protected with a Wazuh XDR!
$ cat /etc/hosts.deny
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
#                  See the manual pages hosts_access(5) and hosts_options(5).
#
# Example:    ALL: some.host.name, .some.domain
#             ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
ALL:192.168.2.14
And the Windows 11 firewall* rule is there too:
*Note about Windows active response with the netsh command: it seems that Windows itself must manage the firewall. I use Bitdefender on this Windows 11 device, and if it is Bitdefender that manages the firewall, the netsh command does not work, which seems logical of course.
Conclusion
This is a basic proof of concept of Wazuh's active response capability, and it simply works. Now it's time to think about what you can implement in your environment, adding your detection logic and your custom responses (stateless or stateful) for Linux or Windows hosts... you can use Python scripts for AR!
In the same link there is a guide and a Python template to customize it; this is the direct link if you are a lazy person → Customizing the behavior of an AR Python script.
Documentation
Systems Administrator
2 years ago: Amazing!!!
Founder of Wazuh - Information security engineer. Advocate of open source software.
2 years ago: This is an awesome example on how to use Wazuh. Thanks for sharing!