Closed damarisg closed 1 year ago
Case 1 settings (Linux agent):

```xml
<active-response>
<disabled>no</disabled>
<command>host-deny</command>
<location>defined-agent</location>
<agent_id>001</agent_id>
<rules_id>5712</rules_id>
<timeout>5</timeout>
</active-response>
<active-response>
<disabled>no</disabled>
<repeated_offenders>1,2,3</repeated_offenders>
</active-response>
```
ossec.log:

```text
2022/08/30 15:57:16 wazuh-execd: INFO: Adding offenders timeout: 1 (for #1)
2022/08/30 15:57:16 wazuh-execd: INFO: Adding offenders timeout: 2 (for #2)
2022/08/30 15:57:16 wazuh-execd: INFO: Adding offenders timeout: 3 (for #3)
```
An SSH brute-force attack was then attempted against the agent with:

```shell
ssh randomuser@<IP>
```
For this case, it was expected that the IP would be blocked as follows:

1. active-response timeout
2. repeated_offender value 1
3. repeated_offender value 2
4. repeated_offender value 3
5. repeated_offender value 3 if the attack comes before the 3 minute timeout expires, otherwise start all over again (5 seconds, 1 min, 2 min ...)

But it does not respond as expected.

Case 2 settings (negative timeout):

```xml
<timeout>-5</timeout>
```
There is no information in ossec.log about the negative value.

```text
2022/08/31 04:59:51 wazuh-execd[4395] execd.c:379 at ExecdRun(): DEBUG: Adding command 'active-response/bin/host-deny {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-08-31T04:59:52.256+0000","rule":{"level":10,"description":"sshd: brute force trying to get access to the system. Non existent user.","id":"5712","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8,"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss":["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ubuntu1","ip":"FE80:0000:0000:0000:0077:D8FF:FE76:0EB8"},"manager":{"name":"ubuntu2"},"id":"1661921992.10741103","previous_output":"Aug 31 04:59:49 ubuntu-bionic sshd[4984]: Invalid user blimey from 192.168.56.23 port 56598\nAug 31 04:59:48 ubuntu-bionic sshd[4979]: Invalid user blimey from 192.168.56.23 port 56596\nAug 31 04:59:47 ubuntu-bionic sshd[4974]: Invalid user blimey from 192.168.56.23 port 56594\nAug 31 04:59:47 ubuntu-bionic sshd[4972]: Invalid user blimey from 192.168.56.23 port 56592\nAug 31 04:59:46 ubuntu-bionic sshd[4967]: Invalid user blimey from 192.168.56.23 port 56590\nAug 31 04:59:45 ubuntu-bionic sshd[4962]: Invalid user blimey from 192.168.56.23 port 56588\nAug 31 04:59:44 ubuntu-bionic sshd[4957]: Invalid user blimey from 192.168.56.23 port 56586","full_log":"Aug 31 04:59:50 ubuntu-bionic sshd[4989]: Invalid user blimey from 192.168.56.23 port 56600","predecoder":{"program_name":"sshd","timestamp":"Aug 31 04:59:50","hostname":"ubuntu-bionic"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.23","srcport":"56600","srcuser":"blimey"},"location":"/var/log/auth.log"},"program":"active-response/bin/host-deny"}}' to the timeout list, with a timeout of '-5s'.
2022/08/31 04:59:51 wazuh-execd[4395] execd.c:147 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/host-deny {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-08-31T04:59:52.256+0000","rule":{"level":10,"description":"sshd: brute force trying to get access to the system. Non existent user.","id":"5712","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8,"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss":["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ubuntu1","ip":"FE80:0000:0000:0000:0077:D8FF:FE76:0EB8"},"manager":{"name":"ubuntu2"},"id":"1661921992.10741103","previous_output":"Aug 31 04:59:49 ubuntu-bionic sshd[4984]: Invalid user blimey from 192.168.56.23 port 56598\nAug 31 04:59:48 ubuntu-bionic sshd[4979]: Invalid user blimey from 192.168.56.23 port 56596\nAug 31 04:59:47 ubuntu-bionic sshd[4974]: Invalid user blimey from 192.168.56.23 port 56594\nAug 31 04:59:47 ubuntu-bionic sshd[4972]: Invalid user blimey from 192.168.56.23 port 56592\nAug 31 04:59:46 ubuntu-bionic sshd[4967]: Invalid user blimey from 192.168.56.23 port 56590\nAug 31 04:59:45 ubuntu-bionic sshd[4962]: Invalid user blimey from 192.168.56.23 port 56588\nAug 31 04:59:44 ubuntu-bionic sshd[4957]: Invalid user blimey from 192.168.56.23 port 56586","full_log":"Aug 31 04:59:50 ubuntu-bionic sshd[4989]: Invalid user blimey from 192.168.56.23 port 56600","predecoder":{"program_name":"sshd","timestamp":"Aug 31 04:59:50","hostname":"ubuntu-bionic"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.23","srcport":"56600","srcuser":"blimey"},"location":"/var/log/auth.log"},"program":"active-response/bin/host-deny"}}' after a timeout of '-5s'
```

Both log lines come out at the same time and the IP is not blocked (the timeout of -5 does not take effect). The second attack and the following ones work as described in the first case.
Case 3 settings (negative repeated_offenders value):

```xml
<active-response>
<disabled>no</disabled>
<repeated_offenders>-1,2,3</repeated_offenders>
</active-response>
```
The ossec.log on the agent side:

```text
2022/08/31 05:18:20 wazuh-execd[13455] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: -1 (for #1)
2022/08/31 05:18:20 wazuh-execd[13455] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 2 (for #2)
2022/08/31 05:18:20 wazuh-execd[13455] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 3 (for #3)
2022/08/31 05:18:20 wazuh-execd[13473] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: -1 (for #1)
2022/08/31 05:18:20 wazuh-execd[13473] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 2 (for #2)
2022/08/31 05:18:20 wazuh-execd[13473] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 3 (for #3)
2022/09/14 17:37:19 wazuh-execd[3733] execd.c:379 at ExecdRun(): DEBUG: Adding command 'active-response/bin/host-deny {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-14T17:37:19.907+0000","rule":{"level":10,"description":"sshd: brute force trying to get access to the system. Non existent user.","id":"5712","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8,"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss":["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ip-172-31-11-156","ip":"FE80:0000:0000:0000:0080:2CFF:FE31:5001"},"manager":{"name":"ip-172-31-3-33"},"id":"1663177039.1172393","previous_output":"Sep 14 17:37:18 ip-172-31-11-156 sshd[4654]: Invalid user fede from 172.31.6.132 port 34636\nSep 14 17:37:16 ip-172-31-11-156 sshd[4652]: Invalid user fede from 172.31.6.132 port 34634\nSep 14 17:37:15 ip-172-31-11-156 sshd[4650]: Invalid user fede from 172.31.6.132 port 34632\nSep 14 17:37:13 ip-172-31-11-156 sshd[4648]: Invalid user fede from 172.31.6.132 port 34630\nSep 14 17:37:11 ip-172-31-11-156 sshd[4646]: Invalid user fede from 172.31.6.132 port 34628\nSep 14 17:37:08 ip-172-31-11-156 sshd[4644]: Invalid user fede from 172.31.6.132 port 34626\nSep 14 17:36:57 ip-172-31-11-156 sshd[4641]: Invalid user fede from 172.31.6.132 port 34622","full_log":"Sep 14 17:37:19 ip-172-31-11-156 sshd[4656]: Invalid user fede from 172.31.6.132 port 34638","predecoder":{"program_name":"sshd","timestamp":"Sep 14 17:37:19","hostname":"ip-172-31-11-156"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"172.31.6.132","srcport":"34638","srcuser":"fede"},"location":"/var/log/auth.log"},"program":"active-response/bin/host-deny"}}' to the timeout list, with a timeout of '5s'.
2022/09/14 17:37:25 wazuh-execd[3733] execd.c:147 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/host-deny {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-14T17:37:19.907+0000","rule":{"level":10,"description":"sshd: brute force trying to get access to the system. Non existent user.","id":"5712","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8,"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss":["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ip-172-31-11-156","ip":"FE80:0000:0000:0000:0080:2CFF:FE31:5001"},"manager":{"name":"ip-172-31-3-33"},"id":"1663177039.1172393","previous_output":"Sep 14 17:37:18 ip-172-31-11-156 sshd[4654]: Invalid user fede from 172.31.6.132 port 34636\nSep 14 17:37:16 ip-172-31-11-156 sshd[4652]: Invalid user fede from 172.31.6.132 port 34634\nSep 14 17:37:15 ip-172-31-11-156 sshd[4650]: Invalid user fede from 172.31.6.132 port 34632\nSep 14 17:37:13 ip-172-31-11-156 sshd[4648]: Invalid user fede from 172.31.6.132 port 34630\nSep 14 17:37:11 ip-172-31-11-156 sshd[4646]: Invalid user fede from 172.31.6.132 port 34628\nSep 14 17:37:08 ip-172-31-11-156 sshd[4644]: Invalid user fede from 172.31.6.132 port 34626\nSep 14 17:36:57 ip-172-31-11-156 sshd[4641]: Invalid user fede from 172.31.6.132 port 34622","full_log":"Sep 14 17:37:19 ip-172-31-11-156 sshd[4656]: Invalid user fede from 172.31.6.132 port 34638","predecoder":{"program_name":"sshd","timestamp":"Sep 14 17:37:19","hostname":"ip-172-31-11-156"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"172.31.6.132","srcport":"34638","srcuser":"fede"},"location":"/var/log/auth.log"},"program":"active-response/bin/host-deny"}}' after a timeout of '5s'
```
The first attack was reflected in the agent-side ossec.log file, but the following attacks were not registered. On the other hand, the manager keeps getting alerts about the attacks.

alerts.json file:

```json
{"timestamp":"2022-09-14T17:41:28.142+0000","rule":{"level":5,"description":"sshd: Attempt to login using a non-existent user","id":"5710","mitre":{"id":["T1110.001","T1021.004","T1078"],"tactic":["Credential Access","Lateral Movement","Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Password Guessing","SSH","Valid Accounts"]},"firedtimes":42,"mail":false,"groups":["syslog","sshd","authentication_failed","invalid_login"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"pci_dss":["10.2.4","10.2.5","10.6.1"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ip-172-31-11-156","ip":"FE80:0000:0000:0000:0080:2CFF:FE31:5001"},"manager":{"name":"ip-172-31-3-33"},"id":"1663177288.1214723","full_log":"Sep 14 17:41:27 ip-172-31-11-156 sshd[4755]: Invalid user fede from 172.31.6.132 port 34718","predecoder":{"program_name":"sshd","timestamp":"Sep 14 17:41:27","hostname":"ip-172-31-11-156"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"172.31.6.132","srcport":"34718","srcuser":"fede"},"location":"/var/log/auth.log"}
```
Case 4 settings (more repeated_offenders values than the recurrence limit):

```xml
<active-response>
<disabled>no</disabled>
<repeated_offenders>1,2,3,4,5,6,7</repeated_offenders>
</active-response>
```
The ossec.log on the agent side:

```text
2022/08/31 05:29:53 wazuh-execd[22804] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 1 (for #1)
2022/08/31 05:29:53 wazuh-execd[22804] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 2 (for #2)
2022/08/31 05:29:53 wazuh-execd[22804] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 3 (for #3)
2022/08/31 05:29:53 wazuh-execd[22804] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 4 (for #4)
2022/08/31 05:29:53 wazuh-execd[22804] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 5 (for #5)
2022/08/31 05:29:53 wazuh-execd[22822] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 1 (for #1)
2022/08/31 05:29:53 wazuh-execd[22822] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 2 (for #2)
2022/08/31 05:29:53 wazuh-execd[22822] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 3 (for #3)
2022/08/31 05:29:53 wazuh-execd[22822] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 4 (for #4)
2022/08/31 05:29:53 wazuh-execd[22822] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 5 (for #5)
```
Case 5 settings (repeated_offenders set more than once):

```xml
<active-response>
<disabled>no</disabled>
<repeated_offenders>1,2,3</repeated_offenders>
<repeated_offenders>4,5</repeated_offenders>
</active-response>
```
The ossec.log on the agent side:

```text
2022/08/31 06:01:09 wazuh-execd[30581] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 1 (for #1)
2022/08/31 06:01:09 wazuh-execd[30581] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 2 (for #2)
2022/08/31 06:01:09 wazuh-execd[30581] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 3 (for #3)
2022/08/31 06:01:09 wazuh-execd[30597] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 1 (for #1)
2022/08/31 06:01:09 wazuh-execd[30597] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 2 (for #2)
2022/08/31 06:01:09 wazuh-execd[30597] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 3 (for #3)
```
It takes the first repeated_offenders tag. This behavior is not expected, because the second repeated_offenders tag is supposed to overwrite the first appearance.
Case 1 settings (Windows agent):

```xml
<active-response>
<disabled>no</disabled>
<command>netsh</command>
<location>defined-agent</location>
<agent_id>002</agent_id>
<rules_id>60122</rules_id>
<timeout>5</timeout>
</active-response>
<active-response>
<disabled>no</disabled>
<repeated_offenders>1,2,3</repeated_offenders>
</active-response>
```
ossec.log:

```text
2022/08/30 15:57:16 wazuh-execd: INFO: Adding offenders timeout: 1 (for #1)
2022/08/30 15:57:16 wazuh-execd: INFO: Adding offenders timeout: 2 (for #2)
2022/08/30 15:57:16 wazuh-execd: INFO: Adding offenders timeout: 3 (for #3)
```
An RDP brute-force attack was then attempted against the agent with:

```shell
hydra -l <user> -p <wrong-password> rdp://<IP>
```
For this case, it was expected that the IP would be blocked as follows:

1. manager active-response timeout
2. repeated_offender value 1
3. repeated_offender value 2
4. repeated_offender value 3
5. repeated_offender value 3 if the attack comes before the 3 minute timeout expires, otherwise start all over again (5 seconds, 1 min, 2 min ...)

But it does not respond as expected.

Case 2 settings (negative timeout):

```xml
<timeout>-5</timeout>
```
There is no information in ossec.log about the negative value.
The first attack does not execute the active response.
Case 3 settings (negative repeated_offenders value):

```xml
<active-response>
<disabled>no</disabled>
<repeated_offenders>-1,2,3</repeated_offenders>
</active-response>
```
The ossec.log on the agent side:

```text
2022/09/13 18:10:36 wazuh-agent[4460] config.c:139 at ExecdConfig(): INFO: Adding offenders timeout: -1 (for #1)
2022/09/13 18:10:36 wazuh-agent[4460] config.c:139 at ExecdConfig(): INFO: Adding offenders timeout: 2 (for #2)
2022/09/13 18:10:36 wazuh-agent[4460] config.c:139 at ExecdConfig(): INFO: Adding offenders timeout: 3 (for #3)
```
Case 4 settings (more repeated_offenders values than the recurrence limit):

```xml
<active-response>
<disabled>no</disabled>
<repeated_offenders>1,2,3,4,5,6,7</repeated_offenders>
</active-response>
```
The ossec.log on the agent side:

```text
2022/09/14 12:43:25 wazuh-agent[6000] config.c:139 at ExecdConfig(): INFO: Adding offenders timeout: 1 (for #1)
2022/09/14 12:43:25 wazuh-agent[6000] config.c:139 at ExecdConfig(): INFO: Adding offenders timeout: 2 (for #2)
2022/09/14 12:43:25 wazuh-agent[6000] config.c:139 at ExecdConfig(): INFO: Adding offenders timeout: 3 (for #3)
2022/09/14 12:43:25 wazuh-agent[6000] config.c:139 at ExecdConfig(): INFO: Adding offenders timeout: 4 (for #4)
2022/09/14 12:43:25 wazuh-agent[6000] config.c:139 at ExecdConfig(): INFO: Adding offenders timeout: 5 (for #5)
```
Case 5 settings (repeated_offenders set more than once):

```xml
<active-response>
<disabled>no</disabled>
<repeated_offenders>1,2,3</repeated_offenders>
<repeated_offenders>4,5</repeated_offenders>
</active-response>
```
The ossec.log on the agent side:

```text
2022/09/14 13:44:52 wazuh-agent[4512] config.c:139 at ExecdConfig(): INFO: Adding offenders timeout: 1 (for #1)
2022/09/14 13:44:52 wazuh-agent[4512] config.c:139 at ExecdConfig(): INFO: Adding offenders timeout: 2 (for #2)
2022/09/14 13:44:52 wazuh-agent[4512] config.c:139 at ExecdConfig(): INFO: Adding offenders timeout: 3 (for #3)
```
It takes the first repeated_offenders tag. This behavior is not expected, because the second repeated_offenders tag is supposed to overwrite the first appearance.
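The escalation the five cases above expect (the active-response timeout first, then each repeated_offenders value in minutes, repeating the last value while the source keeps reoffending and starting over once a block has expired), together with the configuration checks the cases exercise, modelled as an added example. This is not Wazuh's execd code: the limit of five values is an assumption taken from the case 4 log, and the source IP and offence times are constructed.

```python
from dataclasses import dataclass, field

MAX_OFFENDERS = 5  # assumption: execd only logged values #1..#5 in case 4


def parse_repeated_offenders(tags):
    """Validate every <repeated_offenders> text seen in the config, in order.

    Returns the escalation steps in minutes. The last tag wins (what case 5
    expects), negative values are rejected (cases 2 and 3 show they are
    currently accepted silently), and values past MAX_OFFENDERS are dropped
    (case 4).
    """
    if not tags:
        return []
    steps = []
    for item in tags[-1].split(","):
        minutes = int(item.strip())
        if minutes < 0:
            raise ValueError(f"repeated_offenders must be >= 0, got {minutes}")
        steps.append(minutes)
    return steps[:MAX_OFFENDERS]


@dataclass
class OffenderTracker:
    """Per-source escalation: <timeout> first, then the repeated_offenders steps."""
    base_timeout_s: int            # <timeout> of the active response, seconds
    steps_min: list                # validated repeated_offenders values, minutes
    offences: dict = field(default_factory=dict)  # srcip -> offences so far
    expires: dict = field(default_factory=dict)   # srcip -> when block ends

    def __post_init__(self):
        if self.base_timeout_s < 0:  # case 2: -5 should be rejected, not scheduled
            raise ValueError(f"timeout must be >= 0, got {self.base_timeout_s}")

    def block(self, srcip, now):
        """Return the block duration in seconds to apply for this offence."""
        if now > self.expires.get(srcip, -1):
            self.offences[srcip] = 0     # previous block expired: start over
        n = self.offences.get(srcip, 0)
        if n == 0 or not self.steps_min:
            seconds = self.base_timeout_s
        else:                            # stay on the last step once exhausted
            seconds = self.steps_min[min(n, len(self.steps_min)) - 1] * 60
        self.offences[srcip] = n + 1
        self.expires[srcip] = now + seconds
        return seconds


def escalation_for(base_timeout_s, tags, offence_times, srcip="192.168.56.23"):
    """Durations applied to one source at the given (constructed) offence times."""
    tracker = OffenderTracker(base_timeout_s, parse_repeated_offenders(tags))
    return [tracker.block(srcip, t) for t in offence_times]
```

With `<timeout>5</timeout>` and `1,2,3`, offences at 0, 3, 10, 20 and 30 seconds escalate to 5s, 60s, 120s, 180s, 180s, and a further offence long after the last block expired drops back to 5s.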
Blocked by https://github.com/wazuh/wazuh/issues/15171
Description

This issue aims to implement repeated offenders in active response for Windows, which is currently missing: the same repeated_offenders functionality that exists on Linux, for Windows.

Useful Documentation:

Use cases

- Case 1: If there is a recurrence before the timeout expires
- Case 2: Timeout negative value.
- Case 3: Valid timeout with a negative repeated_offenders value.
- Case 4: repeated_offenders exceeds the established recurrence limit.
- Case 5: repeated_offenders values are set more than once.

Development stage