Mastering Wazuh’s Active Response: Block Malicious IPs with CoPilot & Wazuh!

SOCFortress
3 min readMay 24, 2024

--

🤖 Download CoPilot: https://github.com/socfortress/CoPilot

Introduction

In this post, we’ll explore a powerful new feature within CoPilot that allows you to run active response commands to block IP addresses on a local Windows endpoint’s firewall. Leveraging Wazuh’s active response capabilities, you can now enhance your network security with more automation and precision. Let’s dive into the steps required to set up and use this feature effectively.

Setting Up the Environment

Before you can start blocking IP addresses, you need to ensure your environment is properly configured. Here are the prerequisites:

  1. Update CoPilot: Make sure you have the latest version of Co-pilot installed.
  2. Install Python 11: This is necessary for running the active response script. You can install Python 11 using the provided command or through your preferred method.
Invoke-WebRequest -Uri "https://www.python.org/ftp/python/3.11.0/python-3.11.0-amd64.exe" -OutFile "$env:TEMP\python-3.11.0-amd64.exe"; Start-Process -FilePath "$env:TEMP\python-3.11.0-amd64.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1" -Wait -NoNewWindow
  1. Download the Windows Firewall Executable from the SOCFortress repo : This executable file will be invoked by the Wazuh manager to block IP addresses. You can download it via PowerShell using the following command:
Invoke-WebRequest -Uri "https://repo.socfortress.co/repository/socfortress/active-response/windows_firewall.exe" -OutFile "C:\Program Files (x86)\ossec-agent\active-response\bin\windows_firewall.exe" -Credential (New-Object System.Management.Automation.PSCredential ("socfortress_installer", (ConvertTo-SecureString "6cV8uJqnQffDa3Upx" -AsPlainText -Force)))

Configuration

Next, you’ll need to configure the Wazuh manager to recognize and run the active response command. Follow these steps:

  1. Edit the Wazuh Configuration: Open the Wazuh configuration file and add the new active response command. The command should point to the executable file you downloaded earlier.
<command>
<name>windows_firewall</name>
<executable>windows_firewall.exe</executable>
<timeout_allowed>no</timeout_allowed>
</command>

<active-response>
<disabled>no</disabled>
<command>windows_firewall</command>
<location>local</location>
<timeout>60</timeout>
</active-response>

2. Add Wazuh rules:

<group name="active_response,">
<rule id="600000" level="10">
<decoded_as>json</decoded_as>
<field name="active_response">windows_firewall</field>
<description>Windows Firewall Active Response triggered.</description>
<group>socfortress,</group>
<options>no_full_log</options>
</rule>
</group>

3. Restart Wazuh Manager: After updating the configuration, restart the Wazuh manager service to apply the changes.

Testing the Setup

With the setup complete, you can now test the active response feature. Here’s how:

❗ — See video linked at beginning of post for more detailed walkthrough ❗

  1. Invoke the Block Command: From the CoPilot interface, select the action to block an IP address. For example, to block 1.1.1.1, input the IP address and submit the command.
  2. Verify the Block: Check the local firewall settings on the endpoint to ensure the IP address is blocked. You can also try pinging the IP address to confirm it is blocked.

Additional Features

CoPilot and Wazuh provide additional features to enhance your monitoring and response capabilities:

  1. View Logs in Grafana: You can view logs of active response actions in Grafana. This helps in monitoring and verifying the execution of your commands.
  2. Unblock IP Addresses: Similar to blocking, you can also unblock IP addresses from the CoPilot interface. This feature is useful for managing temporary blocks.

Global Blocking

One of the powerful features of this setup is the ability to block IP addresses across all endpoints:

  1. Use the Overview Page: From the Co-pilot overview page, you can invoke the block command for all registered endpoints.
  2. Flexible Scripting: Wazuh’s active response allows for extensive customization. You can write and execute custom scripts for various active responses, making it a versatile tool for network security.

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

--

--

SOCFortress
SOCFortress

Written by SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).

Responses (1)