OPNsense Forum

Archive => 24.1, 24.4 Legacy Series => Topic started by: _tribal_ on March 04, 2024, 12:34:55 AM

Title: Wazuh active response doesn't work
Post by: _tribal_ on March 04, 2024, 12:34:55 AM
Trying to configure Wazuh active response... Wazuh sends events to the server... and they are triggered, but the plugin on the router gives an error :o:
wazuh-execd[8576] execd.c 271 at ExecdRun(): DEBUG: Active response won't be added to timeout list. Message not received with alert keys from script 'active-response/bin/opnsense-fw'

and in SERVICES: WAZUH AGENT: LOGFILE / OSSEC:
wazuh-logcollector[70753] logcollector.c 1101 at handle_file(): DEBUG: (1963): Unable to open file '/var/ossec/logs/active-responses.log'.

wazuh server settings:
  <command>
    <name>opnsense-fw</name>
    <executable>opnsense-fw</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>opnsense-fw</command>
    <location>all</location>
    <rules_group>attack</rules_group>
    <timeout>180</timeout>
  </active-response>


opnsense wazuh plugin settings:
  <!-- Active response -->
  <active-response>
    <disabled>no</disabled>
    <repeated_offenders>180,1800,3600,14400,28800</repeated_offenders>
  </active-response>


I have tried different variants with the exact agent index and without repeated blocking, the error is still present.

Does anyone have this plugin working? Can you tell me what I'm doing wrong? :'(

os-wazuh-agent 1.0_1
OPNsense 24.1.2_1-amd64 OPNsense 24.1.4-amd64
FreeBSD 13.2-RELEASE-p10
OpenSSL 3.0.13

UPD: maybe it's related to the health check finding 2 errors in the wazuh agent plugin:
wazuh-agent is missing a required shared library: libthr.so.3
wazuh-agent is missing a required shared library: libc.so.7
Title: Re: Wazuh active response doesn't work
Post by: mimugmail on March 21, 2024, 10:21:31 PM
Active response is on the Manager, not the agent, correct?
Title: Re: Wazuh active response doesn't work
Post by: _tribal_ on March 22, 2024, 12:12:39 AM
I didn't quite understand the question.
Active response should be configured in both agent and manager. I took the settings for the agent (opnsense plugin) and manager (separate server) from the OPNsense documentation, with a small modification from the Wazuh documentation (added intervals of address repeat blocking). But when the rule is triggered in the manager, the address that should be added to the alias for blocking is not forwarded to the agent; instead I get an error message, which I showed in my post.
Title: Re: Wazuh active response doesn't work
Post by: mimugmail on March 22, 2024, 08:20:49 AM
Active response doesn't need an agent. The manager can execute the script and send the API call to OPNsense :)
Title: Re: Wazuh active response doesn't work
Post by: _tribal_ on March 22, 2024, 11:21:22 AM
Okay, then why am I seeing this error in the wazuh agent log?
wazuh-execd[8576] execd.c 271 at ExecdRun(): DEBUG: Active response won't be added to timeout list. Message not received with alert keys from script 'active-response/bin/opnsense-fw'

And the IP address does not appear in FIREWALL: ALIASES: __wazuh_agent_drop ::)

That's what I wrote about in the original post.
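As an added illustration (not the plugin's opnsense-fw script and not code from this thread), this is the stdin/stdout exchange between wazuh-execd and an active-response script in Wazuh 4.x that the "alert keys" debug line above refers to: execd writes the alert as one JSON line to the script's stdin, and a script run with timeout_allowed is expected to answer with a check_keys message, then wait for execd's continue/abort before acting. The sample messages, the srcip value and the use of "opnsense-fw" as the script name are constructed assumptions.

```python
import json
import sys
# Constructed sample of what wazuh-execd writes to the script's stdin (assumption:
# field layout follows the Wazuh 4.x custom active-response documentation).
SAMPLE_ADD = json.dumps({
    "version": 1, "origin": {"name": "node01", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {"extra_args": [], "program": "active-response/bin/opnsense-fw",
                   "alert": {"rule": {"groups": ["attack"]},
                             "data": {"srcip": "198.51.100.23"}}},
})
SAMPLE_CONTINUE = json.dumps({"version": 1, "command": "continue", "parameters": {}})

def parse_execd_message(line: str) -> dict:
    """Parse one JSON message from wazuh-execd; reject anything else early."""
    msg = json.loads(line)
    if msg.get("version") != 1 or "command" not in msg:
        raise ValueError("not a Wazuh active-response message")
    return msg

def alert_keys(msg: dict) -> list:
    """The key the block is tracked by: the alert's source IP, if present."""
    alert = msg.get("parameters", {}).get("alert", {})
    srcip = alert.get("data", {}).get("srcip")
    return [srcip] if srcip else []

def check_keys_message(script_name: str, keys: list) -> dict:
    """Reply execd waits for before it adds the action to its timeout list."""
    return {"version": 1, "origin": {"name": script_name, "module": "active-response"},
            "command": "check_keys", "parameters": {"keys": keys}}

def decide(add_msg: dict, reply: dict):
    """Map execd's answer to the action to run: 'add', or None when it says abort."""
    if reply.get("command") == "abort":
        return None
    if reply.get("command") != "continue":
        raise ValueError("unexpected execd reply: %r" % reply.get("command"))
    return add_msg["command"]

def main():
    add_msg = parse_execd_message(sys.stdin.readline())
    keys = alert_keys(add_msg)
    action = add_msg["command"]
    if action == "add":  # 'delete' (timeout expiry) carries no check_keys handshake
        print(json.dumps(check_keys_message("opnsense-fw", keys)), flush=True)
        action = decide(add_msg, parse_execd_message(sys.stdin.readline()))
    sys.stderr.write("action=%s keys=%s\n" % (action, keys))  # a real script calls the API here

if __name__ == "__main__":
    main()
```

Without the check_keys reply, execd has nothing to key the timeout entry on, which is the condition the "Active response won't be added to timeout list" line describes.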