Auto Block Malicious IPs With Wazuh’s Active Response

OpenSecure
4 min read · May 1, 2022

Windows Firewall and Wazuh’s Active Response

Intro

Wazuh’s Active Response feature lets us run any kind of task at the moment an alert fires. This post shows how to block, in real time, a known malicious IP that a Windows host attempted to connect to. Previously, we implemented a similar strategy on a Linux host:

Now we will build a PowerShell script that creates a Windows Firewall block rule from the data observed in the Wazuh alert.

Requirements

Windows Agent Scripts

Let’s first deploy the two scripts (PowerShell and CMD) that Wazuh will invoke when running the Active Response. Wazuh will invoke our firewall.cmd script, which will call our windowsfirewall.ps1 script via PowerShell 7. I placed these scripts in the `C:\Program Files (x86)\ossec-agent\active-response\bin` directory on the endpoint.

$INPUT_JSON = Read-Host
$INPUT_ARRAY = $INPUT_JSON | ConvertFrom-Json

Reads the full alert (one line of JSON on stdin) that the Wazuh Manager sends to our endpoint, and parses it into an object so the individual fields can be addressed by name.

$command = $INPUT_ARRAY."command"

Extracts the command sent by the Wazuh Manager and assigns it to the command variable. Wazuh sends add when the IP should be put on the blocklist (the alert just fired) and delete when it should be removed again (the timeout configured for the active response has expired).

$hostip = (Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | where {$_.DHCPEnabled -ne $null -and $_.DefaultIPGateway -ne $null}).IPAddress | Select-Object -First 1

Gets the endpoint’s own IP address (the first address of the first adapter that has a default gateway) and assigns it to the hostip variable, so that the script never blocks the host itself. Get-CimInstance is used rather than Get-WmiObject because the latter does not exist in PowerShell 7.

$destinationip = $INPUT_ARRAY."parameters"."alert"."data"."misp"."value"

Strips out the value of the destination IP within the field `data.misp.value` and assigns it to the destinationip variable. If the IP address for your use case is contained in a different field name, simply replace `data.misp.value` with your own.

#Add Destination IP to Windows Firewall
if ( $command -eq 'add' -and $destinationip -ne '127.0.0.1' -and $destinationip -ne '0.0.0.0' -and $destinationip -ne $hostip ) {
    New-NetFirewallRule -DisplayName "Wazuh Active Response - $destinationip" -Direction Outbound -LocalPort Any -Protocol TCP -Action Block -RemoteAddress $destinationip
    echo "$destinationip added to blocklist via Windows Firewall" | ConvertTo-Json -Compress | Out-File -Width 2000 "C:\Program Files (x86)\ossec-agent\active-response\active-responses.log" -Append -Encoding ascii
}

Creates a new outbound Windows Firewall rule that blocks the extracted IP address, unless that IP is 127.0.0.1, 0.0.0.0, or the host’s own address. The log entry "destinationip added to blocklist via Windows Firewall" is appended to C:\Program Files (x86)\ossec-agent\active-response\active-responses.log. Note that the rule as written blocks TCP only; drop -Protocol TCP and -LocalPort Any if UDP and ICMP to the IoC should be blocked as well. Also note that Windows does not enforce unique display names, so a second add for the same IP creates a second rule with the same name (the delete below removes all of them at once).

#Remove Destination IP from Windows Firewall
if ( $command -eq 'delete' -and $destinationip -ne '127.0.0.1' -and $destinationip -ne '0.0.0.0' -and $destinationip -ne $hostip ) {
    Remove-NetFirewallRule -DisplayName "Wazuh Active Response - $destinationip"
    echo "$destinationip removed from blocklist via Windows Firewall" | ConvertTo-Json -Compress | Out-File -Width 2000 "C:\Program Files (x86)\ossec-agent\active-response\active-responses.log" -Append -Encoding ascii
}

Removes every rule carrying the blocked IP’s display name once the timeout period has expired and Wazuh re-runs the script with the delete command.
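The pieces above assembled into one windowsfirewall.ps1, as an added example that is not the post’s own file. It keeps the post’s logic (add/delete driven by the JSON on stdin, IoC taken from data.misp.value, self-protection against loopback, unspecified and local addresses) and adds the checks a practitioner would want: the IoC is validated as a literal IPv4 address before it reaches a firewall cmdlet, all protocols are blocked rather than TCP only, duplicate rules are not created, and every decision is logged with a timestamp. The rule-name prefix, the log path, the Write-ArLog/Get-LocalIPv4Addresses/Test-BlockableIP helper names and the use of pwsh.exe (PowerShell 7) are assumptions.

```powershell
# windowsfirewall.ps1 -- assembled example, not the original post's script.
# Assumes the Wazuh 4.2+ active-response JSON arrives as one line on stdin and
# that firewall.cmd launches this file with pwsh.exe (PowerShell 7).
# Assumed constants: rule-name prefix and the agent's active-response log path.
$RulePrefix = 'Wazuh Active Response - '
$LogFile    = 'C:\Program Files (x86)\ossec-agent\active-response\active-responses.log'

function Write-ArLog {
    param([string]$Message)
    # Same log file the Wazuh agent uses; one compact JSON object per line, ASCII.
    $entry = @{ timestamp = (Get-Date).ToString('o'); script = 'windowsfirewall.ps1'; message = $Message }
    $entry | ConvertTo-Json -Compress | Out-File -FilePath $LogFile -Append -Encoding ascii -Width 2000
}

function Get-LocalIPv4Addresses {
    # Every IPv4 address bound to an adapter that has a default gateway.
    # CIM works on both Windows PowerShell 5.1 and PowerShell 7 (Get-WmiObject does not).
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.DefaultIPGateway } |
        ForEach-Object { $_.IPAddress } |
        Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' }
}

function Test-BlockableIP {
    param([string]$Ip, [string[]]$LocalIps)
    # Refuse anything that is not a literal IPv4 address (no hostnames, no CIDR,
    # nothing an attacker-controlled alert field could turn into an odd rule),
    # and anything that would cut the host off from itself.
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$parsed)) { return $false }
    if ($parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    if ([System.Net.IPAddress]::IsLoopback($parsed)) { return $false }
    if ($Ip -eq '0.0.0.0' -or $Ip -eq '255.255.255.255') { return $false }
    if ($LocalIps -contains $Ip) { return $false }
    return $true
}

# 1. Read the whole alert the manager pushed to this agent and parse it.
$inputJson = Read-Host
$alert     = $inputJson | ConvertFrom-Json
$command   = $alert.command                            # 'add' or 'delete'
$target    = $alert.parameters.alert.data.misp.value   # replace with your own field if needed

# 2. Decide whether this IP may be touched at all.
$localIps = @(Get-LocalIPv4Addresses)
if (-not (Test-BlockableIP -Ip $target -LocalIps $localIps)) {
    Write-ArLog "refusing to act on '$target' (command=$command)"
    exit 0
}

# 3. Apply or revert the block; look the rule up once so add is idempotent.
$ruleName = "$RulePrefix$target"
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue

switch ($command) {
    'add' {
        if ($existing) {
            Write-ArLog "$target already blocked, not creating a duplicate rule"
        } else {
            # No -Protocol: block every outbound protocol to the IoC, not only TCP.
            New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
                -RemoteAddress $target -Profile Any | Out-Null
            Write-ArLog "$target added to blocklist via Windows Firewall"
        }
    }
    'delete' {
        if ($existing) {
            $existing | Remove-NetFirewallRule
            Write-ArLog "$target removed from blocklist via Windows Firewall"
        } else {
            Write-ArLog "no rule named '$ruleName' to remove"
        }
    }
    default {
        Write-ArLog "unknown command '$command', ignoring"
    }
}
```

The post does not show firewall.cmd; the assumption here is a one-line batch wrapper in the same bin directory such as `pwsh.exe -ExecutionPolicy Bypass -NonInteractive -File "%~dp0windowsfirewall.ps1"`, which inherits the agent’s stdin so Read-Host receives the alert JSON. Because the script validates the IoC before building the rule, a MISP attribute that is not a plain IPv4 address (a domain, a CIDR range, an IPv6 address) is logged and skipped instead of being handed to New-NetFirewallRule.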

Wazuh Manager

Now we need to configure Wazuh so that it knows when to run this script. Let’s take advantage of our previous MISP integration to analyze destination IPs within all Sysmon Event 3 Alerts (Network Connections). The MISP integration can be followed here:

Our Windows Firewall Active Response script can be configured to trigger when MISP has a match on an IP address that it received from the Wazuh Manager.

In our case, we are focused on rule.id 100622. Open up the ossec.conf file on your Wazuh Manager and add the below:

<command>
<name>windowsfirewall</name>
<executable>firewall.cmd</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
<disabled>no</disabled>
<command>windowsfirewall</command>
<location>local</location>
<rules_id>100622</rules_id>
<timeout>60</timeout>
</active-response>

The above instructs the Wazuh Manager to run the firewall.cmd script, with the add command, on the agent that triggered a 100622 alert (MISP — IoC found in Threat Intel — Category: Network activity, Attribute: 139.60.161.74). Because timeout_allowed is yes and timeout is 60, the agent runs the same script again with the delete command 60 seconds later, which is what removes the rule.

Add the below to the ossec.conf file on the Wazuh Agent. The repeated_offenders values are timeouts in minutes that replace the 60-second timeout when the same IP triggers the response again (60 minutes on the second hit, 300 on the third, 600 after that):

<active-response>
<disabled>no</disabled>
<repeated_offenders>60,300,600</repeated_offenders>
</active-response>

Restart the Wazuh Manager and the Agent.

Testing

I will use below command to generate a Network Connection to an IP address that is contained within my MISP instance.

cmd.exe /c msiexec /q /I "https://139.60.161.74"

We now see the MISP IoC Alert trigger:

Now if we check our Windows Firewall on the endpoint, we see the IP added to a deny rule:

Any traffic to that IP is now blocked:
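What the screenshots above show, as a check you can run from a PowerShell prompt on the endpoint (an added example, not from the original post). Get-NetFirewallRule alone does not print the remote address a rule blocks; that lives in the rule’s address filter, so the helper joins the two. The rule-name prefix and the IoC address are taken from the post; the Get-WazuhBlockRules helper name is an assumption.

```powershell
# Verify the active response on the endpoint (added example, not the post's code).
# Assumes the rule-name prefix used in the post and the post's IoC address.
$ioc = '139.60.161.74'

function Get-WazuhBlockRules {
    # Every rule the active response created, joined with the remote address it blocks.
    Get-NetFirewallRule -DisplayName 'Wazuh Active Response - *' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                DisplayName   = $_.DisplayName
                Enabled       = $_.Enabled
                Direction     = $_.Direction
                Action        = $_.Action
                RemoteAddress = ($addr.RemoteAddress -join ',')
            }
        }
}

# 1. The deny rule exists and points at the IoC.
Get-WazuhBlockRules | Format-Table -AutoSize

# 2. Outbound traffic to the IoC is dropped: with the rule in place the TCP
#    handshake never leaves the host, so TcpTestSucceeded is False.
Test-NetConnection -ComputerName $ioc -Port 443 -WarningAction SilentlyContinue |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 3. The agent's own log records the add and, after the timeout, the delete.
Get-Content 'C:\Program Files (x86)\ossec-agent\active-response\active-responses.log' -Tail 5
```

Run the check twice, once right after the MISP alert and once after the 60-second timeout: the first run should list the rule and a failed TCP test, the second should list no rule and a log line reporting the removal.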
