
Block Unauthorized Users with Active Response! - Let's Build a Host Intrusion Detection System 

2.7K views

Join me as we block unauthorized users with Wazuh's Active Response feature! Let's deploy a Host Intrusion Detection System and SIEM with free open source tools. Join me as we explore and learn together.
Check us out: www.opensecure.co/
Interact with our demo: www.opensecure.co/demo
Hire us: www.opensecure.co/contact-us

Science

Published: 23 Apr 2021

Comments: 15
@HouseJunk1e, 3 years ago
Why don't you ever include the links you say will be there? I'm looking for your initial active response video. :)
@taylorwalton_socfortress, 3 years ago
ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-aK85aNXhU-E.html :)
@taylorwalton_socfortress, 3 years ago
There should have been a link in the top right of the video, I think it is a small and circled "i", but I will make sure to include mentioned videos in my descriptions going forward. Thanks for watching and for the feedback!
@HouseJunk1e, 3 years ago
@taylorwalton_socfortress Thank you :) Love your vids.
@marciolima174, 3 years ago
Can I get an IP with an example that tried to scan the server and put it in the list to block it directly? Or is it better to configure the rule, so that in case it is broken it already activates the response?
@taylorwalton_socfortress, 3 years ago
Hey Marcio, apologies for the late reply. I am having a hard time understanding what you are looking to do. Are you looking to add any IP address that triggers this alert to a CDB list that is contained within a rule, to automatically drop any traffic sent from an IP within that list?
@marciolima174, 3 years ago
@taylorwalton_socfortress I managed to create an active response for vulnerability scan in rule.id 5706; more for example rule.id 5701 (Exploit Public-Facing Application), MITRE ATT&CK T1190. Do I create it the same way? firewall-drop local 007 5706 60 30,60,120
@taylorwalton_socfortress, 3 years ago
Hey Marcio, in your example you need to change the tag from local to defined-agent, since you only want active response to run on the agent id 007. Other options are described here: documentation.wazuh.com/current/user-manual/reference/ossec-conf/active-response.html#location. You can also add multiple rule ids within the same active response tag with comma separation. Taking your example above, this would enable active response for rules 5706 and 5701: firewall-drop defined-agent 007 5706,5701 60 30,60,120. Hope this helps.
@marciolima174, 3 years ago
@taylorwalton_socfortress If I want to ban any violation of these rules, can I remove the timeout and repeat_offenders?
@taylorwalton_socfortress, 3 years ago
Within the block of the firewall-drop.sh, you would change yes to no: documentation.wazuh.com/current/user-manual/capabilities/active-response/remediation-configuration.html