os-wazuh-agent: Active response "add" and "abort" events at the same time
**Important notices**

Before you add a new report, we ask you kindly to acknowledge the following:
- [x] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
- [x] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
- [x] The title contains the plugin to which this issue belongs
**Describe the bug**

Almost all active response events "add" and "abort" IP addresses at exactly the same time. As a result, attacking IP addresses are unfortunately not blocked. Debugging the Wazuh agent logs shows only one "add" event but no "abort" event. Therefore it seems that it is not the Wazuh agent that tries to "abort" these events.
I edited /var/ossec/active-response/bin/opnsense-fw manually to disable the code related to "abort" and "continue", and everything works as expected.
I guess there is something wrong in this code, but I did not figure out the reason, unfortunately.
I also had a look at Linux servers with the same Wazuh agent version, but there "abort" events are rare.
I would appreciate it if someone could have a look at this active response code.
Thanks a lot and keep up your good work on OPNsense.
**To Reproduce**

Steps to reproduce the behavior:
- Go to 'Services: Wazuh Agent: Logfile / active-responses'
- Search for 'abort'
- Extract the IP address from "srcip"
- Search for this IP address
- You see two events at exactly the same time: an "add" event and an "abort" event.

**Expected behavior**

After an "add" event, no "abort" or "continue" event should follow if it is not initiated by the Wazuh agent.
**Relevant log files**

Received : {"version": 1, "origin": {"name": "node01", "module": "wazuh-execd"}, "command": "add", "parameters": {"extra_args": [], "alert": {"timestamp": "2025-05-28T08:31:32.226+0200", "rule": {"level": 10, "description": "Multiple web server 400 error codes from same source ip.",[...]
Received : {"version": 1, "origin": {"name": "node01", "module": "wazuh-execd"}, "command": "abort", "parameters": {"extra_args": [], "alert": {"timestamp": "2025-05-28T08:31:32.226+0200", "rule": {"level": 10, "description": "Multiple web server 400 error codes from same source ip." [...]

**Environment**

- OPNsense 25.1.7_4-amd64
- os-wazuh-agent 1.2_1
- Wazuh-Agent v4.12.0
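The manual triage in the reproduction steps (find an "abort", take its "srcip", look for an "add" with the same timestamp) can be automated over the active-responses log. The following is an added example, not code from the reporter or from the os-wazuh-agent plugin; it assumes the log lines have the `Received : {json}` shape shown above and that the source address sits at `parameters.alert.data.srcip`, as in Wazuh alerts. The sample lines are constructed and use documentation addresses.

```python
import json
import re
from collections import defaultdict

# Constructed sample of "Received : {...}" lines in the shape the Wazuh
# active-response log uses. The srcip location (parameters.alert.data.srcip)
# is assumed from the Wazuh alert format, not taken from the report.
SAMPLE_LOG = """\
Received : {"version": 1, "origin": {"name": "node01", "module": "wazuh-execd"}, "command": "add", "parameters": {"extra_args": [], "alert": {"timestamp": "2025-05-28T08:31:32.226+0200", "rule": {"level": 10, "description": "Multiple web server 400 error codes from same source ip."}, "data": {"srcip": "198.51.100.23"}}}}
Received : {"version": 1, "origin": {"name": "node01", "module": "wazuh-execd"}, "command": "abort", "parameters": {"extra_args": [], "alert": {"timestamp": "2025-05-28T08:31:32.226+0200", "rule": {"level": 10, "description": "Multiple web server 400 error codes from same source ip."}, "data": {"srcip": "198.51.100.23"}}}}
Received : {"version": 1, "origin": {"name": "node01", "module": "wazuh-execd"}, "command": "add", "parameters": {"extra_args": [], "alert": {"timestamp": "2025-05-28T08:40:01.000+0200", "rule": {"level": 10, "description": "Multiple web server 400 error codes from same source ip."}, "data": {"srcip": "203.0.113.9"}}}}
"""

RECEIVED = re.compile(r"^Received\s*:\s*(\{.*\})\s*$")


def parse_received(line):
    """Return (command, alert timestamp, srcip) for one 'Received : {...}' line, else None."""
    m = RECEIVED.match(line)
    if not m:
        return None
    try:
        msg = json.loads(m.group(1))
    except json.JSONDecodeError:
        return None  # truncated lines (e.g. ending in "[...]") are skipped
    alert = msg.get("parameters", {}).get("alert", {})
    srcip = alert.get("data", {}).get("srcip")
    return msg.get("command"), alert.get("timestamp"), srcip


def find_instant_aborts(log_text):
    """Map srcip -> alert timestamps at which an 'abort' shares the exact
    timestamp of an 'add' for the same source address (the symptom reported)."""
    seen = defaultdict(set)  # (srcip, timestamp) -> set of commands seen
    for line in log_text.splitlines():
        parsed = parse_received(line)
        if parsed is None or parsed[2] is None:
            continue
        cmd, ts, ip = parsed
        seen[(ip, ts)].add(cmd)
    hits = defaultdict(list)
    for (ip, ts), cmds in seen.items():
        if {"add", "abort"} <= cmds:
            hits[ip].append(ts)
    return dict(hits)


if __name__ == "__main__":
    for ip, stamps in find_instant_aborts(SAMPLE_LOG).items():
        print(f"{ip}: add+abort at {', '.join(stamps)}")
```

Run it against a copy of the real log to list every address whose block was aborted in the same instant it was added; addresses that only ever got "add" (like 203.0.113.9 in the sample) are not reported.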