{"id":38611195,"url":"https://github.com/sjinks/wazuh-ar-ipset","last_synced_at":"2026-01-17T08:44:42.632Z","repository":{"id":328263289,"uuid":"1112735035","full_name":"sjinks/wazuh-ar-ipset","owner":"sjinks","description":"Wazuh Active Response Script to Add IP to `ipset` List","archived":false,"fork":false,"pushed_at":"2025-12-12T02:04:12.000Z","size":36,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-12-13T08:18:02.331Z","etag":null,"topics":["active-response","firewall","ipset","security","wazuh"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sjinks.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"custom":["https://www.paypal.com/donate/?hosted_button_id=SAG6877JDJ3KU","https://send.monobank.ua/jar/7rosVfiwKM"]}},"created_at":"2025-12-09T03:03:05.000Z","updated_at":"2025-12-12T02:04:14.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/sjinks/wazuh-ar-ipset","commit_stats":null,"previous_names":["sjinks/wazuh-ar-ipset"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/sjinks/wazuh-ar-ipset","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sjinks%2Fwazuh-ar-ipset","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sjinks%2Fwazuh-ar-ipset/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sjinks%2Fwazuh-ar-ipset/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sjinks%2Fwazuh-ar-ipset/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sjinks","download_url":"https://codeload.github.com/sjinks/wazuh-ar-ipset/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sjinks%2Fwazuh-ar-ipset/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28504460,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-17T06:57:29.758Z","status":"ssl_error","status_checked_at":"2026-01-17T06:56:03.931Z","response_time":85,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["active-response","firewall","ipset","security","wazuh"],"created_at":"2026-01-17T08:44:41.949Z","updated_at":"2026-01-17T08:44:42.608Z","avatar_url":"https://github.com/sjinks.png","language":"C","funding_links":["https://www.paypal.com/donate/?hosted_button_id=SAG6877JDJ3KU","https://send.monobank.ua/jar/7rosVfiwKM"],"categories":[],"sub_categories":[],"readme":"# wazuh-ar-ipset\n\nStateful Wazuh Active Response (AR) script that manages Linux `ipset` sets based on Wazuh alerts.\n\n- Language: C23 (via CMake)\n- Dependencies: `libipset`, `libcjson` (cJSON)\n- Environment: executed by `wazuh-execd`, typically as `root`, on Wazuh agents.\n\nThis project is designed to be **safe first** (it runs as root and talks to the kernel) and **fast enough**, but not micro‑optimized.\n\n## What it does\n\n- Reads a Wazuh Active Response JSON message from `stdin`.\n- Extracts the source IP from the alert and resolves the target ipset name using `parameters.extra_args` (IPv4/IPv6 sets).\n- Implements the **stateful AR protocol**:\n  - For `command: \"add\"`:\n    - Sends a `check_keys` control message with the IP back to Wazuh over `stdout`.\n    - Waits for a response with `command: \"continue\"` or `\"abort\"`.\n    - On `continue`, adds the IP to the configured ipset.\n    - On `abort`, logs and exits without modifying ipsets.\n  - For `command: \"delete\"`:\n    - Deletes the IP from the configured ipset.\n\nAll interaction with ipsets is done via `libipset` through a small wrapper layer in `src/ipset.*`.\n\n## Building\n\nThis project uses CMake and assumes `libipset` and `libcjson` development packages are installed.\n\nOn a typical Debian/Ubuntu‑like system you might need (names may vary by distro):\n\n```bash\nsudo apt-get update\nsudo apt-get install -y libipset-dev libcjson-dev cmake build-essential\n```\n\nConfigure and build:\n\n```bash\ncd /workspaces/wazuh-ar-ipset  # or your clone path\ncmake -S . -B build\ncmake --build build --clean-first -v\n```\n\nThe resulting binary (for example `firewall-ipset`) should appear in the `build/` directory.\n\n## Installing into Wazuh\n\nOn the Wazuh **agent** where you want to run this AR:\n\n1. Copy the built binary into the agent active‑response directory (adjust path and name as needed):\n\n  ```bash\n  sudo install -o root -g wazuh -m 750 build/firewall-ipset /var/ossec/active-response/bin/firewall-ipset\n  ```\n\n2. On the Wazuh **manager**, configure the command and active response in `/var/ossec/etc/ossec.conf` (simplified example). Note that the command is expected to run as `root` so that `ipset` operations succeed:\n\n  ```xml\n  \u003cossec_config\u003e\n    \u003ccommand\u003e\n      \u003cname\u003efirewall-ipset\u003c/name\u003e\n      \u003cexecutable\u003efirewall-ipset\u003c/executable\u003e\n      \u003ctimeout_allowed\u003eyes\u003c/timeout_allowed\u003e\n      \u003c!-- extra_args[0] = IPv4 set, extra_args[1] = IPv6 set (space-separated) --\u003e\n      \u003cextra_args\u003ear-ipset-v4 ar-ipset-v6\u003c/extra_args\u003e\n    \u003c/command\u003e\n\n    \u003cactive-response\u003e\n      \u003cdisabled\u003eno\u003c/disabled\u003e\n      \u003ccommand\u003efirewall-ipset\u003c/command\u003e\n      \u003clocation\u003elocal\u003c/location\u003e\n      \u003c!-- adjust rule IDs / groups as needed --\u003e\n      \u003crules_id\u003e12345\u003c/rules_id\u003e\n      \u003ctimeout\u003e600\u003c/timeout\u003e\n    \u003c/active-response\u003e\n  \u003c/ossec_config\u003e\n  ```\n\n3. Restart Wazuh components to apply changes:\n\n  ```bash\n  sudo systemctl restart wazuh-agent\n  sudo systemctl restart wazuh-manager\n  ```\n\nPlease adapt names, rule IDs, and timeouts to your environment.\n\n### Creating ipset sets\n\nBefore using this Active Response, you must create the ipset sets referenced in `extra_args` (for example, `ar-ipset-v4` and `ar-ipset-v6`). Run the following commands on the Wazuh agent as `root`:\n\n```bash\n# IPv4 set (hash of IPv4 addresses)\nsudo ipset create ar-ipset-v4 hash:ip family inet\n\n# IPv6 set (hash of IPv6 addresses)\nsudo ipset create ar-ipset-v6 hash:ip family inet6\n```\n\nThese commands create two simple hash-based sets suitable for blocking IP addresses. Adjust the names and ipset options (e.g., `timeout`, `maxelem`) as needed for your environment.\n\n## Wazuh Active Response protocol\n\nThis binary follows Wazuh’s **stateful Active Response** pattern. For full details, see the official documentation:\n\n- Wazuh docs: [Custom Active Response scripts](https://documentation.wazuh.com/current/user-manual/capabilities/active-response/custom-active-response-scripts.html)\n\nKey points:\n\n- Input is a single JSON object per invocation, read from `stdin`.\n- For stateful ARs, the script can send a `check_keys` control message and must wait for Wazuh’s response (`continue` / `abort`).\n- Each JSON message exchanged is sent as a single line terminated by `\\n`.\n - `parameters.extra_args` MUST be an array of two elements:\n   - index 0: ipset name used for IPv4 addresses\n   - index 1: ipset name used for IPv6 addresses\n\n### State diagram\n\nThe following Mermaid state diagram summarizes the main stateful AR flow implemented by this binary:\n\n```mermaid\nstateDiagram-v2\n  [*] --\u003e ReadAlert\n  ReadAlert: Read alert JSON from stdin\n\n  ReadAlert --\u003e ParseAlert\n  ParseAlert: Parse JSON, extract srcip, command, list name\n\n  ParseAlert --\u003e DecideCommand\n  DecideCommand: Decide add/delete\n\n  DecideCommand --\u003e AddFlow: command == \"add\"\n  DecideCommand --\u003e DeleteFlow: command == \"delete\"\n\n  state AddFlow {\n    [*] --\u003e SendControl\n    SendControl: Send check_keys control message\n    SendControl --\u003e WaitResponse\n    WaitResponse: Wait for response JSON\n    WaitResponse --\u003e HandleResponse\n    HandleResponse: Parse response.command\n    HandleResponse --\u003e AddIp: response.command == \"continue\"\n    HandleResponse --\u003e Abort: response.command == \"abort\" or invalid\n    AddIp: Add IP to ipset\n    AddIp --\u003e ExitAdd\n    Abort: Log abort/invalid\n    Abort --\u003e ExitAdd\n    ExitAdd: Exit with OS_SUCCESS/OS_FAILURE\n  }\n\n  state DeleteFlow {\n    [*] --\u003e DeleteIp\n    DeleteIp: Delete IP from ipset\n    DeleteIp --\u003e ExitDelete\n    ExitDelete: Exit with OS_SUCCESS/OS_FAILURE\n  }\n\n  ExitAdd --\u003e [*]\n  ExitDelete --\u003e [*]\n```\n\n## Testing locally\n\nYou can exercise the binary locally by piping a sample AR JSON message into it. This does **not** fully emulate Wazuh, but is useful to verify parsing and basic error handling.\n\n1. Build the project (see **Building** above), then from the repo root create a minimal two-line test file. This example uses placeholder ipset names `ar-ipset-v4` and `ar-ipset-v6` that should already exist on the system:\n\n  ```bash\n  cat \u003e sample-add.json \u003c\u003c 'EOF'\n  {\"version\":1,\"origin\":{\"name\":\"test-agent\",\"module\":\"wazuh-execd\"},\"command\":\"add\",\"parameters\":{\"extra_args\":[\"ar-ipset-v4\",\"ar-ipset-v6\"],\"alert\":{\"data\":{\"srcip\":\"192.0.2.10\"}},\"program\":\"firewall-ipset\"}}\n  {\"version\":1,\"origin\":{\"name\":\"test-manager\",\"module\":\"wazuh-execd\"},\"command\":\"continue\",\"parameters\":{}}\n  EOF\n  ```\n\n   - **Line 1** is the alert message with `command: \"add\"`.\n   - **Line 2** is the simulated Wazuh response with `command: \"continue\"`.\n\n2. Run the binary as `root`, feeding it both JSON messages via `stdin`:\n\n  ```bash\n  sudo ./build/firewall-ipset \u003c sample-add.json\n  ```\n\n   The program will:\n   - Read line 1 (alert), parse it, and print a `check_keys` control message to `stdout`.\n   - Read line 2 (response), see `command: \"continue\"`, and attempt to add the IP to the configured ipset.\n\n3. To test the `delete` path, create a similar one-line file, for example:\n\n  ```bash\n  echo '{\"version\":1,\"origin\":{\"name\":\"test-agent\",\"module\":\"wazuh-execd\"},\"command\":\"delete\",\"parameters\":{\"extra_args\":[\"ar-ipset-v4\",\"ar-ipset-v6\"],\"alert\":{\"data\":{\"srcip\":\"192.0.2.10\"}},\"program\":\"firewall-ipset\"}}' \u003e sample-delete.json\n  sudo ./build/firewall-ipset \u003c sample-delete.json\n  ```\n\n   In this case, the program will directly attempt to remove the IP from the configured ipset and then exit.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsjinks%2Fwazuh-ar-ipset","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsjinks%2Fwazuh-ar-ipset","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsjinks%2Fwazuh-ar-ipset/lists"}