Skip to content

Wazuh agent repeated offenders #5116

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
AdSchellevis merged 1 commit into from
Jan 6, 2026
Merged

Wazuh agent repeated offenders #5116

AdSchellevis merged 1 commit into from
Jan 6, 2026

Conversation

@mbedworth
Copy link
Contributor

@mbedworth mbedworth commented Jan 1, 2026

Summary

This PR adds GUI configuration for the Wazuh repeated_offenders active response setting and fixes a pre-existing bug in the opnsense-fw.conf template.

Changes

New Feature: Repeated Offenders Configuration

Adds a text field in Services > Wazuh Agent > Settings > Active Response that allows configuring escalating block timeouts for repeat offenders.

Example value: 30,60,120

  • 1st offense: normal timeout from manager
  • 2nd offense: 30 minutes
  • 3rd offense: 60 minutes
  • 4th+ offense: 120 minutes

This setting was previously only configurable by manually editing files in ossec_config.d/.

Bug Fix: opnsense-fw.conf template

Fixed a bug where the template referenced OPNsense.WazuhAgent.wazuh_command.fw_alias_ignore instead of the correct path OPNsense.WazuhAgent.active_response.fw_alias_ignore. This caused template generation to fail when using the firewall alias ignore feature.

Files Changed

File Change
models/OPNsense/WazuhAgent/WazuhAgent.xml Added repeated_offenders TextField, bumped version to 1.0.3
controllers/OPNsense/WazuhAgent/forms/settings.xml Added UI field for repeated_offenders
service/templates/OPNsense/WazuhAgent/ossec.conf Moved active-response block inline (required for variable access)
service/templates/OPNsense/WazuhAgent/opnsense-fw.conf Fixed wazuh_command -> active_response reference
service/templates/OPNsense/WazuhAgent/ossec_config.d/005-active-response.conf DELETED (moved to ossec.conf)

Technical Notes

The active-response configuration block was moved from ossec_config.d/005-active-response.conf to the main ossec.conf template. This is required because config fragments included with without context cannot access template variables directly (only helpers.* functions work). Since repeated_offenders needs variable interpolation, the block must be in the main template.

Testing

Tested on:

  • OPNsense 25.7.10
  • os-wazuh-agent 1.2_3
  • wazuh-agent 4.12.0
  • FreeBSD 14.3-RELEASE-p7

Verified:

  • Template generates correctly with and without repeated_offenders value
  • Agent loads configured timeout values on startup
  • Active response blocking functions correctly
  • Escalation triggers for repeat offenders

Screenshots

The new field appears in the Active Response section:

[ Active response ]
  ☑ Enable
  Firewall command ignore: [dropdown]
  Repeated offenders: [30,60,120___________]
  ☐ Wazuh remote commands (advanced)

AdSchellevis
AdSchellevis reviewed Jan 1, 2026
View reviewed changes
security/wazuh-agent/src/opnsense/scripts/wazuh/opnsense-fw
"parameters":{
"keys": [event['parameters']['alert']['rule']['id']]
unique_key = "%s-%s" % (event['parameters']['alert']['rule']['id'], srcip)
"keys": [unique_key]
Copy link
Member

@AdSchellevis AdSchellevis Jan 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mbedworth did you rebase your branch? this change looks like the one we merged recently

Copy link
Contributor Author

@mbedworth mbedworth Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

my fault let me try that again.... New to this process sorry.

Copy link
Member

@AdSchellevis AdSchellevis Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mbedworth no problem, we all learn every day.

AdSchellevis
AdSchellevis reviewed Jan 1, 2026
View reviewed changes
security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf Outdated
</client_buffer>

<!-- Active response -->
<active-response>
Copy link
Member

@AdSchellevis AdSchellevis Jan 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we better remove the without context below to keep the structure as is, there's a risk 005-active-response.conf will still exist and cause issues for some.

@mbedworth mbedworth force-pushed the wazuh-agent-repeated-offenders branch from 6ebaa9a to 93a1355 Compare January 6, 2026 00:30
@mbedworth
[wazuh-agent] Add repeated_offenders config, fix template issues
4a606fc 
- Add repeated_offenders field to active response settings
- Remove 'without context' from ossec.conf include loop to allow
  variable access in config fragments
- Fix opnsense-fw.conf template bug: wazuh_command -> active_response
- Bump model version to 1.0.3
@mbedworth mbedworth force-pushed the wazuh-agent-repeated-offenders branch from 93a1355 to 4a606fc Compare January 6, 2026 00:38
@mbedworth
Copy link
Contributor Author

mbedworth commented Jan 6, 2026
edited
Loading

Hope that worked!

Summary
Adds GUI configuration for the Wazuh repeated_offenders active response setting and fixes two template issues.
Changes

New feature: repeated_offenders field in Active Response settings - allows comma-separated escalating timeout values (e.g., 60,90,120,180,240)
Template fix: Removed without context from ossec.conf include loop - allows config fragments to access template variables
Bug fix: Fixed opnsense-fw.conf referencing wrong path (wazuh_command → active_response)

Files Changed

WazuhAgent.xml - Added field, bumped version to 1.0.3
settings.xml - Added UI field
ossec.conf - Removed without context
ossec_config.d/005-active-response.conf - Added repeated_offenders output
opnsense-fw.conf - Fixed variable path

Tested On

OPNsense 25.7.10 / os-wazuh-agent 1.2_3 / wazuh-agent 4.12.0

@mbedworth mbedworth requested a review from AdSchellevis January 6, 2026 02:49
@AdSchellevis AdSchellevis self-assigned this Jan 6, 2026
@AdSchellevis AdSchellevis added the feature Adding new functionality label Jan 6, 2026
@AdSchellevis
Copy link
Member

AdSchellevis commented Jan 6, 2026

@mbedworth clean and simple, nice, thanks!

@AdSchellevis AdSchellevis merged commit 565bd02 into opnsense:master Jan 6, 2026
@mbedworth mbedworth deleted the wazuh-agent-repeated-offenders branch January 6, 2026 23:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AdSchellevis AdSchellevis Awaiting requested review from AdSchellevis

Assignees

@AdSchellevis AdSchellevis

Labels

feature Adding new functionality

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mbedworth @AdSchellevis