Active response rules in 0015-ossec_rules.xml


OSSIM Notify

Jan 24, 2022, 11:22:55 AM
to Wazuh mailing list
Good Morning,

Prior to the recent changes to Active Response, we used to monitor AR events using rules 600 and 607 from the 0015-ossec_rules.xml file.  These rules no longer seem to fire when our custom scripts are run successfully via Active Response.  We also attempted to monitor for rules 650 and 657 but have had no success thus far.

Basically, we are trying to understand what default rules should be triggered when a custom script receives its "add" command so that we can monitor that event for troubleshooting and alerting.  Any insight would be greatly appreciated.  Thanks in advance.

Miguel Angel Cazajous

Jan 24, 2022, 11:08:56 PM
to Wazuh mailing list
Hi ossim,

Since 4.2.0, Active Response has had a big change. The information sent to the module is no longer passed via in-line arguments, but via STDIN. You need to adapt your old scripts to work with this update.

https://documentation.wazuh.com/current/release-notes/release-4-2-0.html#breaking-changes

Basically, every active-response will receive a full JSON alert as input, which each active-response is in charge of parsing to extract the required fields. More detailed information can be found here.

https://documentation.wazuh.com/current/user-manual/capabilities/active-response/custom-active-response.html

There we share a set of scripts that work on Linux and Windows to parse the information and perform the actions.

Those rules you mention still work as before. As an example, a very common use of rule 657 is to know when a file is deleted, let's say when it is integrated with Virus Total to remove a threat.

Let me know if that is useful. In case you already took a look at those links, let me prepare an environment so we can take a deeper look at this. Regards!

OSSIM Notify

Jan 26, 2022, 11:39:11 AM
to Miguel Angel Cazajous, Wazuh mailing list
Hi Miguel,

Thank you for your prompt response.  We did rewrite our active response scripts to accommodate the change to AR in the recent patch.  We used the Python example provided in the documentation as a basis for our new scripts, and they do trigger and execute successfully.  So that is working well!  However, it seems that when these "add" events trigger the script successfully, we are not seeing an accompanying event for rule 650 or 657 in Wazuh and this has us puzzled.

We would like to be able to track AR events in Wazuh by searching on Event ID 657 (as we used to do with Event ID 607 before the recent update), but it does not seem to be working for us.  Any insight or assistance that you can provide would be greatly appreciated.  Thanks.


Miguel Angel Cazajous

Jan 28, 2022, 5:54:57 PM
to Wazuh mailing list
Hi Ossim,

I was testing a simple Virus Total integration to trigger the 657 rule, unsuccessfully.
With 607 it just works, as shown below.

[attached image: 3.png]

But I'm not getting events with the 657 ID. I would need to take a deeper look and also discuss this with the AR and rule teams to give you a better approach.

Sorry for the inconvenience and late response.

OSSIM Notify

Jan 31, 2022, 1:46:11 PM
to Miguel Angel Cazajous, Wazuh mailing list
Hi Miguel,

Thank you for the update on your findings.  I am not able to reproduce your results in my test environment, which is Wazuh 4.2.4.  My new Python scripts (based off of the documentation example) trigger successfully and run as expected; however, they are not generating any events for rules 600, 607, 650 or 657 as far as I can tell.

Please advise when you hear back from the AR team.  Also, if you or the team recommend that I upgrade my test environment to the latest version, I can try that as well, but I am unsure if that will solve this unless they are tracking a known issue.  Thanks for your assistance thus far!

Miguel Angel Cazajous

Feb 1, 2022, 4:33:17 PM
to Wazuh mailing list
Hello Ossim,

If the AR scripts are doing their job, the issue seems to be related to the log written to the active-responses.log file. Once you execute the AR, check the active-responses.log file and find the entry for that execution.

I'm thinking about these scenarios:
- Your scripts are not logging anything in active-responses.log.
- Your active-responses.log is not being monitored, which would be strange, since it is configured by default.
- The decoder can't decode that log, so the rule is not triggered.

So I would like to ask you to check for an entry like this in the /var/ossec/etc/ossec.conf file on your manager.
[attached image: 5.png]
With this, we know the log file is being monitored.

In my case, the log I get for the AR execution is this:
[attached image: 6.png]

It is possible to check if the log will be decoded and trigger an alert using wazuh-logtest.
[attached image: 7.png]

Miguel Angel Cazajous

Feb 1, 2022, 7:32:13 PM
to Wazuh mailing list
One more comment. You may want to take a look at the AR decoders.

https://github.com/wazuh/wazuh/blob/master/ruleset/decoders/0010-active-response_decoders.xml

For rule 607 (parent 600), the log generated should match the regex in the ar_log decoder.

So, your scripts should be logging something that the ar_log decoder is capable of decoding.

Let me know if this was useful. Have a good day!
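Putting the two technical points of this thread together (since 4.2 the script receives a full JSON message on STDIN, and the line it writes to active-responses.log must be something the ar_log decoder can decode), here is an added Python example. It is not the script from the Wazuh documentation and not code from anyone in this thread. The script name custom-ar.py, the alert contents in SAMPLE_INPUT and the self-check regex LOG_LINE_RE are assumptions made for this example; the STDIN message layout and the check_keys handshake follow the documented custom active response protocol, and the "timestamp script: message" log layout mirrors what the documentation's Python example writes (verify both against your copy of the docs and the decoder file linked above).

```python
import datetime
import json
import re
import sys

# Assumed default Wazuh install prefix; adjust if your deployment differs.
LOG_FILE = "/var/ossec/logs/active-responses.log"

# Constructed sample of the JSON that wazuh-execd writes to the script's STDIN
# since 4.2 (field layout as documented for custom active responses; the alert
# contents themselves are made up for this example).
SAMPLE_INPUT = json.dumps({
    "version": 1,
    "origin": {"name": "worker01", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {
            "timestamp": "2022-01-31T13:46:11.000+0000",
            "rule": {"id": "100002", "level": 10,
                     "description": "constructed test alert"},
            "agent": {"id": "001", "name": "test-agent"},
            "data": {"srcip": "192.0.2.10"},
        },
        "program": "/var/ossec/active-response/bin/custom-ar.py",
    },
})


def parse_message(raw):
    """Parse one execd message and return the fields a script usually needs."""
    msg = json.loads(raw)
    params = msg.get("parameters", {})
    alert = params.get("alert", {})
    return {
        "command": msg.get("command"),  # "add" or "delete"
        "program": params.get("program"),
        "rule_id": alert.get("rule", {}).get("id"),
        "agent_id": alert.get("agent", {}).get("id"),
        "srcip": alert.get("data", {}).get("srcip"),
    }


def check_keys(script_name, keys, stdout=None, stdin=None):
    """check_keys handshake: tell execd which keys identify this action and
    wait for its 'continue' or 'abort' verdict. Returns True to continue.
    The streams are parameters so the exchange can be exercised offline."""
    stdout = stdout or sys.stdout
    stdin = stdin or sys.stdin
    request = {
        "version": 1,
        "origin": {"name": script_name, "module": "active-response"},
        "command": "check_keys",
        "parameters": {"keys": keys},
    }
    stdout.write(json.dumps(request) + "\n")
    stdout.flush()
    reply = json.loads(stdin.readline())
    return reply.get("command") == "continue"


def format_log_line(script_name, text, now=None):
    """One line in the '<YYYY/MM/DD HH:MM:SS> <script>: <text>' shape."""
    now = now or datetime.datetime.now()
    return f"{now.strftime('%Y/%m/%d %H:%M:%S')} {script_name}: {text}"


# Assumed self-check pattern for the line shape above, for local sanity testing
# only. The authoritative pattern is the ar_log decoder in
# ruleset/decoders/0010-active-response_decoders.xml, and wazuh-logtest is what
# tells you whether a given line is decoded and which rule fires.
LOG_LINE_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \S+: \S.*$")


def log_line_is_well_formed(line):
    return LOG_LINE_RE.match(line) is not None


def main(argv=None):
    argv = argv or sys.argv
    script_name = argv[0]
    fields = parse_message(sys.stdin.readline())
    if fields["command"] == "add":
        if not check_keys(script_name, [fields["rule_id"] or "unknown"]):
            return 0  # execd answered abort: do nothing
        text = f"add received for rule {fields['rule_id']} srcip {fields['srcip']}"
    elif fields["command"] == "delete":
        text = f"delete received for rule {fields['rule_id']} srcip {fields['srcip']}"
    else:
        text = f"unexpected command {fields['command']!r}"
    line = format_log_line(script_name, text)
    with open(LOG_FILE, "a") as fh:  # the file the manager monitors as a localfile
        fh.write(line + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

To troubleshoot the missing 600/607 or 650/657 events, copy one line this script appended to active-responses.log, paste it into wazuh-logtest on the manager, and see whether the ar_log decoder claims it and which rule (if any) matches; if nothing is decoded, the line shape is the problem, and if it decodes but no rule fires, compare against the rule definitions in 0015-ossec_rules.xml.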