Custom Active Response script not working


Steve O'Brien

May 9, 2023, 7:37:31 PM
to Wazuh mailing list
I created a python active response script that I want called when a custom rule is triggered.
I added this to the manager config:

  <command>
    <name>paloalto-block_ip-rule</name>
    <executable>paloalto-block_ip-rule</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>paloalto-block_ip-rule</command>
    <location>local</location>
    <rules_id>100008</rules_id>
  </active-response>

However when rule 100008 is triggered I am not seeing the active response in the /var/ossec/logs/active-responses.log.  I have another active response configured that triggers on rules groups that are associated with the 100008 rule id:

  <active-response>
    <command>firewalld-drop</command>
    <location>local</location>
    <rules_group>attack|authentication_failures|authentication_failed</rules_group>
    <level>10</level>
    <repeated_offenders>20,60,1440</repeated_offenders>
  </active-response>

and I see those trying to trigger firewalld-drop:
2023/05/09 01:43:09 active-response/bin/firewalld-drop:  {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{redacted log message}


Am I doing something wrong? 

Made sure to follow the manual
sudo chmod 750 /var/ossec/active-response/bin/<CUSTOM_SCRIPT>
sudo chown root:wazuh /var/ossec/active-response/bin/<CUSTOM_SCRIPT>
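
For reference, a minimal stdin handler for a custom active-response script, added here as an example rather than the script from this thread. It consumes the one-line JSON that wazuh-execd writes to the script (the shape visible in the active-responses.log line above) and assumes the script is named paloalto-block_ip-rule.py, that the address to block lives at alert.data.srcip, and the default log path:

```python
"""Skeleton of a custom active-response script that consumes the execd message.

Added example, not the script from the thread. Reads the one-line JSON that
wazuh-execd writes to stdin, validates it and returns the action to take.
The script name, the srcip location and the log path are assumptions.
"""
import ipaddress
import json
import sys
from datetime import datetime

LOG_FILE = "/var/ossec/logs/active-responses.log"  # assumed default location
SCRIPT_NAME = "paloalto-block_ip-rule.py"          # assumed; must match <executable>


def parse_message(raw):
    """Validate one execd message; return (command, srcip, rule_id) or raise ValueError."""
    msg = json.loads(raw)
    if msg.get("version") != 1:
        raise ValueError("unsupported message version")
    if msg.get("origin", {}).get("module") != "wazuh-execd":
        raise ValueError("message was not produced by wazuh-execd")
    command = msg.get("command")
    if command not in ("add", "delete"):
        raise ValueError("unknown command %r" % command)
    alert = msg.get("parameters", {}).get("alert", {})
    # The value ends up in a firewall API call, so accept only a real IP
    # address, never an arbitrary string taken from the alert.
    srcip = str(ipaddress.ip_address(str(alert.get("data", {}).get("srcip", ""))))
    rule_id = str(alert.get("rule", {}).get("id", ""))
    return command, srcip, rule_id


def format_log_line(command, srcip, rule_id, stamp=None):
    """Build a line in the style execd uses in active-responses.log."""
    stamp = stamp or datetime.now().strftime("%Y/%m/%d %H:%M:%S")
    return "%s active-response/bin/%s: %s %s rule=%s" % (
        stamp, SCRIPT_NAME, command, srcip, rule_id)


def main():
    command, srcip, rule_id = parse_message(sys.stdin.readline())
    with open(LOG_FILE, "a") as fh:
        fh.write(format_log_line(command, srcip, rule_id) + "\n")
    # The vendor-specific firewall call for `command` on `srcip` would go here.


if __name__ == "__main__":
    main()
```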

Nico Brambilla

May 9, 2023, 8:09:10 PM
to Wazuh mailing list
Hi Steve O'Brien, thanks for trusting Wazuh.

I think these links could be useful:
How to set integrator.debug=2

Please take a look at these notes of the active-response link that I shared with you:

Note: To avoid partial matches, add a comma at the end of the group string. For example, <rules_group>group_a,|group_b,|group_c,</rules_group>. Also, check that the rule group in your rule definitions ends with a comma as well. This is usually the case in the Wazuh default ruleset. For example, <group>group_b,</group>.

Not ending the group string with a comma implies that the group string is a substring open for partial matches. For example, the group string authentication matches rule groups authentication, authentication_success, and authentication_failure, while the group string authentication, matches only rule group authentication.


Note: When setting level, rules_group, and rules_id together, the active response will be triggered whenever any rule matches one of these options. In other words, they are accumulative options, not restrictive.


Please, set integrator.debug=2 and share these logs with me so I can help you.

I will be looking forward to hearing from you

Best Regards

Nicolás Brambilla
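
The two notes above, modelled as a small simulation (an added example, not Wazuh's own code or anything from this thread): each '|'-separated alternative in <rules_group> is treated as a substring of the alert's comma-terminated group string, and level, rules_group and rules_id are checked as alternatives. The >= level comparison and the constructed alert values are assumptions.

```python
"""Model of how one <active-response> block is matched against an alert.

Added example, not Wazuh's own code. Each '|'-separated alternative in
<rules_group> is matched as a substring of the alert's group string (so a
trailing comma prevents partial matches), and <level>, <rules_group> and
<rules_id> accumulate, so any one of them matching fires the response.
The level comparison (>=) and the alert values below are assumptions.
"""


def group_matches(rules_group, alert_groups):
    """True if any alternative of rules_group occurs anywhere in alert_groups."""
    return any(alt in alert_groups for alt in rules_group.split("|") if alt)


def lint_rules_group(rules_group):
    """Alternatives lacking a trailing comma, i.e. the ones open to partial matches."""
    return [alt for alt in rules_group.split("|") if alt and not alt.endswith(",")]


def triggers(ar, alert):
    """True if the <active-response> config `ar` fires for `alert`.

    ar:    optional keys "level" (int), "rules_group" (str), "rules_id" (comma-separated str)
    alert: keys "level" (int), "groups" (comma-terminated str), "rule_id" (str)
    """
    if "level" in ar and alert["level"] >= ar["level"]:
        return True
    if "rules_group" in ar and group_matches(ar["rules_group"], alert["groups"]):
        return True
    if "rules_id" in ar and alert["rule_id"] in ar["rules_id"].split(","):
        return True
    return False


# Constructed alert: a failed SSH login raised to level 10 by custom rule 100008.
ALERT = {"level": 10, "groups": "syslog,sshd,authentication_failed,", "rule_id": "100008"}

# The two configurations from the thread, plus a strict and a loose group pattern.
FIREWALLD_DROP = {"rules_group": "attack|authentication_failures|authentication_failed", "level": 10}
PALOALTO_BLOCK = {"rules_id": "100008"}
STRICT_GROUPS = {"rules_group": "attack,|authentication_failures,|authentication_failed,"}
LOOSE_GROUPS = {"rules_group": "authentication"}  # would also match authentication_success,

if __name__ == "__main__":
    for name, ar in (("firewalld-drop", FIREWALLD_DROP), ("paloalto-block", PALOALTO_BLOCK),
                     ("strict", STRICT_GROUPS), ("loose", LOOSE_GROUPS)):
        print(name, triggers(ar, ALERT), "partial-match risk:", lint_rules_group(ar.get("rules_group", "")))
```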

Steve O'Brien

May 15, 2023, 4:03:11 PM
to Nico Brambilla, Wazuh mailing list

Thanks Nico,

Do I set integrator.debug=2 on the client /var/ossec/etc/internal_options.conf or the server?

What file does that log to?



Steve O'Brien, Senior Network Administrator

National Solar Observatory

Daniel K. Inouye Solar Telescope Project

22 Ohi’a Ku Street, Pukalani, HI 96768




Steve O'Brien

May 17, 2023, 1:28:31 PM
to Nico Brambilla, Wazuh mailing list
Hey Nico,
Just wondering if you are going to respond or if I should ask the group again?




Nico Brambilla

May 17, 2023, 3:19:44 PM
to Wazuh mailing list
Thanks Steve, sorry for the lateness of my response.

You need to set up integrator.debug=2 in /var/ossec/etc/internal_options.conf on the wazuh-server.

I will keep waiting for your answer.

Cheers

Nico B.

Jamie Navarro

May 17, 2023, 10:24:53 PM
to Wazuh mailing list
Hi Steve,

I'm in no way qualified to give you an intelligent answer as I'm super new to Wazuh. However, I was just trying to set up Active Response on my new Wazuh system with a Python script too. But I was having issues with it not firing. It wasn't until I added the extension .py to the 'executable' tag would it work.

So just for the heck of it, maybe try changing:
<executable>paloalto-block_ip-rule</executable>
to:
<executable>paloalto-block_ip-rule.py</executable>

So that it matches your Python script's filename exactly.

(Don't forget to restart the wazuh-manager after making that change, if you decide to follow this silly idea ;) )

Jamie

Steve O'Brien

May 18, 2023, 7:10:58 PM
to Nico Brambilla, Wazuh mailing list
Hi Nico,
Still wondering what log file on the wazuh-manager to look at for integrator.debug=2 messages.




Nico Brambilla

May 29, 2023, 11:21:57 AM
to Wazuh mailing list
Hi Steve,

You need to check `ossec.log` (on a default installation it is under `/var/ossec/logs/ossec.log`), and additionally, if you're setting up an integration, you need to check `/var/ossec/logs/integration.log`.

In addition to that, Jamie Navarro is pointing out something that is true. You need to put the extension on the <executable> tag, as he said:


So just for the heck of it, maybe try changing:
<executable>paloalto-block_ip-rule</executable>
to:
<executable>paloalto-block_ip-rule.py</executable>

So that it matches your Python script's filename exactly.

(Don't forget to restart the wazuh-manager after making that change, if you decide to follow this silly idea ;) )

Best Regards

Nico B.

Nico Brambilla

Jun 2, 2023, 5:52:20 PM
to Wazuh mailing list
Hi Steve, were you able to resolve the main issue?

Best regards

Nico B.
