Active Response: Python script with paramiko module


Heron Michanikus

Feb 13, 2023, 11:40:48 AM2/13/23
to Wazuh mailing list
Hello!

I am trying to write a Python script for active response. After a certain rule has appeared, this script has to connect to the remote host via SSH and get information about the processes.
For the remote connection I use the paramiko module.
When I run my script from the terminal to check, everything works just fine. But with active response, this script does not work.
If I remove the "import paramiko" line in the Python script, everything works just fine again.
I think there are problems using the paramiko module, but I can't figure out why, or how I can change that.

#!/usr/local/bin/python3.10
# -*- coding: utf-8 -*-
import os
import sys
import json
import datetime
import re
import paramiko

Mauricio Ruben Santillan

Feb 13, 2023, 2:03:31 PM2/13/23
to Wazuh mailing list
Hello Heron,

Have in mind that Active Response is capable of running scripts on the endpoints and/or on the Wazuh Manager. In order for it to run on your endpoints, the script should be located on the endpoint itself.
So, there would be no need to connect to it, unless for some reason you need to run it on your Wazuh Manager instead of your endpoint.
Now, because of what you already commented: if it works when you remove the import paramiko line, it might be a problem with your script's code, or maybe you're just missing that module on the server you're trying to run the script on. If this is the case, you could install the module on your Wazuh Server (or wherever you're trying to run it).
Also, if you run the script manually, does it run properly?

It would be useful to see the active-response module you've configured in your Wazuh Manager along with the corresponding command module for your script. Also, the log file from the manager (/var/ossec/logs/ossec.log) could provide information if the issue is related to Wazuh. Otherwise, you might need to add some debugging feature to your script.

You can find information about Active Response here:

Looking forward to your comments.

Heron Michanikus

Feb 14, 2023, 4:20:45 AM2/14/23
to Wazuh mailing list
Hello, Mauricio!

Thanks very much for helping.
I used your advice and I was able to solve my problem - I ran the script on the endpoints.

Now, about my previous comment.
I checked my Python script many times and did not find errors.
The paramiko module has been installed appropriately.

If I use - 

#!/usr/bin/python10
# -*- coding: utf-8 -*-
# import paramiko   # commented out: with this line active, nothing is written
import sys
import json
import datetime
import re


if __name__ == "__main__":
    # Wazuh hands the alert to the active-response script as one JSON line on stdin
    param = sys.stdin.readline()

    # Append a timestamp and the raw alert to a results file to prove the script ran
    with open('/home/results.txt', 'a') as myfile:
        myfile.write("\n" + str(datetime.datetime.now()) + "\n")
        myfile.write("Hello rule_control.py\n")
        myfile.write("JSON: " + param)

everything work well

But, if I use

#!/usr/bin/python10
# -*- coding: utf-8 -*-
import paramiko
import sys
import json
import datetime
import re

nothing is written to the file

Monday, February 13, 2023 at 22:03:31 UTC+3, Mauricio Ruben Santillan:

Mauricio Ruben Santillan

Feb 14, 2023, 9:59:02 PM2/14/23
to Heron Michanikus, Wazuh mailing list
Hi Heron,

I'm glad my response was helpful.

Now, about your script: it doesn't look like it's using the paramiko module.
Also, I found that this module needs to be installed. Have you installed it?
In any case, you should check the error the script shows when running it with import paramiko.

I found a blog post that shows an example of how to use this module here: https://linuxhint.com/paramiko-python/

I hope it helps!



--
Mauricio Santillan
IT Security Engineer - Support DRI
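An added diagnostic script that follows the advice above to capture the error (my example, not the poster's script or Wazuh's own code): it wraps the import in a probe and appends the traceback, the interpreter path and sys.path to the same results file, which is usually enough to see whether the agent runs a different interpreter than the terminal does. It assumes the agent passes one JSON line on stdin and that the log path is writable by the agent user; the sample alert is constructed.

```python
#!/usr/bin/env python3
# Diagnostic active-response wrapper (added example, not the poster's code).
import datetime
import importlib
import json
import sys
import traceback

LOG_PATH = "/home/results.txt"  # same file the poster's script appends to
SAMPLE_ALERT = '{"rule": {"id": "100001"}}'  # constructed, used only when stdin is a terminal


def probe_import(module_name):
    """Try to import module_name and describe the outcome.

    On failure the dict carries the full traceback plus the interpreter and
    module search path actually in use, which is what typically differs
    between an interactive shell and the agent's execution environment.
    """
    result = {
        "module": module_name,
        "executable": sys.executable,
        "sys_path": list(sys.path),
        "ok": False,
        "error": None,
    }
    try:
        mod = importlib.import_module(module_name)
        result["ok"] = True
        result["file"] = getattr(mod, "__file__", None)
    except Exception:  # ImportError, but also failures inside the module at load time
        result["error"] = traceback.format_exc()
    return result


def parse_alert(line):
    """Decode the JSON line from stdin; keep the raw text if it is not valid JSON."""
    try:
        return {"parsed": json.loads(line), "raw": None}
    except ValueError:
        return {"parsed": None, "raw": line}


def write_report(path, alert, probe):
    """Append one timestamped JSON report so a silent failure still leaves evidence."""
    with open(path, "a") as fh:
        fh.write("\n%s rule_control.py diagnostic\n" % datetime.datetime.now())
        fh.write(json.dumps({"alert": alert, "import": probe}, indent=2) + "\n")


if __name__ == "__main__":
    line = SAMPLE_ALERT if sys.stdin.isatty() else sys.stdin.readline()
    write_report(sys.argv[1] if len(sys.argv) > 1 else LOG_PATH, parse_alert(line), probe_import("paramiko"))
```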