active-response issue after upgrade

[joh nte]

Hi,

i've recently upgraded my wazuh to version 4.4, however it seems like all the command of the active-response doesn't work anymore, more specifically, it seems like they doesn't take parameters.

For Example, this is my firewall-drop configuration in the ossec.conf:

  <command>
    <name>firewalld-drop</name>
    <executable>firewalld-drop.sh</executable>
    <!--deprecated <expect>srcip</expect> deprecated-->
    <timeout_allowed>yes</timeout_allowed>
  </command>  

  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>101000,101004</rules_id>
<!--    <timeout>30</timeout> -->
  </active-response>

Reviewing the log after a rule trigghered i see this:
input: tail -n100 /var/ossec/logs/active-responses.log

output: active-response/bin/firewall-drop.sh

So, as you can see, there is no parameters (in this case an IP) as it should be.

Like this one, other command doesn't seems to take parameters, for example, sendmail.sh works but in the message i recive there's text but no parameters:

#!/bin/bash

SUBJECT="Wazuh notification - ACTIVE RESPONSE fired for $6"
BODY="""Wazuh Notification.
The following information are related to ACTIVE RESPONSE rules that trigger a effective block for IP $3 on host $6!
$(TZ="Europe/Amsterdam" date "+%Y %h %d %H:%M:%S")

Received From Manager: ACTIVE RESPONSE fired for $6

Script Name: $0
SRC IP: $3
Rule ID: $5
Agent Name: $6
Log File: $7

 --END OF NOTIFICATION
"""
echo -e "$BODY" | mail -s "$SUBJECT" -r "wa...@mail.com" mye...@mail.com

and there's the email's message i recive:

Wazuh Notification.

The following information are related to ACTIVE RESPONSE rules that trigger a effective block for IP  on host !

2023 Jun 29 10:35:31

 Received From Manager: ACTIVE RESPONSE fired for

 Script Name: active-response/bin/sendmail.sh SRC IP:

Rule ID:

Agent Name:

Log File:

  --END OF NOTIFICATION

So, no parameters here as well.

Am i missing somethings?

Could someone help me solve the problem?

thank you in advance,

Joh

[Cedrick Foko]

Hello Joh,

Thank you for your interest to Wazuh,

I'll help you solving this problem.

Kindly share with me your custom rule and the alert log so I can replicate this in lab. 

Looking forward to your response,

[joh nte]

Hi Cedrick

Thank you very much for the responde.
Here's the custom rules related to firewall-drop:

  <rule id="101000" level="10">
    <if_group>win_authentication_failed|windows_security|web|accesslog|attack|attaks|syslog|authentication_failed|postfix|access_control|nginx|authentication_failures|recon|web_scan|appsec|attacks|adduser|sshd|apache|invalid_login|service_availability|sqlinjection</if_group>
    <list field="srcip" lookup="address_match_key">blacklists/global-blacklist</list>
    <description>ACTIVE RESPONSE enabled - Source IP in black list.</description>
  </rule>
 
  <rule id="101004" level="14">
    <if_sid>3357,3351,3301</if_sid>
    <hostname>hostname1</hostname>
    <description>ACTIVE RESPONSE enabled - SASL attacks - firewall-drop - no-timeout</description>
  </rule>

Now that you point it out, going to look at the logs.

tail active-responses.log
..
Wed Jun 28 14:09:02 CEST 2023 active-response/bin/restart.sh agent
Wed Jun 28 14:12:18 CEST 2023 active-response/bin/restart.sh agent
Wed Jun 28 14:14:25 CEST 2023 active-response/bin/restart.sh agent
Wed Jun 28 15:48:12 CEST 2023 active-response/bin/restart.sh agent
Wed Jun 28 16:14:34 CEST 2023 active-response/bin/restart.sh agent
Thu Jun 29 10:05:01 CEST 2023 active-response/bin/restart.sh agent
Thu Jun 29 10:50:00 CEST 2023 active-response/bin/restart.sh agent

I don't notice any events in the last few days although I'm sure there have been a lot.

[Cedrick Foko]

Hello Joh, 

The logs in active-response.log file show that the active-response is not working at all.

While reviewing your configuration, I can notice you made some mistakes in the <command> bloc:

• You specified the executable as firewalld-drop.sh instead of firewall-drop (the extension is not needed)
• The name of your command is firewalld-drop but in the <active-response> bloc, you are trying to use the firewall-drop command.

You should change the <command> bloc to this:

<command>
    <name>firewall-drop</name>

    <executable>firewall-drop</executable>

    <!--deprecated <expect>srcip</expect> deprecated-->
    <timeout_allowed>yes</timeout_allowed>
  </command>  

References: Blocking SSH brute-force attack with active response - Use cases (wazuh.com)

I hope this solves the issue. Please let me know if you find any other issue.

[joh nte]

Hi Cedrick,

yes your're right, i've pasted the wrong <command>, the right one is:

  <command>
    <name>firewalld-drop</name>
    <executable>firewall-drop.sh</executable>

    <!--deprecated <expect>srcip</expect> deprecated-->
    <timeout_allowed>yes</timeout_allowed>
  </command>  

So without the "D" and point to an executable named firewall-drop.sh that, in previous version, worked just fine.

However, i think the problem is the variables that should be passed.

Take for example the sendmail.sh

It "works", the command is trigghered, but variables such as srcip, hostname, rule.id etc. are not passed.

This is evidenced by the fact that the e-mail is sent but does not contain the variables.

I believe the same problem is related to firewall-drop.sh; the command is invoked but the IP that should go to block is not passed.

Probably if we could figure out why variables are not passed to bash scripts we would solve the problem.

Thank you very much for your response, very appreciated

[joh nte]

*
  <command>
    <name>firewall-drop</name>

    <executable>firewall-drop.sh</executable>

    <!--deprecated <expect>srcip</expect> deprecated-->
    <timeout_allowed>yes</timeout_allowed>
  </command>