Wazuh Active response not working

[Nepolean]

Dear all,

I was trying to configure a script to run when a rule is fired using active response. I will give the script and configurations down below.

ossec.conf of manager:

  <command>
    <name>add-one</name>
    <executable>custom-script.py</executable>
  </command>

  <active-response>
    <command>add-one</command>
    <location>server</location>
    <rules_id>100100</rules_id>
  </active-response>

script is inside /var/ossec/active-response/bin/ folder of manager.

script is a very simple one which will open a file and write '1' to it and close the file:

file1 = open("test_output.txt", "a")  # append mode
file1.write("1\n")
file1.close()

my rule 100100 is a custom rule with level 3. It is getting fired each time but my srcript is not running. Any idea what is happening?

[Openime Oniagbi]

Hi Nepolean,

Thank you for using Wazuh. I am going to work with you to find the issue.

You mentioned that you placed the active response script on the Wazuh server. If that is true, then it should not be. You need to place the script on the endpoint for which the rule is triggered.

Please see this documentation for how to configure custom active response.

Let me know if you need more clarification or if this resolves the issue.

[Nepolean]

Thanks Openime Oniagbi. But I need it to do the work on my server itself. Thats why I changed location tag from local to server.

[Openime Oniagbi]

Okay, that's noted.

Please show me the content of your /var/ossec/logs/active-responses.log file.

[Nepolean]

Mon Apr 17 06:02:23 UTC 2023 active-response/bin/restart.sh manager
Mon Apr 17 06:11:28 UTC 2023 active-response/bin/restart.sh manager
Mon Apr 17 06:19:21 UTC 2023 active-response/bin/restart.sh manager

[Openime Oniagbi]

That does not contain anything useful. I will run some simulations and get back to you.

[Openime Oniagbi]

Hi,

After working around your script and configuration I found a solution. Change the configuration in your ossec.conf to the following:

  <command>
    <name>add-one</name>
    <executable>custom-script.py</executable>

    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>

    <command>add-one</command>
    <location>server</location>
    <rules_id>100100</rules_id>

    <timeout>30</timeout>
  </active-response>

See this active response documentation for more information on why I have used this configuration.

Next, I also attached a script which I edited because the script you posted does not fulfill the requirements which as the AR documentation says here must include a few steps to be completed by your script if you want to customize active response:

1. Read through STDIN.
2. Parse the read JSON object.
3. Extract the necessary information for its execution.
4. Write STDOUT to send control message to execd.
5. Wait for the response via STDIN.
6. Check the command field.

But if it's stateless, then using 1, 2, and 3 is enough.

The script still achieves what you want (printing 1 to a file). You can find the output text file in the /var/ossec/ directory of your Wazuh server.

I hope this helps.

[Openime Oniagbi]

Please find attached the updated script. I removed the line that prints the log to the file.

[Nepolean]

Thanks Openime, I tried what you have said. It is still not working. We can run active response on the server itself.. right?

[Openime Oniagbi]

Hi,

The configuration is working without any issues on my server. Here is a log for when the active response is triggered:

2023/04/17 18:44:46 wazuh-execd[25140] execd.c:256 at ExecdRun(): DEBUG: Executing command 'active-response/bin/custom-script.py {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2023-04-17T18:44:46.423+0300","rule":{"level":3,"description":"sshd: authentication success.","id":"5715","mitre":{"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"],"technique":["Valid Accounts","Remote Services"]},"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_success"],"gdpr":["IV_32.2"],"gpg13":["7.1","7.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.5"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1681746286.1728705","full_log":"Apr 17 18:44:45 localhost sshd[30665]: Accepted password for root from 192.168.56.1 port 56773 ssh2","predecoder":{"program_name":"sshd","timestamp":"Apr 17 18:44:45","hostname":"localhost"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.1","srcport":"56773","dstuser":"root"},"location":"/var/log/secure"},"program":"active-response/bin/custom-script.py"}}'

To troubleshoot what the issue might be on your end, please add the line execd.debug=1 to your /var/ossec/etc/local_internal_options.conf file. Next, restart your Wazuh manager and simulate the event. Then, check your ossec.log file for any event that is similar to the above. If you see that event, then it means the script is being executed. Check the /var/ossec/ directory for the test_output.txt file which should contain 1 for every time the script runs. If you do not see the result, then the issue is with the script.

If you do not see this line at all, then change the rule ID to 5715 in your configuration, connect via SSH to the Wazuh server, and then repeat the process of looking for the log.

​

[Nepolean]

Openime. First of thanks a lot for taking your time and helping me. I debugged it. I got the below log:

2023/04/18 08:10:01 wazuh-execd[14717] execd.c:484 at ExecdStart(): DEBUG: Executing command 'active-response/bin/custom-script.py {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2023-04-18T08:10:01.600+0000","rule":{"level":7,"description":"Firewall1 suspicious traffic detected","id":"100100","firedtimes":2,"mail":false,"groups":["test"]},"agent":{"id":"001","name":"LAPTOP","ip":"192.168.18.125"},"manager":{"name":"wazuh-server"},"id":"id","full_log":"{\"date\":\"04/18/2023 13:39:58\",\"srcip\":\"192.168.1.007\",\"name\":\"FIREWALL1\",\"status\":\"suspicious\"}","decoder":{"name":"json"},"data":{"srcip":"192.168.1.007","status":"suspicious","date":"04/18/2023 13:39:58","name":"FIREWALL1"},"location":"\\test_log.log"},"program":"active-response/bin/custom-script.py"}}'

But I couldn't say the script is running. I couldn't find it's log in /var/ossec/logs/active-response.log. Log is getting written in /var/ossec/logs/active-response.log when I run the script manually.

[Openime Oniagbi]

Okay. Please show me screenshots of your configuration and the Python script as it is saved on your Wazuh server.

I want to confirm that it is not a syntax error.

[Nepolean]

[Openime Oniagbi]

Okay, it seems the line #!/usr/bin/env python is missing from the first line of your script. Can you add that line in line 1, restart the Wazuh manager and try again?

​

[Nepolean]

That line is there. Sorry it was lost when I croped the image

[Nepolean]

One more log is visible in ossec.log:

2023/04/18 08:10:01 wazuh-execd[14717] execd.c:499 at ExecdStart(): DEBUG: Active response won't be added to timeout list. Message not received with alert keys from script 'active-response/bin/custom-script.py'

[Openime Oniagbi]

Okay.

That log is expected and it is mostly informational. Please show me the content of your /var/ossec/ directory.

​

[Nepolean]

[Openime Oniagbi]

Okay. That shows that the script execution is not working.

Show me the output of the following command: ls -al /var/ossec/active-response/bin/custom-script.py

[Nepolean]

[Openime Oniagbi]

Okay. Your file seems to contain more characters than mine.

Mine: -rwxr-x---. 1 root wazuh 686 Apr 17 21:37 /var/ossec/active-response/bin/custom-script.py

While yours contain 719. I have attached a new file. Please add it to the directory and change the permissions as required. Then, restart your manager and test again.

​

[Nepolean]

I tried it that way, but it is still not working. When I checked the new file it was 709 though.

[Nepolean]

Is there any standard script from wazuh itself which is 100% sure will work with active response, available. If so we could have made sure that the issue is with the script. Here the active response message is coming, I think, which was shown in the ossec.log. But the script is not running. Then isn't there a possibility that script is not able to receive the json message(AR message)? 

[Openime Oniagbi]

Please confirm how you run the script manually. Using python or python3?

[Nepolean]

python3.  I also tried changing shebang like #!/usr/bin/python3

[Openime Oniagbi]

Okay. Please try changing the first line to #!/usr/bin/env python3. I have updated and attached the new file. Ensure to restart the Wazuh manager after making the change. This time it should work.

[Nepolean]

Still Not working.  I will do this from scratch once again. I will get back to you.

[Nepolean]

I tried according to the wazuh documentation custom AR. When I place the script in the agent(as .exe on windows) and configure accordingly AR is working properly. It is not running when I put script as .py file in the /active-response/bin/ folder on the wazuh server and with a configuration accordingly. I tried it in debug mode, ossec.log is showing AR json message and says that AR is executing my script. But the script is not running. Initially I thought it as a permission issue, but I have given permission according to wazuh documentation. chmod 750 and chown root:wazuh. My ossec.conf configuration is as shown.

<command>
    <name>linux-custom-ar</name>
    <executable>custom-ar.py</executable>

    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>

    <command>linux-custom-ar</command>
    <location>server</location>
    <rules_id>5715</rules_id>
    <timeout>60</timeout>
  </active-response>

[Openime Oniagbi]

What version of Wazuh do you have installed?

[Nepolean]

wazuh 4.3.10

[Openime Oniagbi]

Okay. Then, it should work. I have done all the troubleshooting I can do from my end. The only other option is if I take a look at it myself.

[Nepolean]

Script is running when manually run using the command 

python3 custom-ar.py

But its not running when active response is fired(Logs the AR json message in ossec.log when execd.debug=1 in  /var/ossec/etc/local_internal_options.conf  ). What will be the possibilities?

[Openime Oniagbi]

The script might be running into execution errors. This is most likely due to the first line. I don't have Python3 on my Wazuh server, for example, so I had to change the first line accordingly.

[Nepolean]

Hi Openime. I solved the problem. Thanks for your contribution. It was due to the dos file format my script was in. I created it in windows and moved it to linux. When I changed format into Unix active response worked. I think file format messed up the path of interpreter.

[Openime Oniagbi]

That's great to hear!