Active Response Configuration


Wauh Test

Oct 12, 2021, 1:59:20 AM
to Wazuh mailing list
Hi Team,

I am trying to configure active response for triggering script when rule level is 13.

This is the configuration file code (/var/ossec/etc/ossec.conf):

  <command>
   <name>create-ticket</name>
   <executable>/wazuh-jira-ticket-create.sh</executable>
   <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
   <command>create-ticket</command>
   <location>Server</location>
   <level>10</level>
   <timeout>600</timeout>
  </active-response>

But nothing is happening. I am not able to see any log in active-response.

Could you please assist what is wrong with the configuration?

Regards,
WazuhTest

Alexis Rivas

Oct 12, 2021, 8:36:37 AM
to Wazuh mailing list
Hi! Hope you're doing well.

Starting with your configuration, everything seems to be fine. The slash '/' in /wazuh-jira-ticket-create.sh is not required.

Before working with Active Response, there are few things to clarify:

- Responses are stateful or stateless and therefore we use different configuration for each of them. More info available here: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/how-it-works.html#when-is-an-active-response-triggered.
- Your custom scripts should be properly configured too, depending on AR's state (More info below)
- Make sure your script got execution permission and correct ownership.
- I highly recommend setting execd to debug mode so we can get more information about the AR script. To set it up, just edit internal_options.conf at /var/ossec/etc and change execd.debug=0 to execd.debug=2. After trying to trigger AR, take a look with grep execd /var/ossec/logs/ossec.log.

Script:
As the AR documentation says here: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/custom-active-response.html, your custom script should at least be able to:
1. Read through STDIN.
2. Parse the read JSON object.
3. Extract the necessary information for its execution.
4. Write STDOUT to send control message to execd.
5. Wait for the response via STDIN.
6. Check the command field.

These steps are required if AR is stateful; on the other hand, if it's stateless, steps 1, 2 and 3 are enough.
You'll need to decide which response model suits you best.

Useful information about states:
- Stateful: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/remediation-configuration.html#active-response-for-a-specified-period-of-time
- Stateless: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/remediation-configuration.html#active-response-that-will-not-be-undone

Hope this information helps.

Regards,
Alexis
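The six steps listed above, as an added example skeleton for a custom active-response script (not code from the thread or from the Wazuh project). It assumes the Wazuh 4.x message format: a version 1 JSON line on STDIN with a "command" of add/delete and the alert under parameters.alert, a "check_keys" control message for the stateful handshake, and an execd reply whose "command" is "continue" or "abort". The ticket-creating action itself is left as a comment.

```python
# Skeleton for a custom Wazuh active-response script (added example, not
# from the thread). Assumes the Wazuh 4.x message format: version 1, a
# "command" of add/delete, and the alert under parameters.alert.
import json
import sys


def parse_message(raw):
    """Steps 1-3: decode the execd message and extract the alert fields."""
    msg = json.loads(raw)
    if msg.get("version") != 1 or msg.get("command") not in ("add", "delete"):
        raise ValueError("unexpected active-response message")
    rule = msg["parameters"]["alert"]["rule"]
    return {
        "command": msg["command"],
        "rule_id": rule["id"],
        "level": int(rule["level"]),
        "description": rule["description"],
    }


def control_message(script_name, keys):
    """Step 4: the check_keys message a stateful script writes to STDOUT."""
    return json.dumps({
        "version": 1,
        "origin": {"name": script_name, "module": "active-response"},
        "command": "check_keys",
        "parameters": {"keys": keys},
    })


def may_continue(response_raw):
    """Steps 5-6: execd answers with command "continue" or "abort"."""
    return json.loads(response_raw).get("command") == "continue"


def main():
    info = parse_message(sys.stdin.readline())
    if info["command"] == "delete":
        return 0  # nothing to undo for a ticket-creating action
    # Stateful handshake; a stateless script would skip straight to the action.
    sys.stdout.write(control_message(sys.argv[0], [info["rule_id"]]) + "\n")
    sys.stdout.flush()
    if not may_continue(sys.stdin.readline()):
        return 0  # execd replied "abort"
    # Action goes here, e.g. create the ticket from info["description"].
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

With execd.debug=2 set as described above, the control message and execd's reply show up in ossec.log, which is the quickest way to confirm the handshake is working.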

Wauh Test

Oct 13, 2021, 12:15:56 AM
to Wazuh mailing list
Hi Alexis,

Please check the error.

Regards,
Ekta

[attachment: activeresperror.PNG]

Alexis Rivas

Oct 13, 2021, 8:30:31 AM
to Wazuh mailing list
Hi!
As the error says ('INFO: Active response command not present'), it seems like this script does not exist under the /var/ossec/active-response/bin directory.
And if it's already there, please check correct execution permission and ownership.

Regards,
Alexis