Using SCP in Active responses


Felix Kodzasov

Sep 22, 2023, 2:32:52 AM9/22/23
to Wazuh | Mailing List
Colleagues, good afternoon!
Could you please tell me if it is possible to use the scp utility in custom active responses (passing an argument to it)? The main idea is to pull any file from endpoints for IS analysts.

Md. Nazmur Sakib

Sep 22, 2023, 3:27:46 AM9/22/23
to Wazuh | Mailing List

Hi Felix Kodzasov,

Hope you are doing well. Thank you for using Wazuh.

I believe it is possible to use the scp utility in custom active responses. You can create custom active response scripts that execute when an alert of a specific rule ID, alert level, or rule group triggers. A trigger initiates the script using a defined command. An active response configuration determines when and where the command executes. You need to specify your scp command script inside the <executable> section of the <command> block:


<!-- For Unix systems -->
<command>
  <name>scp_command</name>
  <executable>custom_script</executable>
  <extra_args>arg1 arg2 arg3</extra_args>
  <timeout_allowed>yes</timeout_allowed>
</command>

Check this document to learn more:

https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/commands.html


Then you need to specify when the custom scp command should be executed:

<active-response>
  <disabled>no</disabled>
  <command>scp_command</command>
  <location>defined-agent</location>
  <agent_id>032</agent_id>
  <rules_id>99999</rules_id>
</active-response>


Check this document to learn more:

https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html

Please let me know if this helps or if you need any further information related to this.

Regards

Md. Nazmur Sakib
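The thread shows the <command> and <active-response> configuration but not the custom_script itself. Below is an added example of such a script (not part of the original posts and not a Wazuh-provided script) that turns the alert handed to it into an scp copy towards a collector host. It assumes the Wazuh 4.x execd protocol, in which the script receives one JSON line on stdin of the form {"command": "add", "parameters": {"extra_args": [...], "alert": {...}}}; that the triggering alert is a FIM (syscheck) alert whose file path is in alert["syscheck"]["path"]; that extra_args[0] carries the collector destination as user@host:/dir; and the key path, allowed directories and log path are constructed placeholders. The security points it adds over a bare scp call are an allowlist of directories the agent may hand out, rejection of symlinks and ".." traversal, a sanitized remote filename, and passing argv to subprocess without a shell so alert content is never interpreted as shell syntax.

```python
#!/usr/bin/env python3
"""Wazuh custom active response (added example): collect one file for analysts.

Assumptions (not confirmed by the thread): execd stdin layout as in Wazuh 4.x,
syscheck alert with alert["syscheck"]["path"], extra_args[0] = user@host:/dir.
ALLOWED_ROOTS, SSH_KEY and LOG_FILE are constructed placeholder values.
"""
import json
import os
import re
import subprocess
import sys

# Constructed policy: only files under these directories may ever be collected.
ALLOWED_ROOTS = ("/var/log", "/tmp/quarantine")
# Placeholder path of a dedicated collector key (assumption, not a Wazuh path).
SSH_KEY = "/var/ossec/etc/collector_key"
# Placeholder agent-side log for the collection audit trail (assumption).
LOG_FILE = "/var/ossec/logs/active-responses.log"

_UNSAFE_NAME_CHARS = re.compile(r"[^A-Za-z0-9._-]")
_DEST_SPEC = re.compile(r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+:/[A-Za-z0-9._/-]*")


def allowed_path(path, roots=ALLOWED_ROOTS):
    """Return the normalized path if it is absolute, strictly under an allowed
    root and not a symlink; otherwise None.  normpath() defeats '..' tricks and
    the symlink check stops a planted link that points outside the allowlist."""
    if not isinstance(path, str) or not os.path.isabs(path):
        return None
    norm = os.path.normpath(path)
    for root in roots:
        if os.path.commonpath([root, norm]) == root and norm != root:
            break
    else:
        return None
    if os.path.islink(norm):
        return None
    return norm


def build_scp_command(ar_msg, roots=ALLOWED_ROOTS, key=SSH_KEY):
    """Turn the execd message into an scp argv list, or None to refuse.
    The list is executed without a shell, so nothing from the alert can be
    parsed as shell syntax even if the file name contains ';' or spaces."""
    if ar_msg.get("command") != "add":
        return None  # "delete" (timeout) has nothing to undo for a copy
    params = ar_msg.get("parameters", {})
    extra = params.get("extra_args") or []
    if not extra or not _DEST_SPEC.fullmatch(extra[0]):
        return None  # destination must be a plain user@host:/dir
    alert = params.get("alert", {})
    src = allowed_path(alert.get("syscheck", {}).get("path"), roots)
    if src is None:
        return None
    agent_id = str(alert.get("agent", {}).get("id", "unknown"))
    # Prefix with the agent id so files from different endpoints never collide,
    # and strip anything the remote side might interpret in legacy scp mode.
    safe_name = _UNSAFE_NAME_CHARS.sub("_", os.path.basename(src))
    dest = f"{extra[0].rstrip('/')}/{agent_id}_{safe_name}"
    return [
        "scp", "-q",
        "-i", key,
        "-o", "BatchMode=yes",              # never prompt; fail instead
        "-o", "StrictHostKeyChecking=yes",  # collector host key must be pinned
        src, dest,
    ]


def main():
    msg = json.loads(sys.stdin.readline())
    argv = build_scp_command(msg)
    with open(LOG_FILE, "a") as log:
        if argv is None:
            log.write(f"collect_file: refused {json.dumps(msg)[:500]}\n")
            return 1
        rc = subprocess.run(argv, check=False).returncode
        log.write(f"collect_file: {argv[-2]} -> {argv[-1]} rc={rc}\n")
    return rc


if __name__ == "__main__":
    sys.exit(main())
```

Install it under the agent's active-response/bin directory as the <executable> named in the <command> block, and put the collector destination in <extra_args>. The key referenced by SSH_KEY should be a dedicated one whose authorized_keys entry on the collector is restricted to receiving files, so a compromised agent cannot use it for anything else.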
