Active response stop-ossec agent


Adiel Jesus Navarro Rosado
May 16, 2018, 7:10:55 PM
to wa...@googlegroups.com

I created a new command and a new active response called stop-ossec.

The script stop-ossec.sh is a copy of restart-ossec.sh; I only changed the command /bin/ossec-control restart to /bin/ossec-control stop.

I added the active response in ossec.conf.

The idea is that when rule id 140128 (check filesystem) fires, the OSSEC agent at the alerted location must be stopped.

But it doesn't work. The agent is still alive…


Adiel Jesus Navarro Rosado
May 16, 2018, 7:30:45 PM
to wa...@googlegroups.com

OSSEC Server: ossec-execd is running…

OSSEC Agent: ossec-execd is running too…


Adiel Jesus Navarro Rosado
May 16, 2018, 7:33:37 PM
to wa...@googlegroups.com

Do I have to configure the active response on the server, or when the agent is installed?

Chema Martinez
May 17, 2018, 7:40:48 AM
to Adiel Jesus Navarro Rosado, wa...@googlegroups.com
Hi Adiel,

Let me try to help you with this issue. It seems the configuration is correct; both sections of the configuration, "<command>" and "<active-response>", have to be set on the manager side.

Apart from that, could you ensure that your rule "140128" is working properly and triggering the corresponding alerts?

I also recommend you check that your custom script "stop-ossec.sh" is located in the path "/var/ossec/active-response/bin" on the agent that will run the script.

I hope it helps.

Best regards,
Chema.


Chema Martinez | IT Engineer — Wazuh, Inc.



--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c3c5ed638fb147178bb1cdcad4cc9016%40RLEXTL04.amx.net.

For more options, visit https://groups.google.com/d/optout.

Adiel Jesus Navarro Rosado
May 17, 2018, 10:33:12 AM
to Chema Martinez, wa...@googlegroups.com

It's correct, Chema:

The command and active response are set on the manager side.

Rule 140128 works fine.

The script is located in /active-response/bin on the agent.


Adiel Jesus Navarro Rosado
May 17, 2018, 11:04:56 AM
to Chema Martinez, wa...@googlegroups.com

The only diff I see is about the group.

stop-ossec.sh has the following:

[screenshot omitted]

The rest of the scripts have:

[screenshot omitted]


Chema Martinez
May 17, 2018, 12:02:16 PM
to Adiel Jesus Navarro Rosado, wa...@googlegroups.com
Have you tried changing the group of the script to "ossec"?

If it is still not working, check whether you get any error in the file "/var/ossec/logs/active-response.log" and also in "/var/ossec/logs/ossec.log" from the "execd" daemon.

You can try the following commands:

# cat /var/ossec/logs/ossec.log | grep "execd" | grep "ERROR" 

Chema Martinez | IT Engineer — Wazuh, Inc.




Adiel Jesus Navarro Rosado
May 17, 2018, 12:17:44 PM
to Chema Martinez, wa...@googlegroups.com

Yes. I changed it, but it is not working yet…

Checking the logs:

On the server:

On the agent: active-response.log doesn't exist.


Chema Martinez
May 18, 2018, 4:31:28 AM
to Adiel Jesus Navarro Rosado, wa...@googlegroups.com
Hi again, 

I have tried to reproduce the issue following your steps, without success: the active response runs correctly. Here you have my configuration:

On the manager side:

<command>
    <name>stop-ossec</name>
    <executable>stop-ossec.sh</executable>
    <expect></expect>
</command>

<active-response>
    <disabled>no</disabled>
    <command>stop-ossec</command>
    <location>local</location>
    <rules_group>ossec</rules_group>
    <rules_id>503</rules_id>
</active-response>

After restarting the manager and creating the "stop-ossec.sh" script on the agent side, when I restart the agent (triggering the alert with ID 503) the agent stops suddenly, and the following line appears in the "active-response.log" file:

localhost logs # cat active-responses.log
vie may 18 01:23:36 PDT 2018 /var/ossec/active-response/bin/stop-ossec.sh add - - 1526631816.17830 503

Could you tell me what version of Wazuh you are using? You can check that information in the file "/etc/ossec-init.conf".

Thank you.

Chema Martinez | IT Engineer — Wazuh, Inc.




Adiel Jesus Navarro Rosado
May 18, 2018, 11:03:12 AM
to Chema Martinez, wa...@googlegroups.com

Hi Chema,

I tested it directly on the manager and it works fine.

The node where I have installed the agent is a VM installed on a PC.

Do you think this affects it?


Adiel Jesus Navarro Rosado
May 18, 2018, 12:41:39 PM
to Chema Martinez, wa...@googlegroups.com

The VM is CentOS 6.7.

The agent is OSSEC 2.8.3.


Chema Martinez
May 21, 2018, 4:44:15 AM
to Adiel Jesus Navarro Rosado, wa...@googlegroups.com
Hi Adiel,

It doesn't matter that the agent is installed in a VM, but it is an important point that you are using OSSEC 2.8.3 in your agent.

I have reproduced your issue, and to make active response work in that version you have to add the <timeout_allowed> option in the "command" configuration, as follows:

<command>
    <name>stop-ossec</name>
    <executable>stop-ossec.sh</executable>
    <timeout_allowed>no</timeout_allowed>
    <expect></expect>
</command>

After adding that line in the ossec.conf of your manager, you should be able to run the active-response in the agent when the specified rule is triggered.

Please, let me know if it works for you.

Best regards,
Chema.

Chema Martinez | IT Engineer — Wazuh, Inc.
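The script this thread is about, written out as an added example (it is not the stop-ossec.sh attached later in the thread, nor OSSEC's own restart-ossec.sh). It follows the argument order visible in the active-responses.log line Chema posted on May 18 (script, action, user, source IP, alert id, rule id), stops the agent only on the "add" action, which is the only one execd sends once <timeout_allowed> is "no" as in the configuration above, and wraps the execd error grep suggested earlier in the thread as a function. The OSSEC_HOME override, the function names and the sample ossec.log lines are assumptions made for this example.

```shell
#!/bin/sh
# stop-ossec.sh: added example of an OSSEC/Wazuh active-response script that
# stops the local agent. Not OSSEC's restart-ossec.sh and not the script
# attached to the thread; written to illustrate the discussion.
#
# execd runs an active-response script with five positional arguments, in
# the order seen in the active-responses.log line quoted on the list:
#   <script> <action> <user> <srcip> <alert-id> <rule-id>
#   e.g. .../stop-ossec.sh add - - 1526631816.17830 503

# Assumption: OSSEC_HOME may be overridden so the functions can be exercised
# outside a real installation; the default is the usual install prefix.
OSSEC_HOME="${OSSEC_HOME:-/var/ossec}"
AR_LOG="${OSSEC_HOME}/logs/active-responses.log"

# Build the audit line written to active-responses.log: a timestamp, the
# script path, then the five execd arguments, space separated.
ar_log_line() {
    printf '%s %s %s %s %s %s %s\n' "$(date)" "$1" "$2" "$3" "$4" "$5" "$6"
}

# Decide whether this invocation should stop the agent.
# Only the "add" action stops it. "delete" is what execd sends when a
# timeout expires; with <timeout_allowed>no</timeout_allowed> it never
# arrives, but rejecting it explicitly keeps the script safe if that
# setting changes later. Returns 0 to stop, 1 to ignore.
ar_should_stop() {
    if [ "$1" = "add" ] && [ -n "$5" ]; then
        return 0
    fi
    return 1
}

# The check suggested in the thread, as a function: lines of ossec.log
# that come from execd and carry an ERROR. Reads the log on stdin.
execd_errors() {
    grep 'execd' | grep 'ERROR'
}

# Constructed sample in ossec.log's layout (made up for this example; the
# message texts are not real OSSEC error strings).
sample_ossec_log() {
    cat <<'EOF'
2018/05/17 12:00:01 ossec-execd: INFO: Started (pid: 1234).
2018/05/17 12:00:05 ossec-execd: ERROR: Unable to run 'stop-ossec.sh' (constructed sample).
2018/05/17 12:00:06 ossec-agentd: ERROR: Connection lost (constructed sample).
EOF
}

main() {
    if [ "$#" -lt 5 ]; then
        echo "usage: $0 <add|delete> <user> <srcip> <alert-id> <rule-id>" >&2
        return 2
    fi
    # Record the invocation first, so a failed stop still leaves a trace.
    ar_log_line "$0" "$@" >> "$AR_LOG"
    if ar_should_stop "$@"; then
        "${OSSEC_HOME}/bin/ossec-control" stop
    fi
}

# Dispatch only when execd passed arguments; running or sourcing the file
# with no arguments just defines the functions (assumed convenience).
[ "$#" -eq 0 ] || main "$@"
```

Installed as /var/ossec/active-response/bin/stop-ossec.sh with the ossec group and execute bit discussed earlier in the thread, the script behaves like the copy of restart-ossec.sh Adiel describes; the difference is that the decision to stop is isolated in ar_should_stop, so a "delete" call from execd, or an invocation with a missing rule id, is logged but never stops the agent.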




Adiel Jesus Navarro Rosado
May 21, 2018, 11:36:25 AM
to Chema Martinez, wa...@googlegroups.com

No, Chema.

The agent is still running…


Chema Martinez
Jun 21, 2018, 7:04:24 AM
to Adiel Jesus Navarro Rosado, wa...@googlegroups.com
Hi Adiel,

Sorry for the late response. Could you solve your issue?

I have tested it again using OSSEC v2.8.3 as the agent and it worked fine for me with the configuration we were talking about.

I attach my "stop-ossec.sh" script in case it is useful for you.

Best regards,
Chema. 

Chema Martinez | IT Engineer — Wazuh, Inc.


Attachment: stop-ossec.sh