Configuring custom active response
229 views
Skip to first unread message
Renat Ondar
Aug 28, 2024, 11:13:01 AM8/28/24
to Wazuh | Mailing List
Hello, team!
Im trying to configure active response. I have 1 master server and 2 worker servers. I have script in powershell that sends syslog from Windows endpoint to wazuh worker server while triggered. I found out that file with .ps1 extension dont work and in C:\Program Files (x86)\ossec-agent\active-response\bin\ directory must be only .cmd or .exe type files. I have created my script in .exe extension and put it to directory C:\Program Files (x86)\ossec-agent\active-response\bin\.
Server side:
So I have configured active response section in ossec.conf on my wazuh master server as is below:
<command>
<name>command</name>
<executable>SID.exe</executable>
</command>
<active-response>
<disabled>no</disabled>
<command>command</command>
<location>all</location>
<rules_id>60122</rules_id>
<timeout>60</timeout>
</active-response>
60122 rule is authentication failure event that must trigger my active response script.
Workstation side:
I put my script with .exe extension and put it to directory C:\Program Files (x86)\ossec-agent\active-response\bin\.
I have configured C:\Program Files (x86)\ossec-agent\ossec.conf as is below:
<!-- Active response -->
<active-response>
<disabled>no</disabled>
<command>
<name>command</name>
<executable>SID.exe</executable>
<location>all</location>
<timeout_allowed>60</timeout_allowed>
</command>
<ca_store>wpk_root.pem</ca_store>
<ca_verification>yes</ca_verification>
</active-response>
Nothing works. Rule 60122 doesnt trigger my active respinse script.
- I have restarted all services (agent, wazuh-manager).
- Checked files permissions. As I understood, active response scripts runs by system user. So system user have full permissions.
- Reviewed logs C:\Program Files (x86)\ossec-agent\active-response\active-response.log. There is nothing about my active response.
You can see screenshot in attachments.
Thank you in advance. I will be glad to hear feedback from you.
Im trying to configure active response. I have 1 master server and 2 worker servers. I have script in powershell that sends syslog from Windows endpoint to wazuh worker server while triggered. I found out that file with .ps1 extension dont work and in C:\Program Files (x86)\ossec-agent\active-response\bin\ directory must be only .cmd or .exe type files. I have created my script in .exe extension and put it to directory C:\Program Files (x86)\ossec-agent\active-response\bin\.
Server side:
So I have configured active response section in ossec.conf on my wazuh master server as is below:
<command>
<name>command</name>
<executable>SID.exe</executable>
</command>
<active-response>
<disabled>no</disabled>
<command>command</command>
<location>all</location>
<rules_id>60122</rules_id>
<timeout>60</timeout>
</active-response>
60122 rule is authentication failure event that must trigger my active response script.
Workstation side:
I put my script with .exe extension and put it to directory C:\Program Files (x86)\ossec-agent\active-response\bin\.
I have configured C:\Program Files (x86)\ossec-agent\ossec.conf as is below:
<!-- Active response -->
<active-response>
<disabled>no</disabled>
<command>
<name>command</name>
<executable>SID.exe</executable>
<location>all</location>
<timeout_allowed>60</timeout_allowed>
</command>
<ca_store>wpk_root.pem</ca_store>
<ca_verification>yes</ca_verification>
</active-response>
Nothing works. Rule 60122 doesnt trigger my active respinse script.
- I have restarted all services (agent, wazuh-manager).
- Checked files permissions. As I understood, active response scripts runs by system user. So system user have full permissions.
- Reviewed logs C:\Program Files (x86)\ossec-agent\active-response\active-response.log. There is nothing about my active response.
- Checked 60122 rule activation on my Windows Workstation.
- Checked logs /var/ossec/logs/ossec.log on my wazuh master server. There is nothing about active response. No any of errors.
I can see that in my Wazuh dashboard - Settings - Configuration - System threats and incident response - Active Response there is folder of my command and in field "Status of this active response" is value "disabled". I cant understand why this value is disabled event tho I have marked field <disabled>no</disabled> in my active-response section.
- Checked logs /var/ossec/logs/ossec.log on my wazuh master server. There is nothing about active response. No any of errors.
I can see that in my Wazuh dashboard - Settings - Configuration - System threats and incident response - Active Response there is folder of my command and in field "Status of this active response" is value "disabled". I cant understand why this value is disabled event tho I have marked field <disabled>no</disabled> in my active-response section.
You can see screenshot in attachments.
Thank you in advance. I will be glad to hear feedback from you.
Mauricio Ruben Santillan
Aug 29, 2024, 8:42:52 AM8/29/24
to Wazuh | Mailing List
Hello Renat,
Many things about what you reported here.
1. The rules that Wazuh includes for Windows events will only work if you send the events using a Wazuh Agent. Sending the events using another method (like syslog) will change their format, thus, Wazuh's default ruleset for Windows events will nto match any event. You need to either use the agent or create custom decoders and rules for your events.
2. Did you follow our documentation to create your custom script for Active Response? https://documentation.wazuh.com/current/user-manual/capabilities/active-response/custom-active-response-scripts.html (Starting in Wazuh 4.2.x Wazuh changed the way it send the alert data to the script)
3. Both the command module and the active-response module need to be added into the Wazuh manager's ossec.conf file. The agent does not need any module on its settings for AR.
4. The command section inside the active-response module should only contain the name of the command module you added for your script. Not the entire module again inside AR.
5. The log file C:\Program Files (x86)\ossec-agent\active-response\active-response.log will only show information from your script, if your script is configured to log events there. Otherwise, such log file will not show any activity from your custom AR. You should check both the agents and your manager's log files (
C:\Program Files (x86)\ossec-agent\active-response\ossec.log in the agent and /var/ossec/logs/ossec.log in your manager). If there was an issue executing your custom script, it should be shown on the agent's log file.
6. You have configured AR as follows:
<command>
<name>command</name>
<executable>SID.exe</executable>
</command>
<active-response>
<disabled>no</disabled>
<command>command</command>
<location>all</location>
<rules_id>60122</rules_id>
<timeout>60</timeout>
</active-response>
<name>command</name>
<executable>SID.exe</executable>
</command>
<active-response>
<disabled>no</disabled>
<command>command</command>
<location>all</location>
<rules_id>60122</rules_id>
<timeout>60</timeout>
</active-response>
<location>all</location>: Will make the manager to execute the script in ALL YOUR AGENTS. Thus, all your agents will need to have the script to run it.
I hope this helps!
Renat Ondar
Aug 30, 2024, 5:06:07 AM8/30/24
to Wazuh | Mailing List
Hello, thank you for your answer.
I have a suitable decoder for syslog events. I have already tested my script. The script sends syslog to the worker. This syslog event is then pushed to the indexer. This way you can see the event in the Wazuh Dashboard.
Yes, I followed the documentation. Editing the active-response section in the config on the agent is really unnecessary. Thanks.
I have a few questions:
1) the command module and the active-response module are placed in wazuh MASTER manager's ossec.conf file. Tell me, shouldn't the ossec.conf file be edited the same way on the Worker manager server? Because the script sends events to the Worker server.
2) Can you tell me why in Wazuh dashboard - Settings - Configuration - System threats and incident response - Active Response in field “Status of this active response” is value “disabled”? How to fix it?
3) Is it possible to start active response manually using agent_control utility on wazuh master manager?
I can't figure out how to apply the -f <ar> attribute. In picture below said "used with -b"
Does this mean that I should write command "/var/ossec/bin/agent_control -fb powershell_script0 -u 103" to start my script mannualy on agent?
That is my available active responses in picture below:
I have a suitable decoder for syslog events. I have already tested my script. The script sends syslog to the worker. This syslog event is then pushed to the indexer. This way you can see the event in the Wazuh Dashboard.
Yes, I followed the documentation. Editing the active-response section in the config on the agent is really unnecessary. Thanks.
I have a few questions:
1) the command module and the active-response module are placed in wazuh MASTER manager's ossec.conf file. Tell me, shouldn't the ossec.conf file be edited the same way on the Worker manager server? Because the script sends events to the Worker server.
2) Can you tell me why in Wazuh dashboard - Settings - Configuration - System threats and incident response - Active Response in field “Status of this active response” is value “disabled”? How to fix it?
3) Is it possible to start active response manually using agent_control utility on wazuh master manager?
I can't figure out how to apply the -f <ar> attribute. In picture below said "used with -b"
Does this mean that I should write command "/var/ossec/bin/agent_control -fb powershell_script0 -u 103" to start my script mannualy on agent?
That is my available active responses in picture below:
Thank you in advance. I will be glad to hear feedback from you.
четверг, 29 августа 2024 г. в 15:42:52 UTC+3, Mauricio Ruben Santillan:
Renat Ondar
Sep 5, 2024, 6:16:57 AM9/5/24
to Wazuh | Mailing List
Hello team!
Im still facing same issues. Could you kinldy reply me to my previous questions?
Thank you in advance. I will be glad to hear feedback from you.
Im still facing same issues. Could you kinldy reply me to my previous questions?
Thank you in advance. I will be glad to hear feedback from you.
пятница, 30 августа 2024 г. в 12:06:07 UTC+3, Renat Ondar:
Mauricio Ruben Santillan
Sep 6, 2024, 3:28:37 PM9/6/24
to Wazuh | Mailing List
Hello Renat,
Answering your questions in your previous message:
1) the command module and the active-response module are placed in wazuh MASTER manager's ossec.conf file. Tell me, shouldn't the ossec.conf file be edited the same way on the Worker manager server? Because the script sends events to the Worker server.
Yes. All nodes should contain both, the command and the active-response modules. Otherwise only the agents connected to the nodes that do have them will get the AR execution.
2) Can you tell me why in Wazuh dashboard - Settings - Configuration - System threats and incident response - Active Response in field “Status of this active response” is value “disabled”? How to fix it?
Most likely due a wrong configuration. Can you share how you finally configured both modules?
3) Is it possible to start active response manually using agent_control utility on wazuh master manager?
I can't figure out how to apply the -f <ar> attribute. In picture below said "used with -b"
I can't figure out how to apply the -f <ar> attribute. In picture below said "used with -b"
The "agent_control" binary is run on the manager. It needs AR to be properly configured in your manager and the script to be already placed in your agent. Also, you need to run an executable file. Not a Powershell script.
Take into account that for AR to work, you custom script needs to fulfill all the requirements documented here: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/custom-active-response-scripts.html
Renat Ondar
Sep 13, 2024, 7:02:49 AM9/13/24
to Wazuh | Mailing List
Hello. Thank you for your answer.
I have partly succeded in configuring active response for now. Here is my AR section below:
<command>
<name>powershell_script</name>
<executable>SID.exe</executable>
<timeout_allowed>no</timeout_allowed>
</command>
<active-response>
<disabled>no</disabled>
<command>powershell_script</command>
<location>local</location>
<rules_id>60137,60106,</rules_id>
</active-response>
I did three things, that worked for me.
1) configured on worker server ossec.conf file same like on master server;
2) On wazuh agent on my windows endpoint I have deleted two CA lines in active response module in config file ossec.conf
<active-response>
I have partly succeded in configuring active response for now. Here is my AR section below:
<command>
<name>powershell_script</name>
<executable>SID.exe</executable>
<timeout_allowed>no</timeout_allowed>
</command>
<active-response>
<disabled>no</disabled>
<location>local</location>
<rules_id>60137,60106,</rules_id>
</active-response>
I did three things, that worked for me.
1) configured on worker server ossec.conf file same like on master server;
2) On wazuh agent on my windows endpoint I have deleted two CA lines in active response module in config file ossec.conf
<active-response>
<disabled>no</disabled>
<ca_store>wpk_root.pem</ca_store>
<ca_verification>yes</ca verification>
</active-response>
3) Configured agent.conf file of Windows group as below:
<localfile>
<log_format>full_command</log_format>
<command>"C:\Program Files (x86)\ossec-agent\active-response\bin\SID.exe"</command>
</localfile>
After that, my AR worked, but it worked only once. I cant trigger AR again by triggering this wazuh rules 60137,60106. I cant understand why. Is there any timing restrictions?
3) Configured agent.conf file of Windows group as below:
<localfile>
<log_format>full_command</log_format>
<command>"C:\Program Files (x86)\ossec-agent\active-response\bin\SID.exe"</command>
</localfile>
After that, my AR worked, but it worked only once. I cant trigger AR again by triggering this wazuh rules 60137,60106. I cant understand why. Is there any timing restrictions?
Thank you in advance. I will be glad to hear feedback from you.
пятница, 6 сентября 2024 г. в 22:28:37 UTC+3, Mauricio Ruben Santillan:
Message has been deleted
Renat Ondar
Sep 16, 2024, 7:21:39 AM9/16/24
to Wazuh | Mailing List
Hello team!
Im still facing same issues. Could you kinldy tell me what do I have to configure?
Thank you in advance. I will be glad to hear feedback from you.
Im still facing same issues. Could you kinldy tell me what do I have to configure?
Thank you in advance. I will be glad to hear feedback from you.
пятница, 13 сентября 2024 г. в 14:02:49 UTC+3, Renat Ondar:
Renat Ondar
Sep 23, 2024, 8:24:29 AM9/23/24
to Wazuh | Mailing List
Hello team!
Im still facing same issues. Could you kinldy tell me what do I have to configure?
Thank you in advance. I will be glad to hear feedback from you.
Im still facing same issues. Could you kinldy tell me what do I have to configure?
Thank you in advance. I will be glad to hear feedback from you.
понедельник, 16 сентября 2024 г. в 14:21:39 UTC+3, Renat Ondar:
Renat Ondar
Sep 23, 2024, 8:37:12 AM9/23/24
to Wazuh | Mailing List
My wazuh version is 4.8
понедельник, 23 сентября 2024 г. в 15:24:29 UTC+3, Renat Ondar:
Reply all
Reply to author
Forward
0 new messages