Unable to parse json from active response script
156 views
Skip to first unread message
BD
Oct 1, 2023, 7:58:43 AM10/1/23
to Wazuh | Mailing List
Hello,
When an active response is fired , the command is sent to the target wazuh agent with the json alert in stdin. when I parse it with jq in bash, it can't interpret it because the json contains a complete json as object for "previous_output":
"previous_output":"{"reqId":"vzG1uznSRYwQ9R","....",".....
it read the { as value, so this output :
parse error: Invalid numeric literal at line 1, column 530
How do you deal with this please?
Thanks
Regards
When an active response is fired , the command is sent to the target wazuh agent with the json alert in stdin. when I parse it with jq in bash, it can't interpret it because the json contains a complete json as object for "previous_output":
"previous_output":"{"reqId":"vzG1uznSRYwQ9R","....",".....
it read the { as value, so this output :
parse error: Invalid numeric literal at line 1, column 530
How do you deal with this please?
Thanks
Regards
elw...@wazuh.com
Oct 2, 2023, 7:24:24 AM10/2/23
to Wazuh | Mailing List
Hello Bryan,
Can you please share the full JSON alert and the AR script you use for parsing? To be able to test it on my end.
Regards,
Wali
Can you please share the full JSON alert and the AR script you use for parsing? To be able to test it on my end.
Regards,
Wali
BD
Oct 2, 2023, 12:16:47 PM10/2/23
to Wazuh | Mailing List
Hello Wali,
you can try to echo the json piped in jq .you will get an error because the json is included in parent json for "previous-output"previous output contains the 2 last fired rule alert because mine is triggered only when the other is fired 3 timesThis would mean that we cannot parse any json file from an alert that would be triggered by a log line already in json format? I can't believe the developers forgot this detail, I must have missed something...
thanks regards
of course, here is the json send with the active response i cant parse:
{"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2023-10-02T15:54:58.461+0000","rule":{"level":5,"description":"sshd: authentication failed","id":"119999","frequency":3,"firedtimes":1,"mail":false,"groups":["local","syslog","sshd","authentication_failed"],"pci_dss":["10.2.4","10.2.5"]},"agent":{"id":"005","name":"server","ip":"111.111.111.111"},"manager":{"name":"suricate"},"id":"1696262098.4657309","previous_output":"{"reqId":"Y7pWv2x5b1vQzqWow1Qu","level":2,"time":"2023-10-02T17:54:54+02:00","remoteAddr":"222.222.222.222","user":"--","app":"core","method":"POST","url":"/index.php/login?user=root","message":"Login failed: 'root' (Remote IP: '222.222.222.222')"}n{"reqId":"j2zF5LRCxQgALLkT6w58","level":2,"time":"2023-10-02T17:54:51+02:00","remoteAddr":"222.222.222.222","user":"--","app":"core","method":"POST","url":"/index.php/login?user=root","message":"Login failed: 'root' (Remote IP: '222.222.222.222')"}","full_log":"{"reqId":"M1xhbTkx2gH5iwxvD1lg","level":2,"time":"2023-10-02T17:54:57+02:00","remoteAddr":"222.222.222.222","user":"--","app":"core","method":"POST","url":"/index.php/login?user=root","message":"Login failed: 'root' (Remote IP: '222.222.222.222')"}","decoder":{"name":"json"},"data":{"url":"/index.php/login?user=root","reqId":"M1xhbTkx2gH5iwxvD1lg","level":"2","time":"2023-10-02T17:54:57+02:00","remoteAddr":"222.222.222.222","user":"--","app":"core","method":"POST","message":"Login failed: 'root' (Remote IP: '222.222.222.222')"},"location":"/var/www/server/stockage/server.log"},"program":"active-response/bin/test.sh"}}
to parse I use the exemple bash script of the official doc here: https://documentation.wazuh.com/current/proof-of-concept-guide/detect-remove-malware-virustotal.html
here is the beginning to parse message and command:
you can try to echo the json piped in jq .you will get an error because the json is included in parent json for "previous-output"previous output contains the 2 last fired rule alert because mine is triggered only when the other is fired 3 timesThis would mean that we cannot parse any json file from an alert that would be triggered by a log line already in json format? I can't believe the developers forgot this detail, I must have missed something...
thanks regards
BD
Oct 6, 2023, 3:45:57 PM10/6/23
to Wazuh | Mailing List
Good morning,
Nobody uses an active response triggered by several occurrences of a native rule from a log file already in JSON format?
I would like to know if this is a case that was not thought of during development or if the problem is me?
Chatgpt is unable to give me a script to process the malformed JSON of the active response...
Thanks
Regards
--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c9550475-46cb-4bf4-bcd3-b43a9ac48ad4n%40googlegroups.com.
elw...@wazuh.com
Oct 9, 2023, 7:35:59 AM10/9/23
to Wazuh | Mailing List
Hello Bryan,
Apologies for the late response. I have just made a simple test of reading the STDIN and logging the output from an alert that has the `previous-output` and the JSON is valid. Sharing details below:
1 - Defined a script in my Wazuh manager:
2 - Active response configuration:
3 - The output result:
Cat /var/ossec/testalert.log
{"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2023-10-09T11:25:42.293+0000","rule":{"level":7,"description":"Listened ports status (netstat) changed (new port opened or closed).","id":"533","firedtimes":1,"mail":true,"groups":["ossec"],"pci_dss":["10.2.7","10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1696850742.53599","cluster":{"name":"wazuh","node":"node01"},"previous_output":"Previous output:nossec: output: 'netstat listening ports':ntcp 0.0.0.0:22 0.0.0.0:* 761/sshdntcp6 :::22 :::* 761/sshdntcp 127.0.0.1:25 0.0.0.0:* 1061/masterntcp6 ::1:25 :::* 1061/masternudp 0.0.0.0:68 0.0.0.0:* 1938/dhclientntcp 0.0.0.0:111 0.0.0.0:* 391/rpcbindntcp6 :::111 :::* 391/rpcbindnudp 0.0.0.0:111 0.0.0.0:* 391/rpcbindnudp6 :::111 :::* 391/rpcbindnudp 127.0.0.1:323 0.0.0.0:* 397/chronydnudp6 ::1:323 :::* 397/chronydntcp 0.0.0.0:443 0.0.0.0:* 401/nodenudp 0.0.0.0:982 0.0.0.0:* 391/rpcbindnudp6 :::982 :::* 391/rpcbindntcp 0.0.0.0:1514 0.0.0.0:* 2639/wazuh-remotedntcp 0.0.0.0:1515 0.0.0.0:* 2217/wazuh-authdntcp 0.0.0.0:1516 0.0.0.0:* 2972/python3nudp 0.0.0.0:5353 0.0.0.0:* 383/avahi-daemonntcp6 127.0.0.1:9200 :::* 760/javantcp6 127.0.0.1:9300 :::* 760/javanudp 0.0.0.0:46566 0.0.0.0:* 383/avahi-daemonntcp 0.0.0.0:55000 0.0.0.0:* 2100/python3","full_log":"ossec: output: 'netstat listening ports':ntcp 0.0.0.0:22 0.0.0.0:* 761/sshdntcp6 :::22 :::* 761/sshdntcp 127.0.0.1:25 0.0.0.0:* 1061/masterntcp6 ::1:25 :::* 1061/masternudp 0.0.0.0:68 0.0.0.0:* 1938/dhclientntcp 0.0.0.0:111 0.0.0.0:* 391/rpcbindntcp6 :::111 :::* 391/rpcbindnudp 0.0.0.0:111 0.0.0.0:* 391/rpcbindnudp6 :::111 :::* 391/rpcbindnudp 127.0.0.1:323 0.0.0.0:* 397/chronydnudp6 ::1:323 :::* 397/chronydntcp 0.0.0.0:443 0.0.0.0:* 401/nodenudp 0.0.0.0:982 0.0.0.0:* 391/rpcbindnudp6 :::982 :::* 391/rpcbindntcp 0.0.0.0:1514 0.0.0.0:* 21369/wazuh-remotedntcp 0.0.0.0:1515 0.0.0.0:* 21273/wazuh-authdntcp 0.0.0.0:1516 0.0.0.0:* 21573/python3nudp 0.0.0.0:5353 0.0.0.0:* 383/avahi-daemonntcp6 127.0.0.1:9200 :::* 760/javantcp6 127.0.0.1:9300 :::* 760/javanudp 0.0.0.0:46566 0.0.0.0:* 383/avahi-daemonntcp 0.0.0.0:55000 0.0.0.0:* 21230/python3","decoder":{"name":"ossec"},"previous_log":"ossec: output: 'netstat listening ports':ntcp 0.0.0.0:22 0.0.0.0:* 761/sshdntcp6 :::22 :::* 761/sshdntcp 127.0.0.1:25 0.0.0.0:* 1061/masterntcp6 ::1:25 :::* 1061/masternudp 0.0.0.0:68 0.0.0.0:* 1938/dhclientntcp 0.0.0.0:111 0.0.0.0:* 391/rpcbindntcp6 :::111 :::* 391/rpcbindnudp 0.0.0.0:111 0.0.0.0:* 391/rpcbindnudp6 :::111 :::* 391/rpcbindnudp 127.0.0.1:323 0.0.0.0:* 397/chronydnudp6 ::1:323 :::* 397/chronydntcp 0.0.0.0:443 0.0.0.0:* 401/nodenudp 0.0.0.0:982 0.0.0.0:* 391/rpcbindnudp6 :::982 :::* 391/rpcbindntcp 0.0.0.0:1514 0.0.0.0:* 2639/wazuh-remotedntcp 0.0.0.0:1515 0.0.0.0:* 2217/wazuh-authdntcp 0.0.0.0:1516 0.0.0.0:* 2972/python3nudp 0.0.0.0:5353 0.0.0.0:* 383/avahi-daemonntcp6 127.0.0.1:9200 :::* 760/javantcp6 127.0.0.1:9300 :::* 760/javanudp 0.0.0.0:46566 0.0.0.0:* 383/avahi-daemonntcp 0.0.0.0:55000 0.0.0.0:* 2100/python3","location":"netstat listening ports"},"program":"active-response/bin/bashARPOC"}}
.png?part=0.1&view=1)
Note that I am using the latest version of Wazuh in my test.
I hope it helps.
Regards,
Wali
BD
Oct 14, 2023, 4:28:30 PM10/14/23
to elw...@wazuh.com, Wazuh | Mailing List
Good evening Wali,
Thank you for your return. Is the log sent by the agent to the wazuh manager and which triggers the alert in JSON format in your test?
Mine is a log in JSON format, that's why my previous_output is a JSON
Le lun. 9 oct. 2023, 22:12, BD <bryan.d...@gmail.com> a écrit :
Good evening Wali,Thank you for your return. Is the log sent by the agent to the wazuh manager and which triggers the alert in JSON format in your test?Mine is a log in JSON format, that's why my previous_output is a JSON
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/PdB7DtHlctI/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/28d0c9ae-7c9c-4f68-9ee5-7ed08a78f6d9n%40googlegroups.com.
elw...@wazuh.com
Oct 16, 2023, 8:24:48 AM10/16/23
to Wazuh | Mailing List
Hello Bryan,
Yes, it is in a JSON format as you can see after I run Cat /var/ossec/testalert.log it shows the alert in JSON (Also previous_output is json) and it is a valid one.
Regards,
Wali
Yes, it is in a JSON format as you can see after I run Cat /var/ossec/testalert.log it shows the alert in JSON (Also previous_output is json) and it is a valid one.
Regards,
Wali
BD
Oct 16, 2023, 3:39:59 PM10/16/23
to elw...@wazuh.com, Wazuh | Mailing List
Hello,
Your testalert.log is the active response from wazuh-manager, I was talking about the initial application log sent by the remote agent in JSON.
For exemple i have a web server with a webapp and a wazuh-agent reading the webapp.log in JSON:
webapp.log:
{"reqId":"M1xhbTkx2gH5iwxvD1lg","level":2,"time":"2023-10-02T17:54:57+02:00","remoteAddr":"222.222.222.222","user":"--","app":"core","method":"POST","url":"/index.php/login?user=root","message":"Login failed: 'root' (Remote IP: '222.222.222.222')"}
then this log line trigger an alert in wazuh-manager so during active response, i have a full json in the "previous_output" key with the { } and the " (the full above line from webapp.log)
regards
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/60fd5f85-bf48-4e2f-98f8-01e65ee00087n%40googlegroups.com.
elw...@wazuh.com
Oct 18, 2023, 8:25:07 AM10/18/23
to Wazuh | Mailing List
Hello Bryan,
Thanks for bringing that up and indeed when the source is JSON and there is previous output it breaks the format; For this can you please report it here https://github.com/wazuh/wazuh/issues and share all the details.
As a workaround, I suggest parsing the full event and then escaping the double quotes withn the `previous_output` and `full_log` to make it a valid JSON then use it:
.png?part=0.1&view=1)
I hope this helps.
Regards,
Wali
Reply all
Reply to author
Forward
0 new messages