Unable to parse json from active response script

138 views
Skip to first unread message

BD

unread,
Oct 1, 2023, 7:58:43 AM10/1/23
to Wazuh | Mailing List
Hello,

When an active response is fired , the command is sent to the target wazuh agent with the json alert in stdin. when I parse it with jq in bash, it can't interpret it because the json contains a complete json as object for "previous_output":

"previous_output":"{"reqId":"vzG1uznSRYwQ9R","....",".....

it read the { as value, so this output :
parse error: Invalid numeric literal at line 1, column 530

How do you deal with this please?

Thanks
Regards


elw...@wazuh.com

unread,
Oct 2, 2023, 7:24:24 AM10/2/23
to Wazuh | Mailing List
Hello Bryan,

Can you please share the full JSON alert and the AR script you use for parsing? To be able to test it on my end.

Regards,
Wali

BD

unread,
Oct 2, 2023, 12:16:47 PM10/2/23
to Wazuh | Mailing List
Hello Wali,

of course, here is the json send with the active response i cant parse:

{"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2023-10-02T15:54:58.461+0000","rule":{"level":5,"description":"sshd: authentication failed","id":"119999","frequency":3,"firedtimes":1,"mail":false,"groups":["local","syslog","sshd","authentication_failed"],"pci_dss":["10.2.4","10.2.5"]},"agent":{"id":"005","name":"server","ip":"111.111.111.111"},"manager":{"name":"suricate"},"id":"1696262098.4657309","previous_output":"{"reqId":"Y7pWv2x5b1vQzqWow1Qu","level":2,"time":"2023-10-02T17:54:54+02:00","remoteAddr":"222.222.222.222","user":"--","app":"core","method":"POST","url":"/index.php/login?user=root","message":"Login failed: 'root' (Remote IP: '222.222.222.222')"}n{"reqId":"j2zF5LRCxQgALLkT6w58","level":2,"time":"2023-10-02T17:54:51+02:00","remoteAddr":"222.222.222.222","user":"--","app":"core","method":"POST","url":"/index.php/login?user=root","message":"Login failed: 'root' (Remote IP: '222.222.222.222')"}","full_log":"{"reqId":"M1xhbTkx2gH5iwxvD1lg","level":2,"time":"2023-10-02T17:54:57+02:00","remoteAddr":"222.222.222.222","user":"--","app":"core","method":"POST","url":"/index.php/login?user=root","message":"Login failed: 'root' (Remote IP: '222.222.222.222')"}","decoder":{"name":"json"},"data":{"url":"/index.php/login?user=root","reqId":"M1xhbTkx2gH5iwxvD1lg","level":"2","time":"2023-10-02T17:54:57+02:00","remoteAddr":"222.222.222.222","user":"--","app":"core","method":"POST","message":"Login failed: 'root' (Remote IP: '222.222.222.222')"},"location":"/var/www/server/stockage/server.log"},"program":"active-response/bin/test.sh"}}


here is the beginning to parse message and command:
2023-10-02 18_09_25-Window.png
you can try to echo the json piped in jq .you will get an error because the json is included in parent json for "previous-output"previous output contains the 2 last fired rule alert because mine is triggered only when the other is fired 3 timesThis would mean that we cannot parse any json file from an alert that would be triggered by a log line already in json format? I can't believe the developers forgot this detail, I must have missed something...
thanks regards

BD

unread,
Oct 6, 2023, 3:45:57 PM10/6/23
to Wazuh | Mailing List
Good morning,

Nobody uses an active response triggered by several occurrences of a native rule from a log file already in JSON format?

I would like to know if this is a case that was not thought of during development or if the problem is me?

Chatgpt is unable to give me a script to process the malformed JSON of the active response...

Thanks
Regards 

--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c9550475-46cb-4bf4-bcd3-b43a9ac48ad4n%40googlegroups.com.

elw...@wazuh.com

unread,
Oct 9, 2023, 7:35:59 AM10/9/23
to Wazuh | Mailing List

Hello Bryan,

Apologies for the late response. I have just made a simple test of reading the STDIN and logging the output from an alert that has the `previous-output` and the JSON is valid. Sharing details below:

1 - Defined a script in my Wazuh manager:

#!/bin/sh read alert; echo $alert >> testalert.log;

2 - Active response configuration:
<command> <name>simpleARPOC</name> <executable>simpleARPOC</executable> </command> <active-response> <command>simpleARPOC</command> <location>server</location> <rules_id>533</rules_id> </active-response>


3 - The output result:

Cat /var/ossec/testalert.log

{"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2023-10-09T11:25:42.293+0000","rule":{"level":7,"description":"Listened ports status (netstat) changed (new port opened or closed).","id":"533","firedtimes":1,"mail":true,"groups":["ossec"],"pci_dss":["10.2.7","10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1696850742.53599","cluster":{"name":"wazuh","node":"node01"},"previous_output":"Previous output:nossec: output: 'netstat listening ports':ntcp 0.0.0.0:22 0.0.0.0:* 761/sshdntcp6 :::22 :::* 761/sshdntcp 127.0.0.1:25 0.0.0.0:* 1061/masterntcp6 ::1:25 :::* 1061/masternudp 0.0.0.0:68 0.0.0.0:* 1938/dhclientntcp 0.0.0.0:111 0.0.0.0:* 391/rpcbindntcp6 :::111 :::* 391/rpcbindnudp 0.0.0.0:111 0.0.0.0:* 391/rpcbindnudp6 :::111 :::* 391/rpcbindnudp 127.0.0.1:323 0.0.0.0:* 397/chronydnudp6 ::1:323 :::* 397/chronydntcp 0.0.0.0:443 0.0.0.0:* 401/nodenudp 0.0.0.0:982 0.0.0.0:* 391/rpcbindnudp6 :::982 :::* 391/rpcbindntcp 0.0.0.0:1514 0.0.0.0:* 2639/wazuh-remotedntcp 0.0.0.0:1515 0.0.0.0:* 2217/wazuh-authdntcp 0.0.0.0:1516 0.0.0.0:* 2972/python3nudp 0.0.0.0:5353 0.0.0.0:* 383/avahi-daemonntcp6 127.0.0.1:9200 :::* 760/javantcp6 127.0.0.1:9300 :::* 760/javanudp 0.0.0.0:46566 0.0.0.0:* 383/avahi-daemonntcp 0.0.0.0:55000 0.0.0.0:* 2100/python3","full_log":"ossec: output: 'netstat listening ports':ntcp 0.0.0.0:22 0.0.0.0:* 761/sshdntcp6 :::22 :::* 761/sshdntcp 127.0.0.1:25 0.0.0.0:* 1061/masterntcp6 ::1:25 :::* 1061/masternudp 0.0.0.0:68 0.0.0.0:* 1938/dhclientntcp 0.0.0.0:111 0.0.0.0:* 391/rpcbindntcp6 :::111 :::* 391/rpcbindnudp 0.0.0.0:111 0.0.0.0:* 391/rpcbindnudp6 :::111 :::* 391/rpcbindnudp 127.0.0.1:323 0.0.0.0:* 397/chronydnudp6 ::1:323 :::* 397/chronydntcp 0.0.0.0:443 0.0.0.0:* 401/nodenudp 0.0.0.0:982 0.0.0.0:* 391/rpcbindnudp6 :::982 :::* 391/rpcbindntcp 0.0.0.0:1514 0.0.0.0:* 21369/wazuh-remotedntcp 0.0.0.0:1515 0.0.0.0:* 21273/wazuh-authdntcp 0.0.0.0:1516 0.0.0.0:* 21573/python3nudp 0.0.0.0:5353 0.0.0.0:* 383/avahi-daemonntcp6 127.0.0.1:9200 :::* 760/javantcp6 127.0.0.1:9300 :::* 760/javanudp 0.0.0.0:46566 0.0.0.0:* 383/avahi-daemonntcp 0.0.0.0:55000 0.0.0.0:* 21230/python3","decoder":{"name":"ossec"},"previous_log":"ossec: output: 'netstat listening ports':ntcp 0.0.0.0:22 0.0.0.0:* 761/sshdntcp6 :::22 :::* 761/sshdntcp 127.0.0.1:25 0.0.0.0:* 1061/masterntcp6 ::1:25 :::* 1061/masternudp 0.0.0.0:68 0.0.0.0:* 1938/dhclientntcp 0.0.0.0:111 0.0.0.0:* 391/rpcbindntcp6 :::111 :::* 391/rpcbindnudp 0.0.0.0:111 0.0.0.0:* 391/rpcbindnudp6 :::111 :::* 391/rpcbindnudp 127.0.0.1:323 0.0.0.0:* 397/chronydnudp6 ::1:323 :::* 397/chronydntcp 0.0.0.0:443 0.0.0.0:* 401/nodenudp 0.0.0.0:982 0.0.0.0:* 391/rpcbindnudp6 :::982 :::* 391/rpcbindntcp 0.0.0.0:1514 0.0.0.0:* 2639/wazuh-remotedntcp 0.0.0.0:1515 0.0.0.0:* 2217/wazuh-authdntcp 0.0.0.0:1516 0.0.0.0:* 2972/python3nudp 0.0.0.0:5353 0.0.0.0:* 383/avahi-daemonntcp6 127.0.0.1:9200 :::* 760/javantcp6 127.0.0.1:9300 :::* 760/javanudp 0.0.0.0:46566 0.0.0.0:* 383/avahi-daemonntcp 0.0.0.0:55000 0.0.0.0:* 2100/python3","location":"netstat listening ports"},"program":"active-response/bin/bashARPOC"}}


image (166).png

Note that I am using the latest version of Wazuh in my test.

I hope it helps.

Regards,
Wali

BD

unread,
Oct 14, 2023, 4:28:30 PM10/14/23
to elw...@wazuh.com, Wazuh | Mailing List
Good evening Wali,
Thank you for your return. Is the log sent by the agent to the wazuh manager and which triggers the alert in JSON format in your test?
Mine is a log in JSON format, that's why my previous_output is a JSON

Le lun. 9 oct. 2023, 22:12, BD <bryan.d...@gmail.com> a écrit :
Good evening Wali,
Thank you for your return. Is the log sent by the agent to the wazuh manager and which triggers the alert in JSON format in your test?
Mine is a log in JSON format, that's why my previous_output is a JSON

You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/PdB7DtHlctI/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/28d0c9ae-7c9c-4f68-9ee5-7ed08a78f6d9n%40googlegroups.com.

elw...@wazuh.com

unread,
Oct 16, 2023, 8:24:48 AM10/16/23
to Wazuh | Mailing List
Hello Bryan,

Yes, it is in a JSON format as you can see after I run Cat /var/ossec/testalert.log   it shows the alert in JSON (Also previous_output is json) and it is a valid one.

Regards,
Wali

BD

unread,
Oct 16, 2023, 3:39:59 PM10/16/23
to elw...@wazuh.com, Wazuh | Mailing List
Hello,

Your testalert.log is the active response from wazuh-manager, I was talking about the initial application log sent by the remote agent in JSON.
For exemple i have a web server with a webapp and a wazuh-agent reading the webapp.log in JSON:

webapp.log:

{"reqId":"M1xhbTkx2gH5iwxvD1lg","level":2,"time":"2023-10-02T17:54:57+02:00","remoteAddr":"222.222.222.222","user":"--","app":"core","method":"POST","url":"/index.php/login?user=root","message":"Login failed: 'root' (Remote IP: '222.222.222.222')"}

then this log line trigger an alert in wazuh-manager so during active response, i have a full json in the "previous_output" key with the { } and the " (the full above line from webapp.log)

regards 



elw...@wazuh.com

unread,
Oct 18, 2023, 8:25:07 AM10/18/23
to Wazuh | Mailing List

Hello Bryan,

Thanks for bringing that up and indeed when the source is JSON and there is previous output it breaks the format; For this can you please report it here https://github.com/wazuh/wazuh/issues and share all the details.

As a workaround, I suggest parsing the full event and then escaping the double quotes withn the `previous_output` and `full_log` to make it a valid JSON then use it:

image (167).png

I hope this helps.

Regards,
Wali
Reply all
Reply to author
Forward
0 new messages