XDR Custom Script not working


Shine Cardozo

Jan 23, 2023, 1:18:17 AM
to Wazuh mailing list
Hi Team

I wanted to execute a custom active-response script, following is my configuration that works.
1] File: ossec.conf
  <command>
    <name>abc</name>
    <executable>a.py</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>abc</command>
    <location>local</location>
    <rules_id>100200</rules_id>
  </active-response>

100200 is a local rule but when triggered can execute the default commands (firewalld-drop, ipfw, pf, wazuh-slack, firewall-drop, kaspersky, restart.sh, default-firewall-drop, host-deny, kaspersky.py, restart-wazuh, disable-account, ip-customblock, npf, route-null)

100200 cannot execute any command with a custom script that I place in active-response/bin directory.


For example the following works for me:
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100200</rules_id>
  </active-response>

Shine Cardozo

Jan 23, 2023, 1:40:17 AM
to Wazuh mailing list

Correction: I wanted to execute a custom active-response script, following is my configuration that does not work.

elw...@wazuh.com

Jan 23, 2023, 4:35:49 AM
to Wazuh mailing list
Hello,

In the executable, if it is running on Linux you need to remove the `.py` extension as mentioned here https://documentation.wazuh.com/current/user-manual/capabilities/active-response/remediation-faq.html#will-active-response-continue-working-after-upgrading-to-wazuh-v4-2-0. However, I am sharing an example of how to test a simple AR:

  1. Add the following script to the path /var/ossec/active-response/bin and assign the same ownership/permissions as the other binaries there:

    #!/bin/sh
    # wazuh-execd passes the alert as one JSON line on stdin; append it to a log file.
    # The path is relative: execd runs from /var/ossec, so the file is /var/ossec/testalert.log
    read alert
    echo "$alert" >> testalert.log


  2. Add the active response configuration to the ossec.conf of the manager:

    <command>
      <name>simpleARPOC</name>
      <executable>simpleARPOC</executable>
    </command>

    <active-response>
      <command>simpleARPOC</command>
      <location>server</location>
      <rules_id>502</rules_id>
    </active-response>


  3. Restart the Wazuh manager and you will have the alerts logged in the testalert.log file:

    cat /var/ossec/testalert.log
    {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2022-06-14T12:33:54.241+0000","rule":{"level":3,"description":"Ossec server started.","id":"502","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh.manager"},"manager":{"name":"wazuh.manager"},"id":"1655210034.1929","full_log":"ossec: Ossec started.","decoder":{"name":"ossec"},"location":"wazuh-monitord"},"program":"active-response/bin/simpleARPOC"}}

Hope this helps.

Regards,
Wali

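As an added example (my own code, not from this thread and not Wazuh's), here is what a Python version of the OP's a.py could look like on Wazuh 4.2+, installed under the same name as the `<executable>` entry and without the `.py` suffix, as Wali notes. It validates the JSON message wazuh-execd writes to stdin (the same format Wali's testalert.log shows), pulls out the fields a response action would key on, and appends one line to a log. The script name `abc` and the log path are assumptions; the embedded sample message is Wali's, abridged, so the script can be exercised offline.

```python
#!/usr/bin/env python3
"""Custom Wazuh active-response script (added example, not code from this thread).

Install as /var/ossec/active-response/bin/abc (no .py suffix, execute bit set, same
owner/group as the other files there) and reference it as <executable>abc</executable>.
wazuh-execd hands the script one JSON line on stdin; this script validates it,
extracts the fields an action would key on, and appends one line to a log file.
"""
import json
import sys
from datetime import datetime, timezone

# Assumed values: Wali's test script logged to /var/ossec/testalert.log instead.
LOG_PATH = "/var/ossec/logs/active-responses.log"
SCRIPT_NAME = "abc"

# The message from Wali's testalert.log (abridged), embedded so the code runs offline.
SAMPLE_MESSAGE = (
    '{"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add",'
    '"parameters":{"extra_args":[],"alert":{"timestamp":"2022-06-14T12:33:54.241+0000",'
    '"rule":{"level":3,"description":"Ossec server started.","id":"502","firedtimes":1,'
    '"mail":false,"groups":["ossec"]},"agent":{"id":"000","name":"wazuh.manager"},'
    '"manager":{"name":"wazuh.manager"},"id":"1655210034.1929","full_log":"ossec: Ossec started.",'
    '"decoder":{"name":"ossec"},"location":"wazuh-monitord"},"program":"active-response/bin/simpleARPOC"}}'
)


def parse_message(raw: str) -> dict:
    """Parse the execd message; raise ValueError for anything that is not a v1 add/delete."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"stdin is not JSON: {exc}") from None
    if not isinstance(msg, dict) or msg.get("version") != 1:
        raise ValueError("not a version-1 active-response message")
    # "add" is sent when the rule fires; "delete" only arrives when a timeout is
    # configured and expires (the OP's config has <timeout_allowed>no</timeout_allowed>).
    if msg.get("command") not in ("add", "delete"):
        raise ValueError(f"unexpected command {msg.get('command')!r}")
    return msg


def summarize(msg: dict) -> dict:
    """Pull out the fields a response action normally keys on."""
    params = msg.get("parameters", {})
    alert = params.get("alert", {})
    rule = alert.get("rule", {})
    return {
        "command": msg["command"],
        "rule_id": rule.get("id"),
        "level": rule.get("level"),
        "agent_id": alert.get("agent", {}).get("id"),
        # srcip only exists when the decoder extracted one; rule 502 has none.
        "srcip": alert.get("data", {}).get("srcip"),
        "extra_args": params.get("extra_args", []),
        "program": params.get("program"),
    }


def handle(raw: str) -> tuple:
    """Validate one message and return (summary, log_line); does no I/O so it is testable."""
    summary = summarize(parse_message(raw))
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    line = f"{stamp} {SCRIPT_NAME}: {json.dumps(summary, sort_keys=True)}\n"
    return summary, line


def main() -> int:
    raw = sys.stdin.readline()
    try:
        _, line = handle(raw)
        with open(LOG_PATH, "a", encoding="utf-8") as log:
            log.write(line)
    except (ValueError, OSError) as exc:
        # Visible when the script is run by hand: echo "$json" | ./abc
        print(f"{SCRIPT_NAME}: {exc}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

To check the installed file before wiring it to a rule, pipe a message into it by hand (`echo '<json>' | /var/ossec/active-response/bin/abc`) as the user execd runs as; a missing shebang, missing execute bit or missing interpreter shows up there rather than silently in the manager. With `<location>local</location>`, as in the OP's block, the script runs on the agent that raised the alert, so it has to be present in that agent's active-response/bin, not only on the manager.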
Shine Cardozo

Feb 1, 2023, 6:15:51 AM
to elw...@wazuh.com, Wazuh mailing list
Dear Elwali

Was finally able to get it running by creating a binary file out of a shell script.

Sincerely
---