[Wazuh] How to trigger a custom script before the Agent sends a message to the Manager?


EXP

Apr 25, 2019, 12:31:48 AM
to Wazuh mailing list
Hi!

When the agent finds an audit event, it sends a message to the Manager.
I want to interrupt this behavior and run my custom script to analyse the audit event.

At first, I tried to use Active Response to do it.
The flow is like this:
  • Agent : find audit event
  • Agent : send audit event
  • Manager : recv audit event
  • Manager : analyse audit event
  • Manager : trigger alert rule
  • Manager : trigger AR
  • Agent : trigger custom script via AR

But the AR can't send the audit params from the Manager to the Agent, like the 'pid'. So I want to modify the flow like this:
  • Agent : find audit event
  • Agent : interrupt & trigger custom script
  • Agent : send audit event
  • Manager : recv audit event
  • Manager : analyse audit event
  • Manager : trigger alert rule

How can I do this? Thank you!

daniel...@wazuh.com

Apr 25, 2019, 12:09:05 PM
to Wazuh mailing list

Hello EXP,

I see a possibility to complete the flow you describe in the first place: instead of using AR, you could use integrator.

The integrator daemon will fit better in this case because it passes the alert to the script, making you able to extract every field in the alert that has been decoded.

To start using integratord you have to:

  • Enable it by doing:
    /var/ossec/bin/ossec-control enable integrator

  • Add an integration section in the manager ossec.conf file, it should look like:

    <integration>
       <name>custom-script</name>
       <group>audit</group>
       <alert_format>json</alert_format>
    </integration>

I've used the group audit to filter the rules I'll pass to my script; this way only the rules contained in the group "audit" will be passed to the script. You can define multiple groups by using commas to separate them.
You may check for further information about this section here.

  • Add a script to /var/ossec/integrations/ with the same name you used in the <name> tag before (custom-script in this case). I've attached an example script that could help you to understand how to make scripts work with integratord.

  • Restart the Wazuh manager.

It's important to know that this script can't get more parameters because integratord doesn't allow it yet. The first parameter will always be a file which contains the alert that triggered the integration section conditions (this is done by the integrator daemon natively).

The final flow of the solution proposed is:
  • Agent : find audit event
  • Agent : send audit event
  • Manager : receive audit event
  • Manager : analyze audit event
  • Manager : trigger alert rule
  • Manager : trigger integrator
  • Manager : trigger custom script

Keep in mind that the script will be launched on the manager side. You will need the script to connect to the agent host. To achieve it, consider extracting the agent IP as I did with the process PID.

Let me know if it solved the issue.

Regards.

[Attachment: custom-script]

EXP

Apr 26, 2019, 5:08:08 AM
to Wazuh mailing list
Hi!

Thank you for your idea, but I'm sorry for that.
The custom script should run on the Agent, because I want to analyse the ps tree via the pid.
If it runs on the Manager, I get the pid, but I can't do anything.

On Friday, April 26, 2019 at 12:09:05 AM UTC+8, daniel...@wazuh.com wrote:

daniel...@wazuh.com

Apr 29, 2019, 12:33:45 PM
to Wazuh mailing list

Hello EXP,

The active response feature doesn't allow dynamic fields as input yet, so you can't use it in this case, and that's why I recommended you to use the integrator daemon.

The script I've given you will run on the manager side, but if you want to run a script on the agent side you only need to connect to it (you could use ssh) and launch your script there.

I hope it helps you.

Regards.
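As an added example, not the script attached in this thread and not Wazuh's own code, here is a Python integration script of the kind described in the two replies above: integratord starts it with the path of the alert file as the first argument; the script reads the JSON alert, pulls the process PID and the agent IP out of it, validates both, and builds the ssh command that would run an analysis script already present on the agent host. The alert field paths agent.ip and data.audit.pid, the ssh account auditor and the remote path /usr/local/bin/ps-tree-check.sh are assumptions, and the sample alert is constructed.

```python
#!/usr/bin/env python3
# Hypothetical integratord script (not the one attached in the thread).
# Installed as /var/ossec/integrations/custom-script, it is invoked by the
# manager with the path of a file holding the triggering alert as argv[1].
import ipaddress
import json
import shlex
import subprocess
import sys

# Constructed sample, shaped like a decoded Wazuh audit alert. The field
# paths agent.ip and data.audit.pid are assumptions about the decoder output.
SAMPLE_ALERT = {
    "rule": {"id": "80700", "groups": ["audit", "audit_command"]},
    "agent": {"id": "001", "name": "web01", "ip": "10.0.0.5"},
    "data": {"audit": {"pid": "4242", "ppid": "1", "exe": "/usr/bin/curl"}},
}

SSH_USER = "auditor"                               # assumed low-privilege account on the agent
REMOTE_SCRIPT = "/usr/local/bin/ps-tree-check.sh"  # assumed script already deployed on the agent


def load_alert(path):
    """Read the alert file integratord hands over (one JSON document)."""
    with open(path) as fh:
        return json.load(fh)


def extract_targets(alert):
    """Return (agent_ip, pid) from the alert, refusing anything malformed.

    Both values end up on a remote command line, so they are validated
    strictly instead of being passed through as received.
    """
    agent_ip = alert.get("agent", {}).get("ip")
    pid = alert.get("data", {}).get("audit", {}).get("pid")
    if agent_ip is None or pid is None:
        raise ValueError("alert lacks agent.ip or data.audit.pid")
    ipaddress.ip_address(agent_ip)  # raises ValueError if this is not a valid IP address
    pid = str(pid)
    if not pid.isdigit():
        raise ValueError("pid is not numeric: %r" % pid)
    return agent_ip, pid


def build_remote_command(agent_ip, pid, ssh_user=SSH_USER, remote_script=REMOTE_SCRIPT):
    """Build the argv for running the agent-side script over ssh.

    BatchMode disables password prompts (key authentication only) and the
    remote command is quoted so the PID reaches the script as one argument.
    """
    remote = "%s %s" % (shlex.quote(remote_script), shlex.quote(pid))
    return ["ssh", "-o", "BatchMode=yes", "%s@%s" % (ssh_user, agent_ip), remote]


def main(argv):
    if len(argv) > 1:
        alert = load_alert(argv[1])   # real invocation by integratord
    else:
        alert = SAMPLE_ALERT          # offline dry run on the constructed alert
    agent_ip, pid = extract_targets(alert)
    cmd = build_remote_command(agent_ip, pid)
    if len(argv) > 1:
        return subprocess.run(cmd, check=False).returncode
    print("would run:", " ".join(cmd))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it only prints the command it would execute for the constructed alert; given a file path it behaves as integratord expects. Validating the IP and PID before they reach the ssh command line matters because the alert content is derived from events on the monitored host, so the script should treat it as untrusted input.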
