Small issue with commands


clsamc...@gmail.com

Jan 16, 2023, 12:47:40 PM
to Wazuh mailing list
Greetings,

I have a bash script that I've added to /var/ossec/active-response/bin.

I have created a log file to which a local script records the output of "ufw status". If the match is "Status: inactive", then the command script will execute the command "/usr/sbin/ufw enable".

My ossec.conf file looks like this:
<active-response>
  <command>ufw-restart</command>
  <executable>ufw-restart</executable>
  <location>local</location>
  <rules_id>200001</rules_id>
</active-response>

However, restarting fails with the error:
2023/01/16 12:21:25 wazuh-analysisd: ERROR: (1230): Invalid element in the configuration: 'executable'.

If I remove the tag executable, instead I get:
2023/01/16 11:57:49 wazuh-analysisd: ERROR: (1303): Invalid command 'ufw-restart' in the active response.

I am running Wazuh 4.3.9. I'm not sure what I am missing.

Thanks,
Sean.


Nicolas Osvaldo Fernandez

Jan 16, 2023, 2:56:00 PM
to Wazuh mailing list
Hello, good morning!

I'll check the documentation and get back to you to help you.

Thanks

Nicolás Fernández

Nicolas Osvaldo Fernandez

Jan 16, 2023, 4:24:41 PM
to Wazuh mailing list
Hello, sorry for the delay.

I was going through the documentation and you should do the following:

1. Create the command, inside the ossec.conf file, for example:

<command>
  <name>ufw-restart</name>
  <executable>ufw-restart</executable>
</command>

2. Use the command previously created in the active-response section, for example:

<active-response>
  <command>ufw-restart</command>
  <location>local</location>
  <rules_id>200001</rules_id>
</active-response>

References: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/how-it-works.html

Let me know if this worked for you; if you have any questions, let me know!

Regards!

Nicolas

clsamc...@gmail.com

Feb 2, 2023, 2:01:59 PM
to Wazuh mailing list
Hi Nicolas,

I got this to work by using the following:

ossec.conf:

<active-response>
  <command>ufw-restart</command>
  <location>local</location>
  <rules_id>200007</rules_id>
</active-response>

<localfile>
  <log_format>command</log_format>
  <command>ufw status</command>
  <frequency>360</frequency>
</localfile>

local_rules.xml:
<rule id="200007" level="12">
  <if_sid>530</if_sid>
  <match>ossec: output: 'ufw status'</match>
  <regex>inactive</regex>
  <description>Monitor UFW</description>
  <group>process_monitor,</group>
</rule>

/var/ossec/active-response/bin/ufw-restart:
#!/bin/bash
# Executed by wazuh-execd when rule 200007 fires; re-enables the firewall.
/usr/sbin/ufw enable

Thanks.
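The one-line script above runs `ufw enable` every time execd invokes it, whatever the triggering alert was. In Wazuh 4.x, execd hands the script a JSON message on stdin describing the alert, so the script can verify it is being called for the expected rule and for the expected condition before touching the firewall, and record what it did in the active-responses log. The following is an added example written for this thread (not Sean's script and not Wazuh project code). It assumes the 4.x active-response message shape: a top-level "command" ("add" when an alert fires, "delete" for stateful timeouts) and "parameters.alert" carrying the alert, with "rule.id" and "full_log" as in Wazuh's alert JSON; the sample messages at the bottom are constructed to that shape.

```python
#!/usr/bin/env python3
"""ufw-restart handler that validates the active-response message before acting.

Added example for the Wazuh mailing-list thread; not the posted script and not
Wazuh project code.  Assumes the Wazuh 4.x active-response protocol described
in the lead-in (assumed field names: "command", "parameters.alert.rule.id",
"parameters.alert.full_log").
"""
import json
import subprocess
import sys
from datetime import datetime

EXPECTED_RULE_ID = "200007"                        # rule id used in the thread
UFW_ENABLE_CMD = ["/usr/sbin/ufw", "enable"]       # command used in the thread
AR_LOG = "/var/ossec/logs/active-responses.log"    # Wazuh's active-response log


def decide(message, expected_rule_id=EXPECTED_RULE_ID):
    """Return "enable", "skip" or "invalid" for one execd message.

    Acting only on "add" for the expected rule, and only when the monitored
    `ufw status` output really reports "inactive", stops the script from
    enabling the firewall for any other alert that gets wired to this command.
    """
    try:
        msg = json.loads(message)
    except ValueError:
        return "invalid"
    if not isinstance(msg, dict) or msg.get("command") != "add":
        return "skip"
    alert = msg.get("parameters", {}).get("alert", {})
    if str(alert.get("rule", {}).get("id", "")) != expected_rule_id:
        return "skip"
    if "inactive" not in alert.get("full_log", ""):
        return "skip"
    return "enable"


def write_log(text, path=AR_LOG):
    """Append one timestamped line to the active-responses log."""
    stamp = datetime.now().strftime("%Y/%m/%d %H:%M:%S")
    with open(path, "a") as fh:
        fh.write(f"{stamp} ufw-restart: {text}\n")


def main():
    raw = sys.stdin.readline()          # execd sends a single JSON line
    action = decide(raw)
    if action != "enable":
        write_log(f"no action ({action})")
        return 0
    result = subprocess.run(UFW_ENABLE_CMD, capture_output=True, text=True)
    write_log(f"ran {' '.join(UFW_ENABLE_CMD)} rc={result.returncode} "
              f"out={result.stdout.strip()!r} err={result.stderr.strip()!r}")
    return result.returncode


# Constructed sample messages following the assumed execd message shape.
SAMPLE_ADD = json.dumps({
    "version": 1,
    "origin": {"name": "node01", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {
            "rule": {"id": "200007", "level": 12, "description": "Monitor UFW"},
            "full_log": "ossec: output: 'ufw status': Status: inactive",
        },
    },
})
SAMPLE_DELETE = SAMPLE_ADD.replace('"command": "add"', '"command": "delete"')
SAMPLE_OTHER_RULE = SAMPLE_ADD.replace('"id": "200007"', '"id": "999999"')  # placeholder id
SAMPLE_ACTIVE = SAMPLE_ADD.replace("Status: inactive", "Status: active")

if __name__ == "__main__":
    sys.exit(main())
```

Installed as /var/ossec/active-response/bin/ufw-restart with the same owner and mode as the scripts already in that directory, it slots into the `<command>`/`<active-response>` configuration shown in the thread unchanged. The `full_log` check is deliberate redundancy: rule 200007 already requires "inactive", but a later edit to the rule or a second `<rules_id>` pointing at this command will then not silently turn into an unconditional `ufw enable`.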

Nicolas Osvaldo Fernandez

Feb 5, 2023, 6:14:42 PM
to Wazuh mailing list
Perfect!

Greetings!

Nicolás
