Changes to Active Response to use stdin


OSSIM Notify

Nov 24, 2021, 3:42:59 PM
to Wazuh mailing list
Good Afternoon,

We recently upgraded from Wazuh 4.0.4 to 4.2.x and need to rewrite our custom AR scripts to support the changes made to active response.  It is my understanding from the documentation that the scripts should now parse stdin instead of command line arguments.  However, I have not been able to find any examples of the expected format of stdin that is passed to a custom script.

Can someone please provide an example of the expected format so that we may update our scripts accordingly?  Thanks in advance.

Pedro Nicolás Gomez

Nov 24, 2021, 4:27:45 PM
to Wazuh mailing list

Hi ossim,

I hope you are doing fine!

Yes, the new AR now receives the full alert in JSON format via STDIN, so you need your script to read it this way.

This is an example of the message with the full alert that is passed to the firewall-drop AR.

{
  "version": 1,
  "origin": { "name": "worker01", "module": "wazuh-execd" },
  "command": "add",
  "parameters": {
    "extra_args": [],
    "alert": {
      "timestamp": "2021-02-01T20:58:44.830+0000",
      "rule": {
        "level": 15,
        "description": "Shellshock attack detected",
        "id": "31168",
        "mitre": {
          "id": ["T1068", "T1190"],
          "tactic": ["Privilege Escalation", "Initial Access"],
          "technique": ["Exploitation for Privilege Escalation", "Exploit Public-Facing Application"]
        },
        "info": "CVE-2014-6271https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271",
        "firedtimes": 2,
        "mail": true,
        "groups": ["web", "accesslog", "attack"],
        "pci_dss": ["11.4"],
        "gdpr": ["IV_35.7.d"],
        "nist_800_53": ["SI.4"],
        "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
      },
      "agent": { "id": "000", "name": "ubuntu-bionic" },
      "manager": { "name": "ubuntu-bionic" },
      "id": "1612213124.6448363",
      "full_log": "192.168.0.223 - - [01/Feb/2021:20:58:43 +0000] \"GET / HTTP/1.1\" 200 612 \"-\" \"() { :; }; /bin/cat /etc/passwd\"",
      "decoder": { "name": "web-accesslog" },
      "data": { "protocol": "GET", "srcip": "192.168.0.223", "id": "200", "url": "/" },
      "location": "/var/log/nginx/access.log"
    },
    "program": "/var/ossec/active-response/bin/firewall-drop"
  }
}

In this section of the documentation you can find an example of each message exchanged between the AR and execd, as well as an example of a custom active response created in Python:

https://documentation.wazuh.com/current/user-manual/capabilities/active-response/custom-active-response.html

I hope it helps.
Best regards, Pedro Nicolas.
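
Added example, not code from this thread or from Wazuh's own scripts: a Python sketch of the stdin-reading half of a custom AR script. It parses the execd message in the format shown above, refuses anything it does not understand (wrong version, unknown command, no source IP), and hands back the fields the rest of the script would act on. The sample message is a trimmed, constructed copy of the firewall-drop alert; the function and variable names are this example's own.

```python
import json
import sys

# Constructed sample, shaped like the execd -> AR message quoted above (trimmed).
SAMPLE_MESSAGE = json.dumps({
    "version": 1,
    "origin": {"name": "worker01", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {
            "rule": {"level": 15, "id": "31168", "description": "Shellshock attack detected"},
            "agent": {"id": "000", "name": "ubuntu-bionic"},
            "data": {"srcip": "192.168.0.223", "protocol": "GET", "url": "/"},
        },
        "program": "/var/ossec/active-response/bin/firewall-drop",
    },
})


def parse_ar_message(raw):
    """Parse one execd message read from stdin.

    Returns a small dict the script can act on, or raises ValueError when the
    message is not something this script should act on."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError("stdin is not valid JSON: %s" % exc)
    if msg.get("version") != 1:
        raise ValueError("unsupported message version: %r" % msg.get("version"))
    command = msg.get("command")
    if command not in ("add", "delete"):
        raise ValueError("unexpected command: %r" % command)
    params = msg.get("parameters", {})
    alert = params.get("alert", {})
    srcip = alert.get("data", {}).get("srcip")
    if not srcip:
        raise ValueError("alert carries no data.srcip; nothing to act on")
    return {
        "command": command,
        "srcip": srcip,
        "rule_id": alert.get("rule", {}).get("id"),
        "agent_id": alert.get("agent", {}).get("id"),
        "extra_args": params.get("extra_args", []),
    }


def main():
    raw = sys.stdin.read()  # the whole message arrives on stdin, not in argv
    try:
        action = parse_ar_message(raw)
    except ValueError as exc:
        sys.stderr.write("custom-ar: %s\n" % exc)  # log and refuse to act
        return 1
    # Replace this print with the script's real add/delete handling.
    print("%s %s (rule %s, agent %s)" % (action["command"], action["srcip"],
                                         action["rule_id"], action["agent_id"]))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `python3 custom-ar.py < message.json` to see the parsed result; a malformed or unexpected message exits non-zero without taking any action.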

OSSIM Notify

Nov 24, 2021, 5:15:13 PM
to Pedro Nicolás Gomez, Wazuh mailing list
Thank you, Pedro!  This is exactly what I needed.  I could not find this reference in the documentation so the link is super helpful.
