Custom active response stuck, only run when I restarted agent


Bayu Sangkaya (bayusky.labs)

Mar 14, 2024, 8:25:45 AM
to Wazuh | Mailing List
Dear Wazuh team,

I experienced wazuh-agent getting stuck when executing my custom active response. This active response, called quarantine.sh, quarantines a certain file on a matching condition, but it seems to get stuck and only runs when I restart the wazuh-agent service.

Here are the logs:
On the Wazuh manager:
I execute:
# /var/ossec/bin/agent_control -b 103.155.47.12 -f quarantine0 -u 001

and got logs showing that it worked:
2024/03/13 13:14:01 wazuh-remoted[1677503] ar-forward.c:41 at AR_Forward(): DEBUG: Active response request received: (msg_to_agent) [] NNS 001 {"version":1,"origin":{"name":"","module":""},"command":"quarantine0","parameters":{"extra_args":[],"alert":{"data":{"srcip":"103.155.47.12"}}}}
2024/03/13 13:14:01 wazuh-remoted[1677503] ar-forward.c:100 at AR_Forward(): DEBUG: Active response sent: #!-execd {"version":1,"origin":{"name":"","module":""},"command":"quarantine0","parameters":{"extra_args":[],"alert":{"data":{"srcip":"103.155.47.12"}}}}

And I got these logs on the wazuh-agent:
tail -f /var/ossec/logs/ossec.log | grep execd
2024/03/13 13:14:01 wazuh-execd[799467] execd.c:494 at ExecdStart(): DEBUG: Received message: '{"version":1,"origin":{"name":"","module":""},"command":"quarantine0","parameters":{"extra_args":[],"alert":{"data":{"srcip":"103.155.47.12"}}}}'
2024/03/13 13:14:01 wazuh-execd[799467] exec.c:105 at ReadExecConfig(): INFO: Active response command not present: 'active-response/bin/restart-ossec.sh'. Not using it on this system.
2024/03/13 13:14:01 wazuh-execd[799467] exec.c:105 at ReadExecConfig(): INFO: Active response command not present: 'active-response/bin/restart-ossec.cmd'. Not using it on this system.
2024/03/13 13:14:01 wazuh-execd[799467] exec.c:105 at ReadExecConfig(): INFO: Active response command not present: 'active-response/bin/restart-ossec.sh'. Not using it on this system.
2024/03/13 13:14:01 wazuh-execd[799467] exec.c:105 at ReadExecConfig(): INFO: Active response command not present: 'active-response/bin/restart-ossec.cmd'. Not using it on this system.
2024/03/13 13:14:01 wazuh-execd[799467] exec.c:105 at ReadExecConfig(): INFO: Active response command not present: 'active-response/bin/restart-wazuh.exe'. Not using it on this system.
2024/03/13 13:14:01 wazuh-execd[799467] execd.c:256 at ExecdRun(): DEBUG: Executing command 'active-response/bin/quarantine.sh {"version":1,"origin":{"name":"","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"data":{"srcip":"103.155.47.12"}},"program":"active-response/bin/quarantine.sh"}}'
--- Stuck on this line; when I execute the command on the server again, there are no changes in the log ---

And finally it worked, but only when I restarted the wazuh-agent service:
# tail -f /var/ossec/logs/active-responses.log | grep quarantine
2024/03/13 13:13:41 active-response/bin/quarantine.sh: null moved to /tmp/quarantined. Successfully quarantine threat

And I'm stuck here. It succeeds only when I restart the agent; it's the same when I use the EICAR test file.
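For comparison, here is a skeleton that follows the documented stdin/stdout exchange for custom active response scripts (execd writes one JSON line to the script, the script answers "check_keys" and reads back "continue" or "abort" before acting). This is an added example, not Bayu's quarantine.sh or Wazuh's own code; the alert field "data.file" it reads the path from is an assumption, and it deliberately refuses to act when that field is missing rather than moving "null".

```python
import json
import os
import shutil
import sys

QUARANTINE_DIR = "/tmp/quarantined"  # destination that appears in the thread's log

def parse_execd_message(raw):
    """Parse the one JSON line execd writes to stdin; returns (command, alert)."""
    msg = json.loads(raw)
    return msg["command"], msg.get("parameters", {}).get("alert", {})

def target_path(alert):
    """File to quarantine, or None if the alert has no usable path (field name assumed)."""
    path = alert.get("data", {}).get("file")
    return path if isinstance(path, str) and path else None

def check_keys_message(script_name, keys):
    """The 'check_keys' reply execd expects before it answers 'continue' or 'abort'."""
    return json.dumps({"version": 1,
                       "origin": {"name": script_name, "module": "active-response"},
                       "command": "check_keys", "parameters": {"keys": keys}})

def quarantine(path, dest_dir):
    os.makedirs(dest_dir, mode=0o700, exist_ok=True)
    dest = os.path.join(dest_dir, os.path.basename(path))
    shutil.move(path, dest)
    os.chmod(dest, 0o000)  # leave the isolated sample inert
    return dest

def run(stdin, stdout, script_name="quarantine.py", dest_dir=QUARANTINE_DIR):
    """One line in, check_keys out, one verdict line in, then act.
    Returns a status string so the outcome can be logged (and tested)."""
    command, alert = parse_execd_message(stdin.readline())
    if command != "add":
        return "ignored"
    path = target_path(alert)
    if path is None:
        return "no-path"  # do not act on a missing field instead of moving 'null'
    stdout.write(check_keys_message(script_name, [path]) + "\n")
    stdout.flush()
    verdict = stdin.readline().strip()  # execd answers 'continue' or 'abort'
    if verdict != "continue":
        return "aborted"
    return "quarantined:" + quarantine(path, dest_dir)

if __name__ == "__main__":
    status = run(sys.stdin, sys.stdout, os.path.basename(sys.argv[0]))
    sys.stderr.write(status + "\n")  # keep stdout for the execd exchange only
```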

Gonzalo Acuña

Mar 14, 2024, 8:54:28 AM
to Wazuh | Mailing List
Hi, Bayu.
1. Can you share all the configurations you made to make it work?
- Rules
- Decoders
- ossec.conf changes

2. Is the alert related to the AR being triggered?
3. What version of Wazuh are you using?

Regards.
Gonzalo.