Active response


Youssef ElAhmar

Aug 16, 2023, 4:31:19 PM
to Wazuh mailing list
Hello,

I have a simple bash script that is enabled when any level 12 alert happens; it is working, however it is not showing in the logs on the agent or the server.

How can I make it appear in the server logs on the dashboard when it is enabled?

Thanks for your help

#!/bin/bash

# Disable all future incoming and outgoing connections
sudo ufw --force enable
sudo ufw --force default deny incoming
sudo ufw --force default deny outgoing

# Disable the active interface: take the token after "dev" from the route used to
# reach 8.8.8.8. Printing field 5 only works when the route has a "via" gateway;
# for a directly connected route the interface is field 3, so search for "dev".
interface=$(ip route get 8.8.8.8 | awk '{for (i = 1; i <= NF; i++) if ($i == "dev") {print $(i+1); exit}}')
[ -n "${interface}" ] && sudo ip link set "${interface}" down

Jorge Eduardo Molas

Aug 17, 2023, 10:51:17 AM
to Wazuh mailing list
Hi Youssef, Thanks for using Wazuh.
I will work on your case. I will get back as soon as possible.
Regards!

Jorge Eduardo Molas

Aug 18, 2023, 4:12:51 PM
to Wazuh mailing list
Hi! Sorry for the delay.

According to the AR flow, in order for your script to run, a rule set that you defined in Wazuh Manager (ossec.conf) must have been activated in the <active-response> section (in <rule set>). If I understand correctly, it reports that the script is executed. Is this according to your tests, or did you actually verify that the script was executed in response to the defined ruleset?

Please check whether you performed the necessary steps to configure AR with an out-of-the-box response.

1. In the administrator you must configure your command in the <command> section
2. Then check that all elements are set correctly in <active-response>, especially pay attention to <location> and <ruleset> settings
3. On the agent side, check that your script is in the path /var/ossec/active-response/bin with the necessary permissions (750).
4. Finally, check whether you find evidence of execution in /var/ossec/logs/active-response.log (Linux)

If you cannot verify the execution, you can debug the rule that AR should fire on. For this you can enable the logall option in ossec.conf to verify that the event is received and decoded in your handler. Just so you know, enabling the logall option can consume a lot of disk space.

Please let me know if you were able to solve it with these tips.
Greetings

Youssef ElAhmar

Aug 20, 2023, 11:58:28 AM
to Wazuh mailing list
Hey Jorge, Thanks for the reply

All this was set up on the agent and manager side, and when I trigger a level 12 event, such as SSH bruteforcing, two active responses occur: the default firewall-drop, which is shown on the dashboard and in the active response logs, and my Network-Drop script, which also runs (there is proof that it runs because I check the OS afterwards), but it doesn't appear in the active response logs like firewall-drop does. I just want to make it appear there so that it appears on the dashboard.

Thanks,

Jorge Eduardo Molas

Aug 28, 2023, 9:44:54 AM
to Wazuh | Mailing List
Hi Youssef! Sorry for my delay.
I understand that you are experiencing issues with your custom script when facing a brute-force SSH attack. While the default firewall-drop AR script successfully executes and leaves evidence in both the agent and manager AR logs, your custom script does not seem to do the same, despite there being evidence that it was executed. I will try to replicate your situation to better assist you. I will return shortly.

Jorge Eduardo Molas

Aug 28, 2023, 7:33:02 PM
to Wazuh | Mailing List
Hi Youssef!
I have replicated your case successfully. From what I see, your script just executes your desired action, and since you indicate that it works, I understand that the configuration in Wazuh Manager is correct.
However, to obtain messages in the AR log (agent) and the alert, the script as developed is not enough.
As the documentation indicates, there are a few steps to complete in your script.
In your case I understand that you want a stateless script, so you would need to do the following:
1. Read STDIN
2. Parse the JSON object sent by AR
3. Write STDOUT to send a control message to execd.
The documentation provides a template for an AR in the Python language.
I hope this information is helpful.
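An added example (not the poster's script and not Wazuh's own template) of the stateless flow described above, in Python: it reads the JSON that execd writes to stdin, parses it, appends lines to the agent's active-response log before and after running the poster's isolation action, and exits non-zero on bad input. The log path is assumed to be the one the Wazuh documentation template uses on a stock Linux agent; the script name network-drop and the sample request are constructed, and the check_keys/continue exchange that stateful scripts add is left out.

```python
#!/usr/bin/python3
import datetime
import json
import subprocess
import sys

AR_NAME = "network-drop"
LOG_FILE = "/var/ossec/logs/active-responses.log"  # assumed stock Linux agent; the docs template's log
SAMPLE_REQUEST = ('{"version": 1, "origin": {"name": "manager", "module": "wazuh-execd"}, '
                  '"command": "add", "parameters": {"alert": {"rule": {"id": "100012", '
                  '"level": 12}, "data": {"srcip": "203.0.113.7"}}}}')  # constructed execd request

def write_ar_log(msg, log_file=LOG_FILE):
    """Append one line in the same shape the built-in firewall-drop produces."""
    with open(log_file, "a") as fh:
        fh.write(datetime.datetime.now().strftime("%Y/%m/%d %H:%M:%S") + f" {AR_NAME}: {msg}\n")

def parse_ar_message(line):
    """Decode the JSON execd writes to stdin; returns (command, alert), or (None, {}) on bad input."""
    try:
        data = json.loads(line)
        return data.get("command"), data.get("parameters", {}).get("alert", {})
    except (ValueError, AttributeError):  # not JSON, or JSON that is not an object
        return None, {}

def isolate_host():
    """The poster's action; execd already runs the script as root, so no sudo."""
    for rule in ("enable", "default deny incoming", "default deny outgoing"):
        subprocess.run(["ufw", "--force"] + rule.split(), check=False)
    words = subprocess.run(["ip", "route", "get", "8.8.8.8"], capture_output=True, text=True).stdout.split()
    if "dev" in words:  # the token after "dev" is the egress interface
        subprocess.run(["ip", "link", "set", words[words.index("dev") + 1], "down"], check=False)

def handle(line, action=isolate_host, log_file=LOG_FILE):
    """Handle one request: log, parse, act on "add" only. Returns the process exit code."""
    write_ar_log("Started", log_file)
    command, alert = parse_ar_message(line)
    if command not in ("add", "delete"):
        write_ar_log(f"Invalid input, expected JSON with command add/delete, got {command!r}", log_file)
        return 1
    if command == "add":  # stateless: nothing to undo on "delete"
        write_ar_log(f"Isolating host: rule {alert.get('rule', {}).get('id', '?')} "
                     f"from {alert.get('data', {}).get('srcip', '?')}", log_file)
        action()
    write_ar_log("Ended", log_file)
    return 0

if __name__ == "__main__":
    sys.exit(handle(sys.stdin.readline()))
```

In a stock agent configuration that log file is collected by the agent and forwarded to the manager, which is how the built-in firewall-drop entries reach the dashboard.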
