Create a custom AR script
723 views
Skip to first unread message
Rémi Paeta
Sep 23, 2021, 6:33:58 AM9/23/21
to Wazuh mailing list
Hello,
I'm using Wazuh 4.2.0
I am trying to use a custom python script to send json alert to an API.
My script should run when there is an alert on rules 5710 and 5712.
The script ran correctly the first time, but no longer runs for subsequent alerts.
I have enabled debug mode on the wazuh-manager service and I have this error displayed:
wazuh-execd [7027] execd.c: 499 at ExecdStart (): DEBUG: Active response won't be added to timeout list. Message not received with alert keys from script 'active-response / bin / postalert.py'
Can you help me please ?
Alexis Rivas
Sep 23, 2021, 12:05:10 PM9/23/21
to Wazuh mailing list
Hi! hope you're doing well.
Please provide me with the following information to better understand this situation:
* postalert.py
* Alert 5710 and 5712 config block.
* active-response config block.
* command definition.
* A log sample you use to trigger this alert.
Best regards
Alexis
Please provide me with the following information to better understand this situation:
* postalert.py
* Alert 5710 and 5712 config block.
* active-response config block.
* command definition.
* A log sample you use to trigger this alert.
Best regards
Alexis
Rémi Paeta
Sep 24, 2021, 4:26:10 AM9/24/21
to Wazuh mailing list
Hello Alexis,
I have not personalized the rules 5710 and 5712 regarding SSH.
I have attached the post-alert.py to this post.
Here is the declaration block for the active response:
<active-response>
<disabled>no</disabled>
<command>postalert</command>
<location>server</location>
<rules_id>5710,5712</rules_id>
<timeout>0</timeout>
</active-response>
Here is the statement block for the command:
<command>
<name>postalert</name>
<executable>postalert.py</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
Here is a log sample:
2021/09/23 12:25:16 wazuh-execd[7027] execd.c:416 at ExecdStart(): DEBUG: Received message: '{"version":1,"origin":{"name":"Test-Wazuh-Master","module":"wazuh-analysisd"},"command":"postalert0","parameters":{"extra_args":[],"alert":{"timestamp":"2021-09-23T12:25:16.134+0200","rule":{"level":5,"description":"sshd: Attempt to login using a non-existent user","id":"5710","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":36,"mail":false,"groups":["syslog","sshd","invalid_login","authentication_failed"],"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"Test-Dev","ip":"XXX.XXX.XXX.XXX"},"manager":{"name":"Test-Wazuh-Master"},"id":"1632392716.1200413","cluster":{"name":"test-wazuh","node":"Test-Wazuh-Master"},"full_log":"Sep 23 12:25:16 Test-Dev sshd[17544]: Failed password for invalid user toto from XXX.XXX.XXX.XXX port 54470 ssh2","predecoder":{"program_name":"sshd","timestamp":"Sep 23 12:25:16","hostname":"Test-Dev"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"XXX.XXX.XXX.XXX","srcuser":"toto"},"location":"/var/log/auth.log"}}}'
2021/09/23 12:25:16 wazuh-execd[7027] execd.c:484 at ExecdStart(): DEBUG: Executing command 'active-response/bin/postalert.py {"version":1,"origin":{"name":"Test-Wazuh-Master","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2021-09-23T12:25:16.134+0200","rule":{"level":5,"description":"sshd: Attempt to login using a non-existent user","id":"5710","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":36,"mail":false,"groups":["syslog","sshd","invalid_login","authentication_failed"],"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"Test-Dev","ip":"XXX.XXX.XXX.XXX"},"manager":{"name":"Test-Wazuh-Master"},"id":"1632392716.1200413","cluster":{"name":"test-wazuh","node":"Test-Wazuh-Master"},"full_log":"Sep 23 12:25:16 Test-Dev sshd[17544]: Failed password for invalid user toto from XXX.XXX.XXX.XXX port 54470 ssh2","predecoder":{"program_name":"sshd","timestamp":"Sep 23 12:25:16","hostname":"Test-Dev"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"XXX.XXX.XXX.XXX","srcuser":"toto"},"location":"/var/log/auth.log"},"program":"active-response/bin/postalert.py"}}'
2021/09/23 12:25:16 wazuh-execd[7027] execd.c:499 at ExecdStart(): DEBUG: Active response won't be added to timeout list. Message not received with alert keys from script 'active-response/bin/postalert.py'
Thank you for your help :-)
Alexis Rivas
Sep 24, 2021, 9:45:35 AM9/24/21
to Wazuh mailing list
Hi,
Thanks for giving me this information.
I'll do few tests and give you a reply as soon as I can.
Regards,
Alexis
Alexis Rivas
Sep 24, 2021, 4:58:14 PM9/24/21
to Wazuh mailing list
Hi !
After working around your script and configuration I found out a solution.
ossec.conf: few changes to set it as stateless:
<command>
<name>postalert</name>
<executable>postalert.py</executable>
<timeout_allowed>no</timeout_allowed>
I tried to write DATA to a file and check if everything's fine (emulating what you do with your api) and this file keeps updating every time alert 5710 or 5712 is triggered.
Finally, you'll still be noticing this log entry: wazuh-execd[9005] execd.c:498 at ExecdStart(): DEBUG: Active response won't be added to timeout list. Message not received with alert keys from script 'active-response/bin/postalert.py' since it's an informative message.
Hope it helps!
Let me know if you need something else.
Regards
Alexis
After working around your script and configuration I found out a solution.
ossec.conf: few changes to set it as stateless:
<active-response>
<disabled>no</disabled>
<command>postalert</command>
<location>server</location>
<rules_id>5710,5712</rules_id>
</active-response><disabled>no</disabled>
<command>postalert</command>
<location>server</location>
<rules_id>5710,5712</rules_id>
<command>
<name>postalert</name>
<executable>postalert.py</executable>
</command>
Script:
As the AR documentation says here: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/custom-active-response.html, they're a few steps to be completed at your script if you want to customize active response:
1. Read through STDIN.
2. Parse the read JSON object.
3. Extract the necessary information for its execution.
4. Write STDOUT to send control message to execd.
5. Wait for the response via STDIN.
6. Check the command field.
But if it's stateless, It's enough with 1, 2 and 3.
It's very important to keep in mind that you should read the JSON from stdin carefully since it has newline character at the end.
def run_command():
json_dump = json.dumps(sys.stdin.readline().rstrip())
json_b64 = base64.b64encode(json_dump.encode('utf-8'))
URL = 'http://XXX.XXX.XXX.XXX'
DATA = {'param':json_b64}
....
As the AR documentation says here: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/custom-active-response.html, they're a few steps to be completed at your script if you want to customize active response:
1. Read through STDIN.
2. Parse the read JSON object.
3. Extract the necessary information for its execution.
4. Write STDOUT to send control message to execd.
5. Wait for the response via STDIN.
6. Check the command field.
But if it's stateless, It's enough with 1, 2 and 3.
It's very important to keep in mind that you should read the JSON from stdin carefully since it has newline character at the end.
def run_command():
json_dump = json.dumps(sys.stdin.readline().rstrip())
json_b64 = base64.b64encode(json_dump.encode('utf-8'))
URL = 'http://XXX.XXX.XXX.XXX'
DATA = {'param':json_b64}
....
....
Finally, you'll still be noticing this log entry: wazuh-execd[9005] execd.c:498 at ExecdStart(): DEBUG: Active response won't be added to timeout list. Message not received with alert keys from script 'active-response/bin/postalert.py' since it's an informative message.
Hope it helps!
Let me know if you need something else.
Regards
Alexis
Rémi Paeta
Sep 27, 2021, 3:44:22 AM9/27/21
to Wazuh mailing list
Thank you for your help !!! :-)
It works much better !
Regards,
Rémi
Reply all
Reply to author
Forward
0 new messages