Create a custom AR script

123 views
Skip to first unread message

Rémi Paeta

unread,
Sep 23, 2021, 6:33:58 AMSep 23
to Wazuh mailing list
Hello,

I'm using Wazuh 4.2.0
I am trying to use a custom python script to send json alert to an API.
My script should run when there is an alert on rules 5710 and 5712.
The script ran correctly the first time, but no longer runs for subsequent alerts.
I have enabled debug mode on the wazuh-manager service and I have this error displayed:
wazuh-execd [7027] execd.c: 499 at ExecdStart (): DEBUG: Active response won't be added to timeout list. Message not received with alert keys from script 'active-response / bin / postalert.py'

Can you help me please ?


Alexis Rivas

unread,
Sep 23, 2021, 12:05:10 PMSep 23
to Wazuh mailing list
Hi! hope you're doing well.

Please provide me with the following information to better understand this situation:

* postalert.py
* Alert 5710 and 5712 config block.
* active-response config block.
* command definition.
* A log sample you use to trigger this alert.

Best regards
Alexis

Rémi Paeta

unread,
Sep 24, 2021, 4:26:10 AMSep 24
to Wazuh mailing list
Hello Alexis,

I have not personalized the rules 5710 and 5712 regarding SSH.
I have attached the post-alert.py to this post.
Here is the declaration block for the active response:
<active-response>
    <disabled>no</disabled>
    <command>postalert</command>
    <location>server</location>
    <rules_id>5710,5712</rules_id>
    <timeout>0</timeout>
</active-response>
Here is the statement block for the command:
<command>
    <name>postalert</name>
    <executable>postalert.py</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>
Here is a log sample:
2021/09/23 12:25:16 wazuh-execd[7027] execd.c:416 at ExecdStart(): DEBUG: Received message: '{"version":1,"origin":{"name":"Test-Wazuh-Master","module":"wazuh-analysisd"},"command":"postalert0","parameters":{"extra_args":[],"alert":{"timestamp":"2021-09-23T12:25:16.134+0200","rule":{"level":5,"description":"sshd: Attempt to login using a non-existent user","id":"5710","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":36,"mail":false,"groups":["syslog","sshd","invalid_login","authentication_failed"],"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"Test-Dev","ip":"XXX.XXX.XXX.XXX"},"manager":{"name":"Test-Wazuh-Master"},"id":"1632392716.1200413","cluster":{"name":"test-wazuh","node":"Test-Wazuh-Master"},"full_log":"Sep 23 12:25:16 Test-Dev sshd[17544]: Failed password for invalid user toto from XXX.XXX.XXX.XXX port 54470 ssh2","predecoder":{"program_name":"sshd","timestamp":"Sep 23 12:25:16","hostname":"Test-Dev"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"XXX.XXX.XXX.XXX","srcuser":"toto"},"location":"/var/log/auth.log"}}}'
2021/09/23 12:25:16 wazuh-execd[7027] execd.c:484 at ExecdStart(): DEBUG: Executing command 'active-response/bin/postalert.py {"version":1,"origin":{"name":"Test-Wazuh-Master","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2021-09-23T12:25:16.134+0200","rule":{"level":5,"description":"sshd: Attempt to login using a non-existent user","id":"5710","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":36,"mail":false,"groups":["syslog","sshd","invalid_login","authentication_failed"],"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"Test-Dev","ip":"XXX.XXX.XXX.XXX"},"manager":{"name":"Test-Wazuh-Master"},"id":"1632392716.1200413","cluster":{"name":"test-wazuh","node":"Test-Wazuh-Master"},"full_log":"Sep 23 12:25:16 Test-Dev sshd[17544]: Failed password for invalid user toto from XXX.XXX.XXX.XXX port 54470 ssh2","predecoder":{"program_name":"sshd","timestamp":"Sep 23 12:25:16","hostname":"Test-Dev"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"XXX.XXX.XXX.XXX","srcuser":"toto"},"location":"/var/log/auth.log"},"program":"active-response/bin/postalert.py"}}'
2021/09/23 12:25:16 wazuh-execd[7027] execd.c:499 at ExecdStart(): DEBUG: Active response won't be added to timeout list. Message not received with alert keys from script 'active-response/bin/postalert.py'

Thank you for your help :-)
postalert.py

Alexis Rivas

unread,
Sep 24, 2021, 9:45:35 AMSep 24
to Wazuh mailing list
Hi,
Thanks for giving me this information.
I'll do few tests and give you a reply as soon as I can.

Regards,
Alexis

Alexis Rivas

unread,
Sep 24, 2021, 4:58:14 PMSep 24
to Wazuh mailing list
Hi !
After working around your script and configuration I found out a solution.
ossec.conf: few changes to set it as stateless:

<active-response>
    <disabled>no</disabled>
    <command>postalert</command>
    <location>server</location>
    <rules_id>5710,5712</rules_id>
</active-response>

<command>
    <name>postalert</name>
    <executable>postalert.py</executable>
    <timeout_allowed>no</timeout_allowed>
</command>

Script:
As the AR documentation says here: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/custom-active-response.html, they're a few steps to be completed at your script if you want to customize active response:
1. Read through STDIN.
2. Parse the read JSON object.
3. Extract the necessary information for its execution.
4. Write STDOUT to send control message to execd.
5. Wait for the response via STDIN.
6. Check the command field.

But if it's stateless, It's enough with 1, 2 and 3.

It's very important to keep in mind that you should read the JSON from stdin carefully since it has newline character at the end.

def run_command():
    json_dump = json.dumps(sys.stdin.readline().rstrip())
    json_b64 = base64.b64encode(json_dump.encode('utf-8'))
    URL = 'http://XXX.XXX.XXX.XXX'
    DATA = {'param':json_b64}

    ....
    ....


I tried to write DATA to a file and check if everything's fine (emulating what you do with your api) and this file keeps updating every time alert 5710 or 5712 is triggered.

Finally, you'll still be noticing this log entry: wazuh-execd[9005] execd.c:498 at ExecdStart(): DEBUG: Active response won't be added to timeout list. Message not received with alert keys from script 'active-response/bin/postalert.py' since it's an informative message.

Hope it helps!
Let me know if you need something else.

Regards
Alexis

Rémi Paeta

unread,
Sep 27, 2021, 3:44:22 AMSep 27
to Wazuh mailing list
Thank you for your help !!! :-)

It works much better !

Regards,

Rémi

Reply all
Reply to author
Forward
0 new messages