Wazuh active response is not working.


Dang Binh An

Jul 29, 2024, 5:04:26 AM
to Wazuh | Mailing List

Hello,

I would like to inquire about using the active response feature in Wazuh. I have created a Python file on the Wazuh Windows agent as follows:

#!/usr/bin/python3
import os
import sys
import datetime

# The active-responses log lives in a different place on the Windows and Linux agent.
if os.name == 'nt':
    LOG_FILE = "C:\\Program Files (x86)\\ossec-agent\\active-response\\active-responses.log"
else:
    LOG_FILE = "/var/ossec/logs/active-responses.log"

OS_SUCCESS = 0
OS_INVALID = -1


def write_debug_file(msg):
    # Append a timestamped line to the active-responses log.
    with open(LOG_FILE, mode="a") as log_file:
        log_file.write(str(datetime.datetime.now().strftime('%Y/%m/%d %H:%M:%S')) + ": " + msg + "\n")


def main():
    # Expects the path of the file to delete as the single command-line argument.
    if len(sys.argv) != 2:
        print("Usage: python3 delete_file.py [file_to_delete]")
        sys.exit(OS_INVALID)

    file_to_delete = sys.argv[1]
    write_debug_file("Started delete_file.py")

    try:
        if os.path.exists(file_to_delete):
            os.remove(file_to_delete)
            write_debug_file(f"Successfully removed file: {file_to_delete}")
            print(f"Successfully removed file: {file_to_delete}")
        else:
            write_debug_file(f"File does not exist: {file_to_delete}")
            print(f"File does not exist: {file_to_delete}")
    except OSError as error:
        write_debug_file(f"Error removing file: {file_to_delete} - {error}")
        print(f"Error removing file: {file_to_delete} - {error}")
        sys.exit(OS_INVALID)

    write_debug_file("Ended delete_file.py")
    sys.exit(OS_SUCCESS)


if __name__ == "__main__":
    main()

Then, I used PyInstaller to compile the Python file into an .exe file, and then moved that file into the directory C:\Program Files (x86)\ossec-agent\active-response\bin, and finally restarted the Wazuh agent.
On the Wazuh manager, I configured it as follows:

<command>
  <name>remove</name>
  <executable>delete_file.exe</executable>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <disabled>no</disabled>
  <command>remove</command>
  <location>local</location>
</active-response>

After restarting the Wazuh manager, I tried using the Wazuh API to trigger the active response on the Wazuh agent as follows:

[screenshot attachment: 2024-07-29_15-47.png]

However, it seems that the Wazuh agent is not receiving the arguments. What should I do? Thanks <3

Chantal Belen Kelm

Jul 29, 2024, 6:13:12 AM
to Wazuh | Mailing List
Hi, assuming you followed some guide to add a custom active response and you configured the script correctly, you should check that the active response is being called; maybe the configuration that triggers the active response script is not set up correctly.

1. Increase the verbosity of execd daemon.
Edit the local_internal_options.conf with:
execd.debug=2

VERY IMPORTANT: once you no longer need it, deactivate it, since it generates a large amount of data and can occupy a large part of your storage space, even causing problems in the future.

2. Restart the Wazuh server/agent on which you changed the internal option in the previous step.

3. Force the action that should trigger the active response.

4. Ensure the script is executed by reviewing the logs of the Wazuh server/agent that runs the active response (logs/ossec.log).

For example:

2024/07/22 08:05:22 wazuh-execd[6623] execd.c:256 at ExecdRun(): DEBUG: Executing command 'active-response/bin/custom-ar.py {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2024-07-22T08:05:22.650+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh.manager"},"manager":{"name":"wazuh.manager"},"id":"1721635522.2784","full_log":"File '/tmp/test3' added\nMode: realtime\n","syscheck":{"path":"/tmp/test3","mode":"realtime","size_after":"0","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"d41d8cd98f00b204e9800998ecf8427e","sha1_after":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256_after":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","uname_after":"root","gname_after":"root","mtime_after":"2024-07-22T08:05:22","inode_after":8677611,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"},"program":"active-response/bin/custom-ar.py"}}'

Remember to cover all sensitive information in the information you share.

Dang Binh An

Jul 29, 2024, 9:44:47 PM
to Wazuh | Mailing List
I have enabled debug mode on the Windows agent, and this is the log I obtained when invoking the Wazuh API active response:
2024/07/30 08:40:44 wazuh-agent[2544] receiver.c:97 at receive_msg(): DEBUG: Received message: '#!-req bd523b81 com getconfig active-response'
2024/07/30 08:40:44 wazuh-agent[2544] request.c:337 at req_receiver(): DEBUG: req_receiver(): sending '#!-req bd523b81 ok  {"active-response":{"disabled":"no"}}' to server
2024/07/30 08:40:44 wazuh-agent[2544] receiver.c:97 at receive_msg(): DEBUG: Received message: '#!-execd {"version": 1, "origin": {"name": null, "module": "framework"}, "command": "remove0", "parameters": {"extra_args": ["C:\\test\\file.txt"], "alert": {}}}'
2024/07/30 08:40:44 wazuh-agent[2544] execd.c:256 at ExecdRun(): DEBUG: Executing command 'active-response/bin/delete_file.exe {"version":1,"origin":{"name":null,"module":"wazuh-execd"},"command":"add","parameters":{"extra_args":["C:\\test\\file.txt"],"alert":{},"program":"active-response/bin/delete_file.exe"}}'
2024/07/30 08:40:44 wazuh-agent[2544] exec_op.c:131 at wpopenv(): DEBUG: path = 'active-response/bin/delete_file.exe', command = '"active-response/bin/delete_file.exe"'

However, file.txt was still not deleted by the system. Can you give me some advice?

Chantal Belen Kelm

Jul 30, 2024, 10:51:37 AM
to Wazuh | Mailing List
Are these all the logs, or have you copied and sent only a part of them?

2024/07/30 08:40:44 wazuh-agent[2544] receiver.c:97 at receive_msg(): DEBUG: Received message: '#!-req bd523b81 com getconfig active-response'
2024/07/30 08:40:44 wazuh-agent[2544] request.c:337 at req_receiver(): DEBUG: req_receiver(): sending '#!-req bd523b81 ok  {"active-response":{"disabled":"no"}}' to server
2024/07/30 08:40:44 wazuh-agent[2544] receiver.c:97 at receive_msg(): DEBUG: Received message: '#!-execd {"version": 1, "origin": {"name": null, "module": "framework"}, "command": "remove0", "parameters": {"extra_args": ["C:\\test\\file.txt"], "alert": {}}}'
2024/07/30 08:40:44 wazuh-agent[2544] execd.c:256 at ExecdRun(): DEBUG: Executing command 'active-response/bin/delete_file.exe {"version":1,"origin":{"name":null,"module":"wazuh-execd"},"command":"add","parameters":{"extra_args":["C:\\test\\file.txt"],"alert":{},"program":"active-response/bin/delete_file.exe"}}'
2024/07/30 08:40:44 wazuh-agent[2544] exec_op.c:131 at wpopenv(): DEBUG: path = 'active-response/bin/delete_file.exe', command = '"active-response/bin/delete_file.exe"'

From what I see in the logs, Wazuh is running the script; it is the script that is not working.

You could look at the logs of the script itself, in the files you declared:

LOG_FILE = "C:\\Program Files (x86)\\ossec-agent\\active-response\\active-responses.log"
LOG_FILE = "/var/ossec/logs/active-responses.log"

You could also add more log messages throughout the script to give you more information about what is happening in the script step by step, to identify where the error is.
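As an added example that is not from the thread or the Wazuh project: a version of the poster's script that reads the execd JSON shown in the agent log above from stdin (the `wpopenv()` line shows the executable is invoked with no arguments, so `sys.argv[1]` is never populated) and takes the target path from `parameters.extra_args`. It assumes Wazuh's stdin delivery convention for active response scripts; the `remove`/`exists` parameters of `delete_target` are hypothetical hooks added so the logic can be exercised without touching the filesystem.

```python
import datetime
import json
import os
import sys

# Same log locations as the original script.
LOG_FILE = (r"C:\Program Files (x86)\ossec-agent\active-response\active-responses.log"
            if os.name == "nt" else "/var/ossec/logs/active-responses.log")

def write_debug_file(msg: str) -> None:
    """Append a timestamped line to the agent's active-responses log."""
    with open(LOG_FILE, mode="a") as log_file:
        log_file.write(datetime.datetime.now().strftime("%Y/%m/%d %H:%M:%S") + ": " + msg + "\n")

def parse_ar_message(raw: str) -> tuple:
    """Parse the execd JSON message; return (command, extra_args) or raise ValueError."""
    msg = json.loads(raw)  # json.JSONDecodeError is a ValueError
    if not isinstance(msg, dict) or msg.get("version") != 1:
        raise ValueError("unsupported message version")
    params = msg.get("parameters") or {}
    return msg.get("command"), [str(a) for a in params.get("extra_args", [])]

def delete_target(path: str, remove=os.remove, exists=os.path.exists) -> str:
    """Remove one file and return a status line (remove/exists are hypothetical test hooks)."""
    try:
        if exists(path):
            remove(path)
            return f"Successfully removed file: {path}"
        return f"File does not exist: {path}"
    except OSError as error:
        return f"Error removing file: {path} - {error}"

def main() -> int:
    # execd delivers the JSON on stdin; argv carries nothing (see the wpopenv line).
    raw = sys.stdin.readline()
    try:
        command, extra_args = parse_ar_message(raw)
    except ValueError as error:
        write_debug_file(f"Rejected message: {error}")
        return 1
    if command != "add" or len(extra_args) != 1:
        write_debug_file(f"Ignoring command {command!r} with extra_args {extra_args!r}")
        return 1
    result = delete_target(extra_args[0])
    write_debug_file(result)
    return 0 if result.startswith("Successfully") else 1

if __name__ == "__main__":
    sys.exit(main())
```

Because the result is written to active-responses.log whether the removal succeeded, was skipped or failed, that file is the first place to check after triggering the response through the API.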
