Hi again and sorry for the late response,

In the last comment I posted, I showed you an example where I used manager 
and agent with Wazuh version 4.1.5. 

In order to replicate your issue, I need to know the Wazuh versions you are 
using in the implicated manager and agents.

I have also seen something new with the last comment you posted:



Logs received at /var/ossec/logs/active-responses.log

    Friday 04 March 2022 12:38:56 PM IST /var/ossec/active-response/bin/syscheck-all.sh add - - 1646377736.334633505 554 (assetname) 192.168.71.33->syscheck (null)
    Friday 04 March 2022 12:46:26 PM IST /var/ossec/active-response/bin/virustotal_lookup.sh add - - 1646378186.340709781 550 (assetname) 192.168.71.33->syscheck (null)

You are using a different active response script for the rule with ID 550: 
*virustotal_lookup.sh*. Have you checked your *command* and 
*active-response* configurations are OK? As far as I can see, a different 
active response is being triggered for rule 550.

Also, as I told you in the last comment, have a look at the *ossec.log* 
file with *execd* in debug mode. In order to enable debug mode, add the 
following line to */var/ossec/etc/local_internal_options.conf*:

*execd.debug=2*


On Friday, March 4, 2022 at 11:06:00 AM UTC+1 AKSHA GANDHI wrote:

> Hi, 
> Thank you for your detailed explanation.
> I would like to discuss my scenario in detail so we could have a good 
> understanding on our issue.
>
> *Case1*: I will be creating a new file (march4.txt), generating rule ID 554, 
> and also editing an existing file (march.txt), generating rule ID 551.
> This is the configuration kept by us at the server's ossec.conf:
>
>     <command>
>       <name>test</name>
>       <executable>syscheck-all.sh</executable>
>       <expect>FILENAME</expect>
>     </command>
>
> Logs received at archive.log
>      2022 Mar 04 12:29:26 (assetname) 192.168.71.33->syscheck New file 
> '/etc/march4.txt' added to the file system.
>      2022 Mar 04 12:31:48 (assetname) 192.168.71.33->syscheck Integrity 
> checksum changed for: '/etc/march.txt'
> Logs received at  /var/ossec/logs/active-responses.log
>       Friday 04 March 2022 12:31:48 PM IST 
> /var/ossec/active-response/bin/syscheck-all.sh add - - 1646377308.329125727 
> 551 (assetname) 192.168.71.33->syscheck /etc/march.txt
>
> *Summary*: Active Response did not get triggered for RULE ID 554 in this 
> scenario. I am receiving the *FILENAME* at (*$8*) for rule ID 551.
>
> *Case 2: Without FILENAME in the <expect> parameter*
> I will be creating a new file (march4new.txt), generating rule ID 554, and 
> also editing an existing file (march4new.txt), generating rule ID 551.
> This is the configuration kept by us at the server's ossec.conf:
>
>     <command>
>       <name>test</name>
>       <executable>syscheck-all.sh</executable>
>       <expect></expect>
>     </command>
>
> Logs received at archive.log
>       2022 Mar 04 12:38:56 (assetname) 192.168.71.33->syscheck New file 
> '/etc/march4new.txt' added to the file system.
>       2022 Mar 04 12:46:26 (assetname) 192.168.71.33->syscheck Integrity 
> checksum changed for: '/etc/march4new.txt'
>
> Logs received at  /var/ossec/logs/active-responses.log
>       Friday 04 March 2022 12:38:56 PM IST 
> /var/ossec/active-response/bin/syscheck-all.sh add - - 1646377736.334633505 
> 554 (assetname) 192.168.71.33->syscheck (*null*)
>      Friday 04 March 2022 12:46:26 PM IST 
> /var/ossec/active-response/bin/virustotal_lookup.sh add - - 
> 1646378186.340709781 550 (assetname) 192.168.71.33->syscheck (*null*)
>
> *Summary*: Active response was triggered for both rules, but a (*null*) 
> value was received at the position of the filename.
>
> Please help why active response is not getting triggered with *rule 554 
> and <expect>filename</expect>*.
>
> Thanks in advance.
>
> On Thu, Mar 3, 2022 at 11:22 PM Manuel Camona Perez <manuel....@wazuh.com> 
> wrote:
>
>> Hi again,
>>
>> Which Wazuh version are you using? I suppose that you are using *4.1* or 
>> a previous version as from *4.2*, active response custom scripts work 
>> differently.
>>
>> I have been testing your active response configuration and scripts are 
>> being executed properly, as you said.
>>
>> As you can see in the following logs, your script is logging the call to 
>> */var/ossec/logs/active-responses.log* for both rule with ID 550 and 
>> rule with ID 554:
>>
>>
>>     Thu Mar  3 15:45:32 UTC 2022 /var/ossec/active-response/bin/syscheck-all.sh add - - 1646322332.560567 550 syscheck /test/b -
>>     Thu Mar  3 15:45:34 UTC 2022 /var/ossec/active-response/bin/syscheck-all.sh add - - 1646322334.560819 554 syscheck /test/c -
>>
>>
>> This is the output of doing
>>
>>     printf "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8\n" >> ${PWD}/../logs/active-responses.log
>>
>> in *syscheck-all.sh* (line 37, 
>> <https://github.com/jonschipp/nsm-tools/blob/bc465038bfeb215ca54b67bb4170d607327d0436/syscheck-all.sh#L37>).
>>
>> We can see that each script argument refers to a component. These 
>> arguments are the following (in this order) (ref: 
>> https://documentation.wazuh.com/4.1/user-manual/capabilities/active-response/remediation-faq.html#can-i-use-a-custom-script-for-active-responses
>> ):
>>
>>
>>
>> *<SCRIPT-NAME> <ACTION> <USER> <IP> <ALERT-ID> <RULE-ID> <AGENT> 
>> <FILENAME>*
>>
>> *<SCRIPT-NAME>* is the name of the script file that is going to be run.
>>
>> *<ACTION>* can be delete or add.
>>
>> *<USER>* is the user name. It can be - if not set.
>>
>> *<IP>* is the source IP. It can be - if not set.
>>
>> *<ALERT-ID>* is the alert ID (unique for every alert).
>>
>> *<RULE-ID>* is the rule ID.
>>
>> *<AGENT>* is the agent ID or hostname.
>>
>> *<FILENAME>* is the source path file of the log that triggered the alert 
>> (if it exists).
>>
>> With this information, we know that
>>
>> - $0 is the script name: /var/ossec/active-response/bin/syscheck-all.sh
>> - $1 is the action: add
>> - $2 is the user: -
>> - $3 is the IP: -
>> - $4 is the alert ID: 1646322332.560567 and 1646322334.560819
>> - $5 is the rule ID: 550 and 554
>> - $6 is the agent: syscheck
>> - $7 is the filename: /test/b and /test/c
>>
>>
>> Note that in this case, we have the *service* (*syscheck*) instead of 
>> *agent* because we are using *syscheck* rules.
>>
>>
>> Summarizing, I am receiving the *FILENAME* for both rules (*$7*). 
>>
>>
>> What is being logged in your agents' 
>> */var/ossec/logs/active-responses.log* file? Having a look at that 
>> output will help you know which argument is the *filename*. In your 
>> script, *filename* is expected to be *$8*. You can confirm whether 
>> *filename* is at *$8* or not by having a look at the log file, as I said.
>>
>> I hope this helps, please if you have more problems, send the 
>> */var/ossec/logs/active-responses.log* output. Also, have a look at the 
>> *ossec.log* file with *execd* in debug mode (how to enable debug mode is 
>> in the last comment).
>>
>> On Thursday, March 3, 2022 at 2:11:39 PM UTC+1 AKSHA GANDHI wrote:
>>
>>> Hi,
>>> We are using AlienVault Version: OSSIM 5.7.4
>>> For scripts we are referring to : 
>>> https://github.com/jonschipp/nsm-tools/
>>> The script is getting executed but we are not receiving FILENAME 
>>> parameter when RULE ID 554 is getting triggered.
>>>
>>> Thanks in advance.
>>>
>>> On Thu, Mar 3, 2022 at 5:45 PM Manuel Camona Perez <manuel....@wazuh.com> 
>>> wrote:
>>>
>>>> Hi Aksha and sorry for the late response,
>>>>
>>>> I will try to help you solve this issue. I need some information to 
>>>> test your use case and see what is happening. 
>>>>
>>>> First of all, could you tell me which Wazuh version you are using? 
>>>> Also, it would be fine if you send the active response script you are 
>>>> trying to execute.
>>>>
>>>> In order to troubleshoot this, I recommend that you enable the debug 
>>>> mode for the *execd* daemon, which is the one in charge of executing 
>>>> active response scripts. In order to do it, add the following line to 
>>>> */var/ossec/etc/local_internal_options.conf*:
>>>>
>>>>
>>>> *execd.debug=2*
>>>>
>>>> Waiting for your response!
>>>>
>>>> On Wednesday, March 2, 2022 at 7:16:14 AM UTC+1 AKSHA GANDHI wrote:
>>>>
>>>>> Hi Ossec Team, 
>>>>>
>>>>> Can anyone please review this and help.
>>>>>
>>>>> Thanks in Advance.
>>>>> Aksha 
>>>>> On Friday, February 25, 2022 at 7:17:18 PM UTC+5:30 AKSHA GANDHI wrote:
>>>>>
>>>>>> Hi,
>>>>>> 1. Active response is getting triggered for both Rule ID 550 and 554 if 
>>>>>> the <expect> parameter is kept blank.
>>>>>> 2. If the <expect> parameter is given the value FILENAME, then active 
>>>>>> response is not getting triggered for RULE ID 554 but is getting 
>>>>>> triggered for RULE ID 550.
>>>>>> 3. Not receiving any error logs.
>>>>>> 4. Kindly find the details of the ossec.conf file for which active 
>>>>>> response is not getting triggered for RULE ID 554.
>>>>>>
>>>>>> ---- ossec.conf -----
>>>>>> <command>
>>>>>>   <name>Test</name>
>>>>>>   <executable>syscheck-all.sh</executable>
>>>>>>   <expect>FILENAME</expect>
>>>>>> </command>
>>>>>> <active-response>
>>>>>>   <disabled>no</disabled>
>>>>>>   <command>Test</command>
>>>>>>   <location>defined-agent</location>
>>>>>>   <agent_id>78</agent_id>
>>>>>>   <rules_id>554,550</rules_id>
>>>>>> </active-response>
>>>>>> --- ossec.conf ---
>>>>>> Please help troubleshoot the issue.
>>>>>>
>>>>>> Thanks & Regards
>>>>>> Aksha
>>>>>>
>>>>
>>>
>>>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/45009299-cbf6-4d25-8470-081e60d07c39n%40googlegroups.com.

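The positional calling convention Manuel lays out in the thread (script, action, user, IP, alert ID, rule ID, agent or service, filename, as passed by execd before 4.2), worked through as an added example. This is not the nsm-tools syscheck-all.sh, not anything from the thread participants, and not Wazuh's own code; the log path, the field labels, the sha256 step and the path check are this example's own choices. It treats the filename as the untrusted, alert-derived value it is: execd hands it to a script that typically runs with the daemon's own privileges, so it is quoted everywhere, rejected unless absolute and free of "..", and the "-" and "(null)" placeholders seen in the thread's logs are mapped to "no filename" instead of being passed on to a command.

```shell
#!/bin/sh
# Added example, not the nsm-tools script and not Wazuh's own code.
# Minimal active-response script for the pre-4.2 calling convention
# described in the thread:
#   $0 script  $1 action  $2 user  $3 src-ip  $4 alert-id
#   $5 rule-id  $6 agent-or-service (e.g. "syscheck")  $7 filename
# Assumed: the AR_LOG path, the field labels, the sha256 step and the
# path validation are this example's own choices.

AR_LOG="${AR_LOG:-/var/ossec/logs/active-responses.log}"

# execd passes "-" (and, as in the thread's logs, "(null)") for unset
# fields; map both to the empty string so callers test one condition.
ar_field() {
    case "$1" in
        ''|-|'(null)') printf '' ;;
        *) printf '%s' "$1" ;;
    esac
}

# Accept the filename only when set, absolute and free of "..": the
# value comes straight from the alert, so it is untrusted input.
ar_filename() {
    f=$(ar_field "$1")
    case "$f" in
        */../*|*/..) printf '' ;;
        /*) printf '%s' "$f" ;;
        *) printf '' ;;
    esac
}

# One labelled log line built from the positional arguments, so the log
# shows which argument carried the filename instead of a raw dump.
ar_log_line() {
    printf 'action=%s user=%s srcip=%s alert=%s rule=%s agent=%s file=%s' \
        "$1" "$(ar_field "$2")" "$(ar_field "$3")" "$4" "$5" "$6" \
        "$(ar_filename "$7")"
}

# The remediation itself. Returns a short status string: on "add" with a
# usable, readable file it records the file's sha256 (the 550/554-style
# syscheck case), otherwise it says why nothing was done.
ar_act() {
    action=$1; rule=$2; file=$(ar_filename "$3")
    if [ "$action" != add ]; then
        printf 'skipped: action %s' "$action"
    elif [ -z "$file" ]; then
        printf 'skipped: rule %s delivered no usable filename' "$rule"
    elif [ ! -r "$file" ]; then
        printf 'skipped: %s not readable' "$file"
    else
        printf 'sha256=%s' "$(sha256sum -- "$file" | cut -d' ' -f1)"
    fi
}

# Entry point when execd invokes the script with its seven arguments;
# with fewer arguments (e.g. when sourced for testing) it does nothing.
if [ "$#" -ge 7 ]; then
    {
        printf '%s %s ' "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$0"
        ar_log_line "$@"
        printf ' result="%s"\n' "$(ar_act "$1" "$5" "$7")"
    } >>"$AR_LOG"
fi
```

With this layout a rule 554 alert that arrives with "(null)" in the filename slot, as in the thread's second case, produces a log line ending in `file= result="skipped: rule 554 delivered no usable filename"` rather than a command run against a literal "(null)" path, which is the check worth having before wiring any real remediation (a VirusTotal lookup, a quarantine move) to the argument. The 4.2+ convention differs, as the thread notes, so this covers only the positional form.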