Re: [ossec-list] Re: Active response not working for rule_id 554 with "filename" as expect

2022-03-04 Thread Manuel Camona Perez
Hi again and sorry for the late response,

In the last comment I posted, I showed you an example where I used manager 
and agent with Wazuh version 4.1.5. 

In order to replicate your issue, I need to know the Wazuh versions you are 
using in the implicated manager and agents.

I have also seen something new with the last comment you posted:

  Logs received at /var/ossec/logs/active-responses.log
  Friday 04 March 2022 12:38:56 PM IST /var/ossec/active-response/bin/syscheck-all.sh add - - 1646377736.334633505 554 (assetname) 192.168.71.33->syscheck (null)
  Friday 04 March 2022 12:46:26 PM IST /var/ossec/active-response/bin/virustotal_lookup.sh add - - 1646378186.340709781 550 (assetname) 192.168.71.33->syscheck (null)

You are using a different active response script for the rule with ID 550: 
*virustotal_lookup.sh*. Have you checked your *command* and 
*active-response* configurations are OK? As far as I can see, a different 
active response is being triggered for rule 550.

Also, as I told you in the last comment, have a look at the *ossec.log* file 
with *execd* in debug mode. In order to enable debug mode, add the 
following line to */var/ossec/etc/local_internal_options.conf*:

*execd.debug=2*


On Friday, March 4, 2022 at 11:06:00 AM UTC+1 AKSHA GANDHI wrote:

> Hi, 
> Thank you for your detailed explanation.
> I would like to discuss my scenario in detail so we could have a good 
> understanding on our issue.
>
> *Case 1*: I will be creating a new file (march4.txt) generating rule ID 554 
> and also editing an existing file (march.txt) generating rule ID 551.
> This is the configuration kept by us at server ossec.conf
> 
>   test
>
>   syscheck-all.sh
>
> *  FILENAME*
>
> Logs received at archive.log
>  2022 Mar 04 12:29:26 (assetname) 192.168.71.33->syscheck New file 
> '/etc/march4.txt' added to the file system.
>  2022 Mar 04 12:31:48 (assetname) 192.168.71.33->syscheck Integrity 
> checksum changed for: '/etc/march.txt'
> Logs received at  /var/ossec/logs/active-responses.log
>   Friday 04 March 2022 12:31:48 PM IST 
> /var/ossec/active-response/bin/syscheck-all.sh add - - 1646377308.329125727 
> 551 (assetname) 192.168.71.33->syscheck /etc/march.txt
>
> *Summary*: Active Response did not get triggered for RULE ID 554 in this 
> scenario. I am receiving the *FILENAME* at (*$8*) for rule ID 551.
>
> *Case 2: Without FILENAME in the  parameter*
>  I will be creating a new file (march4new.txt) generating rule ID 554 and 
> also editing an existing file (march4new.txt) generating rule ID 551.
> This is the configuration kept by us at server ossec.conf
> 
>   test
>   syscheck-all.sh
>
> *  *
>
> Logs received at archive.log
>   2022 Mar 04 12:38:56 (assetname) 192.168.71.33->syscheck New file 
> '/etc/march4new.txt' added to the file system.
>   2022 Mar 04 12:46:26 (assetname) 192.168.71.33->syscheck Integrity 
> checksum changed for: '/etc/march4new.txt'
>
> Logs received at  /var/ossec/logs/active-responses.log
>   Friday 04 March 2022 12:38:56 PM IST 
> /var/ossec/active-response/bin/syscheck-all.sh add - - 1646377736.334633505 
> 554 (assetname) 192.168.71.33->syscheck (*null*)
>  Friday 04 March 2022 12:46:26 PM IST 
> /var/ossec/active-response/bin/virustotal_lookup.sh add - - 
> 1646378186.340709781 550 (assetname) 192.168.71.33->syscheck (*null*)
>
> *Summary*: Active response was triggered for both rules, but a (*null*) 
> value was received at the position of the filename.
>
> Please help us understand why active response is not getting triggered 
> with *rule 554 and filename*.
>
> Thanks in advance.
>
> On Thu, Mar 3, 2022 at 11:22 PM Manuel Camona Perez  
> wrote:
>
>> Hi again,
>>
>> Which Wazuh version are you using? I suppose that you are using *4.1* or 
>> a previous version as from *4.2*, active response custom scripts work 
>> differently.
>>
>> I have been testing your active response configuration and scripts are 
>> being executed properly, as you said.
>>
>> As you can see in the following logs, your script is logging the call to 
>> */var/ossec/logs/active-responses.log* for both rule with ID 550 and 
>> rule with ID 554:
>>
>>
>> *Thu Mar  3 15:45:32 UTC 2022 /var/ossec/active-response/bin/syscheck-all.sh add - - 1646322332.560567 550 syscheck /test/b -*
>> *Thu Mar  3 15:45:34 UTC 2022 /var/ossec/active-response/bin/syscheck-all.sh add - - 1646322334.560819 554 syscheck /test/c -*
>>
>>
>> This is the output of doing 
>>
>>
>> *printf "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8\n" >> ${PWD}/../logs/active-responses.log*
>> in *syscheck-all.sh* (line 37)
>>
>> We can see that each script argument refers to a component. These 
>> arguments are the following (in this order) (ref: 
>> https://documentation.wazuh.com/4.1/user-manual/capabilities/active-response/remediation-faq.html#can-i-use-a-custom-script-for-active-responses
>> ):

Re: [ossec-list] Re: Active response not working for rule_id 554 with "filename" as expect

2022-03-04 Thread 'Aksha Gandhi | Information Security' via ossec-list
Hi,
Thank you for your detailed explanation.
I would like to discuss my scenario in detail so we could have a good
understanding on our issue.

*Case 1*: I will be creating a new file (march4.txt) generating rule ID 554
and also editing an existing file (march.txt) generating rule ID 551.
This is the configuration kept by us at server ossec.conf

  test
  syscheck-all.sh

*  FILENAME*

Logs received at archive.log
 2022 Mar 04 12:29:26 (assetname) 192.168.71.33->syscheck New file
'/etc/march4.txt' added to the file system.
 2022 Mar 04 12:31:48 (assetname) 192.168.71.33->syscheck Integrity
checksum changed for: '/etc/march.txt'
Logs received at  /var/ossec/logs/active-responses.log
  Friday 04 March 2022 12:31:48 PM IST
/var/ossec/active-response/bin/syscheck-all.sh add - - 1646377308.329125727
551 (assetname) 192.168.71.33->syscheck /etc/march.txt

*Summary*: Active Response did not get triggered for RULE ID 554 in this
scenario. I am receiving the *FILENAME* at (*$8*) for rule ID 551.

*Case 2: Without FILENAME in the  parameter*
 I will be creating a new file (march4new.txt) generating rule ID 554 and
also editing an existing file (march4new.txt) generating rule ID 551.
This is the configuration kept by us at server ossec.conf

  test
  syscheck-all.sh

*  *

Logs received at archive.log
  2022 Mar 04 12:38:56 (assetname) 192.168.71.33->syscheck New file
'/etc/march4new.txt' added to the file system.
  2022 Mar 04 12:46:26 (assetname) 192.168.71.33->syscheck Integrity
checksum changed for: '/etc/march4new.txt'

Logs received at  /var/ossec/logs/active-responses.log
  Friday 04 March 2022 12:38:56 PM IST
/var/ossec/active-response/bin/syscheck-all.sh add - - 1646377736.334633505
554 (assetname) 192.168.71.33->syscheck (*null*)
 Friday 04 March 2022 12:46:26 PM IST
/var/ossec/active-response/bin/virustotal_lookup.sh add - -
1646378186.340709781 550 (assetname) 192.168.71.33->syscheck (*null*)

*Summary*: Active response was triggered for both rules, but a (*null*) value
was received at the position of the filename.

Please help us understand why active response is not getting triggered with *rule 554 and
filename*.

Thanks in advance.

On Thu, Mar 3, 2022 at 11:22 PM Manuel Camona Perez <manuel.carm...@wazuh.com> wrote:

> Hi again,
>
> Which Wazuh version are you using? I suppose that you are using *4.1* or
> a previous version as from *4.2*, active response custom scripts work
> differently.
>
> I have been testing your active response configuration and scripts are
> being executed properly, as you said.
>
> As you can see in the following logs, your script is logging the call to
> */var/ossec/logs/active-responses.log* for both rule with ID 550 and rule
> with ID 554:
>
>
> *Thu Mar  3 15:45:32 UTC 2022 /var/ossec/active-response/bin/syscheck-all.sh add - - 1646322332.560567 550 syscheck /test/b -*
> *Thu Mar  3 15:45:34 UTC 2022 /var/ossec/active-response/bin/syscheck-all.sh add - - 1646322334.560819 554 syscheck /test/c -*
>
>
> This is the output of doing
>
>
> *printf "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8\n" >> ${PWD}/../logs/active-responses.log*
> in *syscheck-all.sh* (line 37)
>
> We can see that each script argument refers to a component. These
> arguments are the following (in this order) (ref:
> https://documentation.wazuh.com/4.1/user-manual/capabilities/active-response/remediation-faq.html#can-i-use-a-custom-script-for-active-responses
> ):
>
>
>
>
> ** is the name of the script file that is going to be run.
>
> ** can be delete or add.
>
> ** is the user name. It can be - if not set.
>
> ** is the source IP. It can be - if not set.
>
> ** is the alert ID (unique for every alert).
>
> ** is the rule ID.
>
> ** is the agent ID or hostname.
>
> ** is the source path file of the log that triggered the alert
> (if it exists).
>
> With this information, we know that
>
> - $0 is the script name: /var/ossec/active-response/bin/syscheck-all.sh
> - $1 is the action: add
> - $2 is the user: -
> - $3 is the IP: -
> - $4 is the alert ID: 1646322332.560567 and 1646322334.560819
> - $5 is the rule ID: 550 and 554
> - $6 is the agent: syscheck
> - $7 is the filename: /test/b and /test/c
>
>
> Note that in this case, we have the *service* (*syscheck*) instead of
> *agent* because we are using *syscheck* rules.
>
>
> Summarizing, I am receiving the *FILENAME* for both rules (*$7*).
>
>
> What is being logged in your agents'
> */var/ossec/logs/active-responses.log* file? Having a look at that output
> will help you know which argument is the *filename*. In your script,
> *filename* is expected to be *$8*. You can confirm whether *filename* is
> at *$8* or not by having a look at the log file, as I said.
>
> I hope this helps, please if you have more problems, send the
> */var/ossec/logs/active-responses.log* output. Also, have a look at the
> *ossec.log* file with *execd* in 

Re: [ossec-list] Re: Active response not working for rule_id 554 with "filename" as expect

2022-03-03 Thread Manuel Camona Perez
Hi again,

Which Wazuh version are you using? I suppose that you are using *4.1* or a 
previous version as from *4.2*, active response custom scripts work 
differently.

I have been testing your active response configuration and scripts are 
being executed properly, as you said.

As you can see in the following logs, your script is logging the call to 
*/var/ossec/logs/active-responses.log* for both rule with ID 550 and rule 
with ID 554:


*Thu Mar  3 15:45:32 UTC 2022 /var/ossec/active-response/bin/syscheck-all.sh add - - 1646322332.560567 550 syscheck /test/b -*
*Thu Mar  3 15:45:34 UTC 2022 /var/ossec/active-response/bin/syscheck-all.sh add - - 1646322334.560819 554 syscheck /test/c -*


This is the output of doing 


*printf "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8\n" >> ${PWD}/../logs/active-responses.log*
in *syscheck-all.sh* (line 37)

We can see that each script argument refers to a component. These arguments 
are the following (in this order) (ref: 
https://documentation.wazuh.com/4.1/user-manual/capabilities/active-response/remediation-faq.html#can-i-use-a-custom-script-for-active-responses
):




** is the name of the script file that is going to be run.

** can be delete or add.

** is the user name. It can be - if not set.

** is the source IP. It can be - if not set.

** is the alert ID (unique for every alert).

** is the rule ID.

** is the agent ID or hostname.

** is the source path file of the log that triggered the alert 
(if it exists).

With this information, we know that

- $0 is the script name: /var/ossec/active-response/bin/syscheck-all.sh
- $1 is the action: add
- $2 is the user: -
- $3 is the IP: -
- $4 is the alert ID: 1646322332.560567 and 1646322334.560819
- $5 is the rule ID: 550 and 554
- $6 is the agent: syscheck
- $7 is the filename: /test/b and /test/c


Note that in this case, we have the *service* (*syscheck*) instead of 
*agent* because we are using *syscheck* rules.


Summarizing, I am receiving the *FILENAME* for both rules (*$7*). 


What is being logged in your agents' */var/ossec/logs/active-responses.log* 
file? Having a look at that output will help you know which argument is the 
*filename*. In your script, *filename* is expected to be *$8*. You can 
confirm whether *filename* is at *$8* or not by having a look at the log 
file, as I said.

I hope this helps, please if you have more problems, send the 
*/var/ossec/logs/active-responses.log* output. Also, have a look at the 
*ossec.log* file with *execd* in debug mode (how to enable debug mode is in 
the last comment).

On Thursday, March 3, 2022 at 2:11:39 PM UTC+1 AKSHA GANDHI wrote:

> Hi,
> We are using AlienVault Version: OSSIM 5.7.4
> For scripts we are referring to: https://github.com/jonschipp/nsm-tools/
> The script is getting executed but we are not receiving FILENAME parameter 
> when RULE ID 554 is getting triggered.
>
> Thanks in advance.
>
> On Thu, Mar 3, 2022 at 5:45 PM Manuel Camona Perez  
> wrote:
>
>> Hi Aksha and sorry for the late response,
>>
>> I will try to help you solve this issue. I need some information to test 
>> your use case and see what is happening. 
>>
>> First of all, could you tell me which Wazuh version you are using? Also, 
>> it would be fine if you send the active response script you are trying to 
>> execute.
>>
>> In order to troubleshoot this, I recommend that you enable the debug mode 
>> for the *execd* daemon, which is the one in charge of executing active 
>> response scripts. In order to do it, add the following line to 
>> */var/ossec/etc/local_internal_options.conf*:
>>
>>
>> *execd.debug=2*
>> Waiting for your response!
>>
>> On Wednesday, March 2, 2022 at 7:16:14 AM UTC+1 AKSHA GANDHI wrote:
>>
>>> Hi Ossec Team, 
>>>
>>> Can anyone please review this and help.
>>>
>>> Thanks in Advance.
>>> Aksha 
>>> On Friday, February 25, 2022 at 7:17:18 PM UTC+5:30 AKSHA GANDHI wrote:
>>>
 Hi,
 1. Active response is getting triggered for both Rule ID 550,554 if the parameter is kept blank.
 2. If the parameter is given the value FILENAME then active response is not getting triggered for RULE ID 554 but is getting triggered for RULE ID 550.
 3. Not receiving any error logs.
 4. Kindly find the details of the ossec.conf file for which active response is not getting triggered for RULE ID 554.

  ossec.conf -
  Test syscheck-all.sh 
 FILENAME   
 no Test 
 defined-agent 78 
 554,550 

 --- ossec.conf ---
 Please help troubleshoot the issue.

 Thanks & Regards
 Aksha

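The argument layout described in this thread (action, user, source IP, alert ID, rule ID, then agent and filename) differs between the two sets of logs quoted above: on Manuel's manager the path arrives at `$7` (agent field `syscheck`), while on Aksha's agent alert it arrives at `$8` (agent field `(assetname) 192.168.71.33->syscheck`) or as `(null)`. The following is an added example in POSIX sh, not the thread's `syscheck-all.sh` and not code from the nsm-tools repository; it logs every argument with its index, so the log itself shows where the filename is, and then scans the arguments after the rule ID for the first absolute path rather than hard-coding `$7` or `$8`. It assumes Linux-style paths; the `AR_LOG` variable and the constructed sample invocations in the comments are placeholders for offline testing.

```shell
#!/bin/sh
# Added example (not the thread's syscheck-all.sh): log each positional
# argument with its index, then locate the filename without assuming a
# fixed position. Argument layout per the Wazuh 4.1 FAQ cited in the thread:
#   $1 action  $2 user  $3 src ip  $4 alert id  $5 rule id  $6.. agent, filename
#
# Constructed sample invocations, mirroring the two log lines in the thread:
#   syscheck-all.sh add - - 1646322334.560819 554 syscheck /test/c -
#   syscheck-all.sh add - - 1646377308.329125727 551 (assetname) 192.168.71.33->syscheck /etc/march.txt

# Assumption: log path is overridable so the script can be tested offline.
AR_LOG="${AR_LOG:-/tmp/active-responses.log}"

# Print one "$N=value" line per argument so the log shows what sits where.
dump_args() {
    i=1
    for a in "$@"; do
        printf '$%d=%s\n' "$i" "$a"
        i=$((i + 1))
    done
}

# Echo the filename carried by the alert; return 1 when there is none.
# Everything after the rule ID ($5) may be agent fields, "-" or "(null)",
# so the first absolute path is taken as the filename (Linux paths only).
ar_filename() {
    [ $# -ge 6 ] || return 1
    shift 5                      # drop action, user, ip, alert id, rule id
    for a in "$@"; do
        case "$a" in
            /*) printf '%s\n' "$a"; return 0 ;;
        esac
    done
    return 1
}

# Append the invocation, one argument per line, to the active-response log.
log_invocation() {
    { printf '%s %s\n' "$(date)" "$0"; dump_args "$@"; } >> "$AR_LOG"
}

main() {
    log_invocation "$@"
    if f=$(ar_filename "$@"); then
        printf 'rule %s: file %s\n' "$5" "$f"
    else
        printf 'rule %s: no filename in alert\n' "$5" >&2
        exit 1
    fi
}

# Run main only when installed under the script name execd invokes,
# so the functions can also be sourced for testing.
case "$0" in
    *syscheck-all.sh) main "$@" ;;
esac
```

Reading the resulting `active-responses.log` after triggering rules 550, 551 and 554 once each shows directly whether the path is at `$7` or `$8` for the version in use, which is the check Manuel asks for; the scan in `ar_filename` then makes the script work for either layout and fails cleanly when the alert carries no path.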

Re: [ossec-list] Re: Active response not working for rule_id 554 with "filename" as expect

2022-03-03 Thread 'Aksha Gandhi | Information Security' via ossec-list
Hi,
We are using AlienVault Version: OSSIM 5.7.4
For scripts we are referring to: https://github.com/jonschipp/nsm-tools/
The script is getting executed but we are not receiving FILENAME parameter
when RULE ID 554 is getting triggered.

Thanks in advance.

On Thu, Mar 3, 2022 at 5:45 PM Manuel Camona Perez 
wrote:

> Hi Aksha and sorry for the late response,
>
> I will try to help you solve this issue. I need some information to test
> your use case and see what is happening.
>
> First of all, could you tell me which Wazuh version you are using? Also,
> it would be fine if you send the active response script you are trying to
> execute.
>
> In order to troubleshoot this, I recommend that you enable the debug mode
> for the *execd* daemon, which is the one in charge of executing active
> response scripts. In order to do it, add the following line to
> */var/ossec/etc/local_internal_options.conf*:
>
>
> *execd.debug=2*
> Waiting for your response!
>
> On Wednesday, March 2, 2022 at 7:16:14 AM UTC+1 AKSHA GANDHI wrote:
>
>> Hi Ossec Team,
>>
>> Can anyone please review this and help.
>>
>> Thanks in Advance.
>> Aksha
>> On Friday, February 25, 2022 at 7:17:18 PM UTC+5:30 AKSHA GANDHI wrote:
>>
>>> Hi,
>>> 1. Active response is getting triggered for both Rule ID 550,554 if the parameter is kept blank.
>>> 2. If the parameter is given the value FILENAME then active response is not getting triggered for RULE ID 554 but is getting triggered for RULE ID 550.
>>> 3. Not receiving any error logs.
>>> 4. Kindly find the details of the ossec.conf file for which active response is not getting triggered for RULE ID 554.
>>>
>>>  ossec.conf -
>>>  Test syscheck-all.sh
>>> FILENAME  
>>> no Test
>>> defined-agent 78
>>> 554,550 
>>>
>>> --- ossec.conf ---
>>> Please help troubleshoot the issue.
>>>
>>> Thanks & Regards
>>> Aksha
>>>


-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/CADrFDiPVGvF8sNGQb3v7CMvATbJqosUX4ctvYXbM8vjk2qGdTA%40mail.gmail.com.