Hi, I enabled execd.debug = 2. In ossec logs *Read 0 lines from active-response\active-response.log, *these logs are seen several times. Also I checked */var/ossec/logs/alerts/alerts.log *file, basic logs for windows are getting generated but logs for wrong password events are not generated.
On Mon, May 23, 2022 at 1:01 PM Manuel Camona Perez < manuel.carm...@wazuh.com> wrote: > Hi again, could you have a look at the events generated when you are > reproducing the use case? Note that if the appropriate events (wrong > password attempts) are not being generated, no AR script will be executed. > These events can be found at */var/ossec/logs/alerts/alerts.log*. > > In order to troubleshoot, you could also enable debug mode for the execd > daemon of your Wazuh agent. To do this, add the following line: > > > *execd.debug=2* > > to the agent's *local_internal_options.conf* file. > > Also, have a look at > https://documentation.wazuh.com/3.13/learning-wazuh/shellshock.html#ar-scenario-3-make-windows-null-route-the-attacker, > this documentation page will help you troubleshoot the possible errors as > it explains a very similar use case. > > > > On Sunday, May 22, 2022 at 9:21:37 AM UTC+2 annie...@gmail.com wrote: > >> Hi Manuel, >> In my use case , Centos is the manager. I have only one wazuh agent i.e >> my windows machine, it is my victim. I have another Windows machine as the >> attacker. I am trying to RDP the machine with wrong password attempts. So >> in that case AR should get generated along with scrip field , but it is >> not. Also I tried using <location>local</location> but no success. >> >> >> >> On Tue, May 10, 2022 at 1:00 PM Manuel Camona Perez <manuel....@wazuh.com> >> wrote: >> >>> Hi Annie, >>> >>> As I can see in the command configuration, you used the *expect* option >>> with *srcip*. This means that the alert generated that triggered active >>> response must have a *srcip* field as the *srcip* value will be used in >>> the script. >>> >>> In the active response configuration, you used the *level* option with >>> value *5*. This means that all the alerts with level equal or higher >>> than 5 will trigger the active response script. >>> >>> Taking these 2 statements into account, the following could be >>> happening: an event with level>=5 but without srcip field is being >>> generated, and therefore, the active response script is not being executed. >>> Could you check this? >>> >>> Also, note that you are using *all* in the *location* option. This >>> means that the active response script will be executed for all agents when >>> AR is triggered. The *all* option should be used with caution because >>> maybe this is not the use case you are looking for. If you use *local*, >>> the AR script is executed on the agent that generated the event. If you use >>> *server*, the AR script is run on the manager the agent is reporting >>> to. You can find more information about this option here >>> <https://documentation.wazuh.com/3.13/user-manual/reference/ossec-conf/active-response.html#location> >>> . >>> >>> On Sunday, May 1, 2022 at 2:20:01 PM UTC+2 annie...@gmail.com wrote: >>> >>>> Hi all, >>>> This is my active response configuration on centos server: >>>> >>>> <command> >>>> <name>win_nullroute</name> >>>> <executable>route-null.cmd</executable> >>>> <expect>srcip</expect> >>>> <timeout_allowed>yes</timeout_allowed> >>>> </command> >>>> >>>> <active-response> >>>> <disabled>no</disabled> >>>> <command>win_nullroute</command> >>>> <location>all</location> >>>> <level>5</level> >>>> <timeout>60</timeout> >>>> </active-response> >>>> >>>> I have enabled AR on windows agent, but it is not executed when an >>>> event of level>=5 is fired. >>>> I am using wazuh 3.13 version, windows 10 >>>> >>> -- >>> >>> --- >>> You received this message because you are subscribed to the Google >>> Groups "ossec-list" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to ossec-list+...@googlegroups.com. >>> To view this discussion on the web visit >>> https://groups.google.com/d/msgid/ossec-list/4833a5ab-2fce-49e3-9f00-0b2d2755d937n%40googlegroups.com >>> <https://groups.google.com/d/msgid/ossec-list/4833a5ab-2fce-49e3-9f00-0b2d2755d937n%40googlegroups.com?utm_medium=email&utm_source=footer> >>> . >>> >> -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/ossec-list/37ce5346-5191-40d9-813c-ffe25bd03f49n%40googlegroups.com > <https://groups.google.com/d/msgid/ossec-list/37ce5346-5191-40d9-813c-ffe25bd03f49n%40googlegroups.com?utm_medium=email&utm_source=footer> > . > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/CAD4jYXLq52cuZeX8W3bQWT6gZau6j%2Bbhe4MTZ6gJ7YmRrTNm_A%40mail.gmail.com.