
Active Response does not want to work

Posted: Sat Jan 16, 2021 6:38 am
by karamanid
Hello everybody,

I have a little problem with my OSSEC. I am currently creating a personal project to detect the PHP files in the /var/www/html folder that were created, but the active-response system does not want to detect this. My decoder looks like this.


Fri 15 Jan 2021 08:13:09 PM INFO: /var/www/html/[aasfgdgd.php g.php test.php ]
And I embed the regex in the decoder.xml file.


<decoder name="php-check-log">
  <prematch>^\S+ \S+ \S+ \S+ \S+ \S+ \S+: \S+</prematch>
  <regex offset="after_prematch">^(.+\.php)</regex>
</decoder>
Now with my rule.


<rule id="100002" level="5">
   <!-- decoded_as ties the rule to the decoder above; it is an addition, not part of the post as quoted -->
   <decoded_as>php-check-log</decoded_as>
   <description>New php file added</description>
</rule>
And finally with my ossec.conf file so that my file is activated and immediately puts the log in the test.log file.

And finally my file which is stored in /var/ossec/active-response/bin/.


#!/bin/sh
# Act only when at least one .php file exists directly under the web root (dot escaped so a name like "aphp" does not match).
command=$(ls /var/www/html | grep '\.php')
if [ $? -eq 0 ]; then
        echo "Fri 15 Jan 2021 08:13:09 PM INFO: /var/www/html/[$(ls /var/www/html|grep \.php|tr -d '\n'|sed -e 's/\.php/\.php /g')]" >> /var/www/html/test.log
        echo "Nothing"
fi
Anyone have any idea why it does not put the log in the test.log file? (I tried running it manually and it worked fine when I looked at the alerts.log file, but I don't want to do it manually; I want active-response to do it.)


Re: Active Response does not want to work

Posted: Wed Jan 20, 2021 6:51 pm
by mikeshinn
Assuming your script works fine from the command line as root, is there anything OS-wise preventing ossec-execd from writing to that file? For example, is SELinux blocking ossec-execd from writing to that directory or file?
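The following is an added example, not code from either post or from the OSSEC project. It serves both the script in the first post and the writability question in the reply: it inventories `.php` files under a web root and appends one line in the same `INFO: /dir/[a.php b.php ]` format the decoder expects, but first checks whether the log can be written and reports the SELinux mode, and it keeps the log outside the web root (a file such as `/var/www/html/test.log` is readable over HTTP). The `WEB_ROOT` and `LOG_FILE` defaults, the `PHP_CHECK_RUN` guard and the function names are assumptions; the `add`/`delete` first argument is the shape in which ossec-execd invokes active-response scripts.

```shell
#!/bin/sh
# Added example, not from the thread or the OSSEC project. Paths come from
# environment variables so the functions can be run against a scratch
# directory; the defaults below are assumptions.
WEB_ROOT="${WEB_ROOT:-/var/www/html}"
# Anything written under the web root is served over HTTP, so keep the
# inventory under /var/ossec instead (assumed location).
LOG_FILE="${LOG_FILE:-/var/ossec/logs/php-check.log}"

# Print the names of regular files ending in .php directly under $1, one per
# line. A glob replaces `ls | grep .php`, whose unescaped dot also matches a
# name such as "aphp" and whose output breaks on spaces.
list_php_files() {
    dir="$1"
    for f in "$dir"/*.php; do
        if [ -f "$f" ]; then
            printf '%s\n' "${f##*/}"
        fi
    done
    return 0
}

# Build the line the decoder in the thread expects:
#   <weekday> <day> <month> <year> <time> <AM/PM> INFO: <dir>/[a.php b.php ]
# $2 overrides the timestamp so the output is reproducible in a test.
build_log_line() {
    dir="$1"
    stamp="${2:-$(date '+%a %d %b %Y %I:%M:%S %p')}"
    names=$(list_php_files "$dir" | tr '\n' ' ')
    printf '%s INFO: %s/[%s]\n' "$stamp" "$dir" "$names"
}

# Return 0 if the current account can append to $1 (or create it when it does
# not exist yet) and print the owner and mode of what was checked, so a failure
# is readable in ossec.log. ossec-execd runs as root, so a failure here usually
# means the path itself is wrong rather than the permissions.
check_log_writable() {
    target="$1"
    if [ -e "$target" ]; then probe="$target"; else probe=$(dirname "$target"); fi
    if [ -e "$probe" ]; then ls -ld "$probe" >&2; fi
    if [ -w "$probe" ]; then return 0; fi
    echo "preflight: cannot write $target (checked $probe)" >&2
    return 1
}

# Report the SELinux mode when getenforce exists. "Enforcing" means a write
# that passes check_log_writable can still be denied for ossec-execd, and the
# denial lands in the audit log rather than in ossec.log.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then getenforce; else echo "unavailable"; fi
}

# Append one inventory line when at least one .php file exists. Returns 0 if a
# line was written, 1 if the directory held no .php files, 2 if the log is not
# writable, so the three outcomes can be told apart.
record_php_files() {
    dir="${1:-$WEB_ROOT}"
    check_log_writable "$LOG_FILE" || return 2
    if [ -z "$(list_php_files "$dir")" ]; then return 1; fi
    build_log_line "$dir" >> "$LOG_FILE"
}

# Entry point in the shape ossec-execd uses: $1 is the action ("add" or
# "delete"); the remaining arguments (user, source IP, alert id, rule id) are
# not needed for a read-only inventory.
main() {
    case "${1:-add}" in
        add)    echo "selinux: $(selinux_mode)" >&2; record_php_files "$WEB_ROOT" ;;
        delete) ;;
        *)      echo "usage: $0 add|delete" >&2; return 1 ;;
    esac
}

# Run main only when explicitly asked (PHP_CHECK_RUN=1), so the file can also be
# sourced and its functions exercised one at a time.
if [ "${PHP_CHECK_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

Dropping the script into `/var/ossec/active-response/bin/` and running it once by hand with `PHP_CHECK_RUN=1 sh script.sh add` shows, on stderr, the SELinux mode and the `ls -ld` of the log path; if that works as root but nothing appears when execd fires the response, the remaining difference is the confinement of the ossec-execd process, which is what the audit log will show.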