Active Response does not want to work

Support/Development for OSSEC
karamanid
New Forum User
New Forum User
Posts: 1
Joined: Sat Jan 16, 2021 6:25 am
Location: Germany

Active Response does not want to work

Unread post by karamanid »

Hello everybody,

I have a little problem with my OSSEC. I am currently creating a personal project to detect the PHP files in the / var / www / html folder that were created, but the active-response system does not want to detect this. My decoder does present like this.

Code: Select all

Fri 15 Jan 2021 08:13:09 PM INFO: /var/www/html/[aasfgdgd.php g.php test.php ]
And I embed the regex in the decoder.xml file.

Code: Select all

<decoder name="php-check-log"> 
  <prematch>^\S+ \S+ \S+ \S+ \S+ \S+ \S+: \S+</prematch>
  <regex offset="after_prematch">^(.+\.php)</regex>
  <order>extra_data</order>
</decoder>
Now with my rule.

Code: Select all

<rule id="100002" level="5">
   <decoded_as>php-check-log</decoded_as>
   <description>New php file added</description>
 </rule>
And finally with my ossec.conf file so that my check-php.sh file is activated and immediately puts the log in the test.log file.

Code: Select all

  <command>
    <name>check-php</name>
    <executable>check-php.sh</executable>
    <timeout_allowed>no</timeout_allowed>
    <expect>extra_data</expect>
  </command>

  <active-response>
    <command>check-php</command>
    <location>server</location>
    <rules_id>100002</rules_id>
  </active-response>

  <localfile>
     <log_format>syslog</log_format>
     <location>/var/www/html/test.log</location>
   <location>/var/www/html/test.log</location>
And finally my check-php.sh file which is stored in /var/ossec/active-response/bin/.

Code: Select all

#!/bin/sh

command=$(ls /var/www/html|grep .php)
if [ $? -eq 0 ]; then
        echo "Fri 15 Jan 2021 08:13:09 PM INFO: /var/www/html/[$(ls /var/www/html|grep \.php|tr -d '\n'|sed -e 's/\.php/\.php /g')]" >> /var/www/html/test.log
else
        echo "Nothing"
fi
Anyone have any idea why it does not put the log in the test.log file? (I'm trying to manually run check-php.sh and it worked fine when I looked at the alerts.log file, but I don't want to do it manually but with active-response.)

Thanks!
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Active Response does not want to work

Unread post by mikeshinn »

Assuming your script works fine from the command line as root, is there anything OS wise preventing ossec-execd from writing to that file, for example is SELinux blocking ossec-execd from writing to that directory or file?
Post Reply