Wazuh remote command from API doesn't work
I'm trying to execute a remote command from the Wazuh manager to the agent using the API; below is what I'm trying to do:
curl -k -X PUT "https://192.168.1.76:55000/active-response?agents_list=001" -H "Authorization: Bearer $TOKEN" -H "content-type: application/json" -d '{"command": "customA", "custom":true}'
And this is the response:
{"data": {"affected_items": ["001"], "total_affected_items": 1, "total_failed_items": 0, "failed_items": []}, "message": "AR command was sent to all agents", "error": 0}
The problem is simply that the command "customA" isn't triggered on the agent. Here is the body of the "/var/ossec/etc/ossec.conf" file on the MANAGER:
<command>
<name>customA</name>
<executable>launcher.cmd</executable>
<extra_args>custom_remove.py</extra_args>
</command>
<command>
<name>customB</name>
<executable>launcher.cmd</executable>
<extra_args>custom_remove.py</extra_args>
</command>
<command>
<name>forRemote</name>
<executable>custom_remove.exe</executable>
</command>
<active-response>
<disabled>no</disabled>
<command>customA</command>
<location>local</location>
<rules_id>255001</rules_id>
</active-response>
<active-response>
<disabled>no</disabled>
<command>customA</command>
<location>local</location>
<rules_id>999001</rules_id>
</active-response>
And this is the "local_internal_options.conf" file on the Windows AGENT 001:
windows.debug=2
rootcheck.sleep=0
syscheck.sleep=0
logcollector.remote_commands=1
wazuh_command.remote_commands=1
Eventually, I think that the command and the active response are correctly configured, because they work correctly if I test them by triggering a rule (for example rule 999001). Moreover, I post the response of the API "GET /manager/configuration/analysis/command":
{
"data": {
"affected_items": [
{
"command": [
{
"name": "disable-account",
"executable": "disable-account",
"timeout_allowed": 1
},
{
"name": "restart-wazuh",
"executable": "restart-wazuh",
"timeout_allowed": 0
},
{
"name": "firewall-drop",
"executable": "firewall-drop",
"timeout_allowed": 1
},
{
"name": "host-deny",
"executable": "host-deny",
"timeout_allowed": 1
},
{
"name": "route-null",
"executable": "route-null",
"timeout_allowed": 1
},
{
"name": "win_route-null",
"executable": "route-null.exe",
"timeout_allowed": 1
},
{
"name": "netsh",
"executable": "netsh.exe",
"timeout_allowed": 1
},
{
"name": "customA",
"executable": "launcher.cmd",
"timeout_allowed": 0
},
{
"name": "customB",
"executable": "launcher.cmd",
"timeout_allowed": 0
},
{
"name": "forRemote",
"executable": "custom_remove.exe",
"timeout_allowed": 0
},
{
"name": "remove-threat",
"executable": "remove-threat.exe",
"timeout_allowed": 0
}
]
}
],
"total_affected_items": 1,
"total_failed_items": 0,
"failed_items": []
},
"message": "Active configuration was successfully read",
"error": 0
}
I hope that someone will help me. Thanks in advance!
Please open the C:\Program Files (x86)\ossec-agent\etc\shared\ar.conf file and verify that you have:
customA0 - launcher.cmd - 0
If you don't have it, create any file in /var/ossec/etc/shared/default/ for the manager to update the agent by sending a merged.mg; this resets the agent and updates it according to what you configured in ossec.conf on the manager.
The command should have customA0 instead of customA.
Example: curl -k -X PUT "https://192.168.1.72:55000/active-response?agents_list=001" -H "Authorization: Bearer $(curl -u wazuh:wazuh -k -X GET "https://192.168.1.xxx:55000/security/user/authenticate?raw=true")" -H "content-type: application/json" -d '{"command": "customA0", "custom":true}'
I hope this is useful. Regards
Note: I attach an example that I did to test the manager and the agent.
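The answer's point is that the API must be given the name as it appears in the agent's ar.conf ("customA0"), not the bare `<name>` from ossec.conf ("customA"). The following added example (not code from the thread or from Wazuh) parses a constructed ar.conf sample in the "name - executable - timeout" layout shown in the answer and resolves a bare command name to the entry the agent actually knows before building the `/active-response` body; the rule that an entry name is the command name followed by its timeout is assumed from the answer's single example, and the helper names are hypothetical.

```python
import json

# Constructed ar.conf sample (not taken from the thread), in the
# "<name> - <executable> - <timeout>" layout the answer asks the reader to verify.
AR_CONF = """\
restart-wazuh0 - restart-wazuh - 0
customA0 - launcher.cmd - 0
customB0 - launcher.cmd - 0
"""


def parse_ar_conf(text):
    """Parse ar.conf lines into {entry_name: {"executable": ..., "timeout": ...}}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(" - ")]
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed lines instead of aborting the whole check
        name, executable, timeout = parts
        entries[name] = {"executable": executable, "timeout": int(timeout)}
    return entries


def resolve_ar_command(requested, entries):
    """Return the ar.conf entry name to send for `requested`, or None if absent.

    An exact match wins. Otherwise assume (from the answer's example) that the
    entry name is <command name><timeout> and look for that suffixed variant.
    """
    if requested in entries:
        return requested
    for name, entry in entries.items():
        if name == f"{requested}{entry['timeout']}":
            return name
    return None


def build_ar_request(requested, entries):
    """Build the JSON body for PUT /active-response, refusing unknown commands."""
    name = resolve_ar_command(requested, entries)
    if name is None:
        raise ValueError(f"{requested!r} is not in ar.conf; the agent would ignore it")
    return json.dumps({"command": name, "custom": True})


if __name__ == "__main__":
    known = parse_ar_conf(AR_CONF)
    print(build_ar_request("customA", known))  # the body the answer recommends
```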