I am trying to execute a remote command from the Wazuh manager to an agent using the API. Here is what I want to do:
curl -k -X PUT "https://192.168.1.76:55000/active-response?agents_list=001" -H "Authorization: Bearer $TOKEN" -H "content-type: application/json" -d '{"command": "customA", "custom":true}'
and then the response:
{"data": {"affected_items": ["001"], "total_affected_items": 1, "total_failed_items": 0, "failed_items": []}, "message": "AR command was sent to all agents", "error": 0}
The problem is simple: the command "customA" is not triggered on the agent. My /var/ossec/etc/ossec.conf:
<command>
<name>customA</name>
<executable>launcher.cmd</executable>
<extra_args>custom_remove.py</extra_args>
</command>
<command>
<name>customB</name>
<executable>launcher.cmd</executable>
<extra_args>custom_remove.py</extra_args>
</command>
<command>
<name>forRemote</name>
<executable>custom_remove.exe</executable>
</command>
<active-response>
<disabled>no</disabled>
<command>customA</command>
<location>local</location>
<rules_id>255001</rules_id>
</active-response>
<active-response>
<disabled>no</disabled>
<command>customA</command>
<location>local</location>
<rules_id>999001</rules_id>
</active-response>
This is the local_internal_options.conf of the Windows agent 001:
windows.debug=2
rootcheck.sleep=0
syscheck.sleep=0
logcollector.remote_commands=1
wazuh_command.remote_commands=1
In the end, I think the commands and active responses are correctly configured, because if I test them by triggering the rules (for example rule 999001) they work correctly. In addition, I am also posting the response of the API call "GET /manager/configuration/analysis/command":
{
"data": {
"affected_items": [
{
"command": [
{
"name": "disable-account",
"executable": "disable-account",
"timeout_allowed": 1
},
{
"name": "restart-wazuh",
"executable": "restart-wazuh",
"timeout_allowed": 0
},
{
"name": "firewall-drop",
"executable": "firewall-drop",
"timeout_allowed": 1
},
{
"name": "host-deny",
"executable": "host-deny",
"timeout_allowed": 1
},
{
"name": "route-null",
"executable": "route-null",
"timeout_allowed": 1
},
{
"name": "win_route-null",
"executable": "route-null.exe",
"timeout_allowed": 1
},
{
"name": "netsh",
"executable": "netsh.exe",
"timeout_allowed": 1
},
{
"name": "customA",
"executable": "launcher.cmd",
"timeout_allowed": 0
},
{
"name": "customB",
"executable": "launcher.cmd",
"timeout_allowed": 0
},
{
"name": "forRemote",
"executable": "custom_remove.exe",
"timeout_allowed": 0
},
{
"name": "remove-threat",
"executable": "remove-threat.exe",
"timeout_allowed": 0
}
]
}
],
"total_affected_items": 1,
"total_failed_items": 0,
"failed_items": []
},
"message": "Active configuration was successfully read",
"error": 0
}
I hope someone can help me. Thank you for your suggestions!

Please open the C:\Program Files (x86)\ossec-agent\etc\shared\ar.conf file and verify that it contains:
customA0 - launcher.cmd - 0
If it does not, create a file in /var/ossec/etc/shared/default/ so that the manager updates the agent by sending the merged configuration. This will restart the agent and update it according to what you configured in the manager's ossec.conf.
The command should be customA0, not customA.
Example:
curl -k -X PUT "https://192.168.1.72:55000/active-response?agents_list=001" -H "Authorization: Bearer $(curl -u wazuh:wazuh -k -X GET "https://192.168.1.xxx:55000/security/user/authenticate?raw=true")" -H "content-type: application/json" -d '{"command":"customA0","custom":true}'
I hope this is useful. Regarding the note: I attached an example of a test I did with manager and agent.
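The following is an added example, not code from this thread or from the Wazuh project. It shows the point the answer makes in working code: the name the API accepts is the one written in the agent's ar.conf ("customA0", i.e. the ossec.conf name with the timeout appended, as in the line "customA0 - launcher.cmd - 0"), not the bare "customA". The ar.conf content is constructed to mirror the thread; the manager URL, credentials and agent id are placeholders; the sender reproduces the two curl calls from the answer with urllib and lets you pass the manager's CA instead of disabling verification (curl -k).

```python
import base64
import json
import ssl
import urllib.request

# Constructed ar.conf content mirroring the thread (on a Windows agent the
# manager-pushed copy is C:\Program Files (x86)\ossec-agent\etc\shared\ar.conf).
# Each line is "<name><timeout> - <executable> - <timeout>", so the API name
# for the ossec.conf command "customA" with timeout 0 is "customA0".
SAMPLE_AR_CONF = """\
restart-wazuh0 - restart-wazuh - 0
customA0 - launcher.cmd - 0
customB0 - launcher.cmd - 0
forRemote0 - custom_remove.exe - 0
"""


def parse_ar_conf(text):
    """Parse ar.conf lines into {api_name: (executable, timeout)}."""
    commands = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(" - ")]
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed lines instead of guessing
        name, executable, timeout = parts
        commands[name] = (executable, int(timeout))
    return commands


def resolve_command(commands, configured_name, timeout=0):
    """Turn the <command><name> from the manager's ossec.conf into the name the
    API expects. Raises KeyError when the agent's ar.conf lacks the entry, which
    is the failure mode in the thread: the PUT reports success because the
    manager accepted it, but the agent has nothing matching to run."""
    api_name = f"{configured_name}{timeout}"
    if api_name not in commands:
        raise KeyError(
            f"{api_name} not in agent ar.conf; check the manager's ossec.conf "
            "and that the shared configuration reached the agent"
        )
    return api_name


def build_payload(api_name):
    """Body for PUT /active-response (custom=true for non-built-in commands)."""
    return {"command": api_name, "custom": True}


def make_ssl_context(ca_file=None):
    """With ca_file, verify the manager's certificate; without it, behave like
    curl -k (no verification), which is acceptable only in a lab."""
    if ca_file:
        return ssl.create_default_context(cafile=ca_file)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def get_token(base_url, user, password, ctx):
    """GET /security/user/authenticate?raw=true returns the JWT as plain text."""
    req = urllib.request.Request(f"{base_url}/security/user/authenticate?raw=true")
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode().strip()


def send_active_response(base_url, token, agent_id, api_name, ctx):
    """PUT /active-response?agents_list=<id>; returns the decoded JSON reply."""
    body = json.dumps(build_payload(api_name)).encode()
    req = urllib.request.Request(
        f"{base_url}/active-response?agents_list={agent_id}", data=body, method="PUT"
    )
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Offline part: resolve the API name from the sample ar.conf.
    api_name = resolve_command(parse_ar_conf(SAMPLE_AR_CONF), "customA")
    print(json.dumps(build_payload(api_name)))  # {"command": "customA0", "custom": true}
    # Online part (placeholders; needs a reachable manager):
    # ctx = make_ssl_context(ca_file="/path/to/manager-ca.pem")
    # token = get_token("https://MANAGER_IP:55000", "wazuh", "PASSWORD", ctx)
    # reply = send_active_response("https://MANAGER_IP:55000", token, "001", api_name, ctx)
    # print(reply["message"], reply["data"]["total_failed_items"])
```

Note that the API's "AR command was sent to all agents" only means the manager forwarded the request; whether the agent runs anything depends on the entry existing in its ar.conf, which is why the example checks that first.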