Active-response Kaspersky is not parsing extra_args correctly. #16514

Open
Nicogp opened this issue Mar 27, 2023 · 0 comments
Labels
feed/active response Active response scripts (not the module) level/task module/active response type/bug Something isn't working

Comments

Nicogp (Member) commented Mar 27, 2023

| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.2 to master | Active-response | Manager/Agent | Packages/Sources | OS version |

During testing in the Security flaws issue investigation I found that the kaspersky.py script is not parsing the execution arguments correctly when executed from active-response.

To make debugging easier I added two logs to show me the variables "args" and "unknown".

Steps to reproduce

Configure the AR:

In the kaspersky AR configuration add the extra_args field with the --custom_flags parameter (this is a valid parameter according to the script).

```xml
<command>
  <name>kaspersky</name>
  <executable>kaspersky</executable>
  <extra_args>--custom_flags this_is_an_arg</extra_args>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <disabled>no</disabled>
  <command>kaspersky</command>
  <location>local</location>
  <rules_id>550</rules_id>
</active-response>
```

Restart the wazuh-manager and generate the event that triggers the AR.

Check log messages:

When verifying the logs, we see, through the variable "args", that the argument --custom_flags could not be parsed, remaining inside the variable "unknown".

```text
Mon Mar 27 09:39:37 -03 2023 /var/ossec/active-response/bin/kaspersky.py ----> args: Namespace(verbose=False, full_scan=False, boot_scan=False, memory_scan=False, custom_scan_folder=None, custom_scan_file=None, action=None, update_application=False, get_task_list=False, get_task_state=None, custom_flags=None, enable_realtime=False, disable_realtime=False)

Mon Mar 27 09:39:37 -03 2023 /var/ossec/active-response/bin/kaspersky.py ----> unknown: ['--custom_flags this_is_an_arg']

Mon Mar 27 09:39:37 -03 2023 /var/ossec/active-response/bin/kaspersky.py --custom_flags this_is_an_arg
```

Running the script manually (expected behavior):

By running the script manually as follows:

```shell
python3 /var/ossec/active-response/bin/kaspersky.py --custom_flags this_is_an_arg
```

When we check the logs we see that the argument could be parsed correctly:

```text
Mon Mar 27 09:39:58 -03 2023 /var/ossec/active-response/bin/kaspersky.py ----> args: Namespace(verbose=False, full_scan=False, boot_scan=False, memory_scan=False, custom_scan_folder=None, custom_scan_file=None, action=None, update_application=False, get_task_list=False, get_task_state=None, custom_flags='this_is_an_arg', enable_realtime=False, disable_realtime=False)

Mon Mar 27 09:39:58 -03 2023 /var/ossec/active-response/bin/kaspersky.py ----> unknown: []

Mon Mar 27 09:39:58 -03 2023 /var/ossec/active-response/bin/kaspersky.py --custom_flags this_is_an_arg
```
@Nicogp Nicogp added type/bug Something isn't working module/active response feed/active response Active response scripts (not the module) labels Mar 27, 2023
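The two log pairs in the report differ in one detail: in the AR run the whole `extra_args` value arrived in `sys.argv` as a single element (`'--custom_flags this_is_an_arg'`), while the manual run delivered two elements. `argparse` treats any element that contains a space as a positional, never as an option, so with no positionals defined it lands in the `unknown` list returned by `parse_known_args`. The following example is added here to reproduce that behaviour and to show one script-side mitigation; it is not code from the issue or from Wazuh's `kaspersky.py`. Only `--custom_flags` is taken from the report; the `--verbose` option, the reduced parser and the `normalize_argv` helper are assumptions for illustration.

```python
import argparse
import shlex
from typing import List, Tuple

ArgsAndUnknown = Tuple[argparse.Namespace, List[str]]


def build_parser() -> argparse.ArgumentParser:
    """Reduced stand-in for the script's parser.

    --custom_flags is the option used in the issue; --verbose is an assumed
    store_true flag so the Namespace has more than one field.
    """
    parser = argparse.ArgumentParser(prog="kaspersky.py", add_help=False)
    parser.add_argument("--verbose", action="store_true")
    parser.add_argument("--custom_flags", type=str, default=None)
    return parser


def parse_as_received(argv: List[str]) -> ArgsAndUnknown:
    """Parse argv exactly as handed to the process.

    parse_known_args is used because the report logs both an 'args'
    Namespace and an 'unknown' list, which is what that call returns.
    """
    return build_parser().parse_known_args(argv)


def normalize_argv(argv: List[str]) -> List[str]:
    """Hypothetical mitigation (not the project's code): re-split any argv
    element that still contains whitespace, using shell quoting rules so a
    value such as  --custom_flags "a b"  stays grouped.  Elements without
    whitespace are passed through untouched.
    """
    out: List[str] = []
    for item in argv:
        if any(ch.isspace() for ch in item):
            out.extend(shlex.split(item))
        else:
            out.append(item)
    return out


def parse_normalized(argv: List[str]) -> ArgsAndUnknown:
    """Same parser, applied after normalize_argv."""
    return build_parser().parse_known_args(normalize_argv(argv))


# Constructed inputs mirroring the two runs in the issue (not captured data).
ARGV_FROM_AR = ["--custom_flags this_is_an_arg"]    # one element, as in the AR run
ARGV_MANUAL = ["--custom_flags", "this_is_an_arg"]  # two elements, as typed in a shell
ARGV_QUOTED = ['--custom_flags "two words" --verbose']  # quoting survives shlex.split


if __name__ == "__main__":
    for label, argv in (("AR run", ARGV_FROM_AR), ("manual run", ARGV_MANUAL)):
        args, unknown = parse_as_received(argv)
        print(f"{label:11} as received : args={args} unknown={unknown}")
        args, unknown = parse_normalized(argv)
        print(f"{label:11} normalized  : args={args} unknown={unknown}")
```

Re-splitting inside the script is a workaround, not a root-cause fix: the clean solution is for the caller to pass `extra_args` as separate argv elements. Note also that any component that re-tokenizes a string with shell rules must be sure of where that string comes from; here it is the manager's own `ossec.conf`, not alert content, but the same helper applied to attacker-influenced data would let that data inject additional flags.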