Active Response Update 升级主动响应脚本
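#!/usr/bin/env sh
##### INIT #####
# Wazuh active-response helper: reads one alert line from stdin and, depending
# on the command it carries, downloads, replaces or retires another script in
# this directory. Every outcome is appended to logs/active-responses.log.
# NOTE: -x traces every command, including the raw alert line, to stderr.
set -ex
# Absolute directory of this script; downloaded scripts are stored next to it.
active_response_path=$(
  cd "$(dirname "$0")" && pwd
)
# One JSON line from the manager. -r keeps backslashes in the payload intact
# and IFS= keeps leading/trailing whitespace, so the fields below see the
# line exactly as it was sent.
IFS= read -r line

# Print the Nth double-quote-delimited field of the alert fragment.
# The positions used below (2/4/6/8 = command, name, url, md5) reflect the
# payload layout this script expects; confirm against the manager's actual
# JSON before relying on them. The \n in the sed replacement is GNU sed syntax.
Alert_Field() {
  printf '%s\n' "$line" | sed -e 's/":/\n/g' | grep alert | cut -d '"' -f "$1"
}
active_response_command="$(Alert_Field 2)"
active_response_name="$(Alert_Field 4)"
active_response_url="$(Alert_Field 6)"
active_response_md5="$(Alert_Field 8)"

# Timestamp in the "Mon dd HH:MM:SS" form used by the log. When the system
# date prints nothing, a bundled ./date helper is used instead (presumably a
# fallback for agents without a usable date binary; the helper is not shown here).
if test -z "$(date)"; then
  active_response_data="$("$active_response_path"/date)"
else
  active_response_data="$(LANG=en_US.UTF-8 date "+%b %e %T")"
fi
# Two levels up from this directory, i.e. <install>/logs/active-responses.log.
active_response_log="$(dirname "$(dirname "$active_response_path")")/logs/active-responses.log"
# Target script. The name is taken from the alert and joined onto this
# directory verbatim; nothing in this block rejects a name containing '/',
# so any consumer of this path must check that before writing to it.
active_response_file="$active_response_path/$active_response_name"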
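#######################################
# Append one result line to the active-response log in the form
#   "<timestamp> <host> <script>: <command> <name> <message>"
# Globals:   active_response_data, active_response_command,
#            active_response_name, active_response_log (read)
# Arguments: $1 - result message
# Outputs:   one line appended to $active_response_log
#######################################
Check_Log() {
  # printf rather than echo: the command and name come straight from the
  # alert, and sh's echo would interpret backslash sequences or a leading
  # -n inside them instead of logging them literally.
  printf '%s %s %s: %s %s %s\n' \
    "$active_response_data" "$(uname -n)" "${0##*/}" \
    "$active_response_command" "$active_response_name" "$1" \
    >>"$active_response_log"
}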
##### INIT #####
##### MAIN #####
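#######################################
# Download the alert's URL into the given path and verify its MD5 digest.
# Globals:   active_response_url, active_response_md5 (read)
# Arguments: $1 - destination path
# Outputs:   appends the failure reason to the log via Check_Log
# Returns:   0 when the file is in place and its digest matches; 1 otherwise,
#            after removing the partial or mismatching download
#######################################
Fetch_And_Verify() {
  # wget -O creates (or truncates) the target before the transfer starts, so
  # a later "-f" test cannot tell a failed download from a good one. Use the
  # exit status instead; testing it here also keeps "set -e" from aborting the
  # script before a rollback can run.
  if ! wget -qO "$1" "$active_response_url"; then
    rm -f "$1"
    Check_Log "Error: Download Failed"
    return 1
  fi
  # The digest is only an integrity check against the value the manager sent;
  # MD5 is not collision resistant, so the trust rests on the manager channel.
  if [ "$(md5sum "$1" | cut -d ' ' -f1)" != "$active_response_md5" ]; then
    rm -f "$1"
    Check_Log "Error: Md5 Don't Match"
    return 1
  fi
  return 0
}

if ! command -v wget >/dev/null 2>&1; then
  Check_Log "Error: Command wget Not Found"
elif [ -z "$active_response_name" ] || [ "$active_response_name" != "${active_response_name##*/}" ] \
  || [ "$active_response_name" = "." ] || [ "$active_response_name" = ".." ]; then
  # The name comes from the alert and is appended to this script's directory,
  # so only a bare filename is acceptable; a '/' or a dot entry could place the
  # download outside the active-response directory.
  Check_Log "Error: Invalid Name"
else
  case "$active_response_command" in
  "add")
    if [ -f "$active_response_file" ]; then
      Check_Log "Error: file Exist"
    elif Fetch_And_Verify "$active_response_file"; then
      chmod +x "$active_response_file"
      Check_Log "Succeed"
    fi
    ;;
  "remove")
    # Retire the script by renaming it; the .bak copy is kept but made
    # non-executable.
    if [ ! -f "$active_response_file" ]; then
      Check_Log "Error: file NotExist"
    else
      mv "$active_response_file" "$active_response_file.bak"
      chmod -x "$active_response_file.bak"
      Check_Log "Succeed"
    fi
    ;;
  "upgrade")
    if [ ! -f "$active_response_file" ]; then
      Check_Log "Error: file NotExist"
    else
      # Keep the current version as .bak so a failed fetch can be rolled back;
      # the .bak is left in place after a successful upgrade, as before.
      mv "$active_response_file" "$active_response_file.bak"
      if Fetch_And_Verify "$active_response_file"; then
        Check_Log "Succeed"
      else
        mv "$active_response_file.bak" "$active_response_file"
      fi
      chmod +x "$active_response_file"
    fi
    ;;
  *)
    echo "Usage: active-response-update.sh [add|remove|upgrade|init][ip][port]"
    Check_Log "Error: Unknown Command"
    ;;
  esac
fi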
##### MAIN #####
Wazuh active response for remote upgrades

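IP="wazuh.lan"
# Obtain an API token. -k disables TLS verification; if the manager uses a
# self-signed certificate, point --cacert at that certificate instead of
# accepting any server. wazuh:wazuh is the out-of-the-box API login and
# should not be used on a real deployment.
TOKEN=$(curl -u wazuh:wazuh -ks -X GET "https://$IP:55000/security/user/authenticate?raw=true")

# Ask agent 001 to run the upgrade command. The token travels in a header on
# the command line, so it is visible in the process list while curl runs.
# The content-type header is given once with -H; a bare
# 'Content-Type:application/json' argument would be taken as another URL.
curl -H "Authorization: Bearer $TOKEN" \
 -H 'Content-Type:application/json' \
 -ks -X PUT \
 -d '{"command": "!active-response-update.sh", "arguments": ["upgrade", "active-response-update.sh", "http://172.16.30.95:999/active-response-update.sh", "e253b78b8d87a621f6d598e0a7c0ea20"]}' \
 "https://$IP:55000/active-response?pretty=false&agents_list=001"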


ARGUMENT {
    command [ add | remove | upgrade ]
    name [ test.sh ]
    url [ http://192.168.66.166:999/active-response-update.sh ]
    md5 [ 6a8369c1cb79313148bbee54601a9e21 ]
}
