OTX for Wazuh

Alvaro Victoriano

Sep 5, 2019, 1:50:49 AM
to Wazuh mailing list
Hello Wazuh Team,

I have a question please.

Is it possible to integrate OTX AlienVault with Wazuh?

And can VirusTotal be integrated in the same way as OTX AlienVault?


Thank you

Juan Pablo Saez

Sep 5, 2019, 3:48:21 AM
to Wazuh mailing list
Hi again Alvaro,

  • Here is one approach to integrating OTX IP reputation list data into Wazuh. Wazuh can integrate IP reputation lists, but not the file hashes from the pulse system. There is a GitHub community issue for the full OTX integration request. Did you have a specific use case in mind?
  • About VirusTotal, our integration uses the VirusTotal API to detect malicious content within the files monitored by File Integrity Monitoring. This is an easy-to-configure integration.

Please, let me know if you need help configuring these integrations.
 
Best regards, Juan Pablo Sáez

Miki Alkalay

Sep 12, 2019, 3:20:19 AM
to Wazuh mailing list
Hi,
I already integrated the IP blacklist from AlienVault with Wazuh:
1) Download the IP blacklist.
2) Convert it to a CDB file.
3) Alert on any activity that any agent has with the IPs in the blacklist.

Miki
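
The conversion step Miki describes (and the ossec-makelists / manager-restart step discussed further down the thread) as an added example; this is editorial code, not Miki's or Wazuh's own tooling. It assumes the default Wazuh list directory, the AlienVault feed's "ip#metadata" line layout, and a custom rule id in the local range; the sample feed is constructed from documentation IP ranges.

```shell
#!/bin/sh
# Added example, not Wazuh's own tooling: convert a plain IP reputation feed
# (one IPv4 per line, optionally followed by '#'-separated metadata, as in the
# AlienVault reputation feed) into the "ip:" key lines that ossec-makelists
# compiles into a CDB list. Paths are the Wazuh defaults named in the thread.

LIST_DIR="/var/ossec/etc/lists"
LIST_NAME="blacklist-alienvault"

# stdin -> stdout: skip comments and blank lines, drop '#' metadata, keep only
# valid dotted-quad IPv4 addresses, de-duplicate, and emit "ip:" (empty value).
to_cdb_list() {
  awk -F'#' '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
      ip = $1; gsub(/[ \t\r]/, "", ip)
      n = split(ip, o, ".")
      if (n != 4) next
      ok = 1
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
      if (ok && !seen[ip]++) print ip ":"
    }'
}

# Rebuild the list from a downloaded feed file and recompile the CDB files.
# As noted in the thread, a manager restart also runs ossec-makelists.
build_list() {
  to_cdb_list < "$1" > "$LIST_DIR/$LIST_NAME" && /var/ossec/bin/ossec-makelists
}

# Rule that fires when an event's srcip is a key in the list (local_rules.xml;
# the id 100100 is an assumed value in the custom rule range):
#   <rule id="100100" level="10">
#     <if_group>web|attack|attacks</if_group>
#     <list field="srcip" lookup="address_match_key">etc/lists/blacklist-alienvault</list>
#     <description>Source IP found in AlienVault reputation list.</description>
#   </rule>

# Constructed sample feed (documentation ranges, not real indicators) so the
# script runs offline: a comment header, metadata, a duplicate, garbage, and
# an out-of-range octet. Only the first two addresses should survive.
SAMPLE='# reputation feed header
192.0.2.10#4#2#Scanning Host#US
198.51.100.7
198.51.100.7
not-an-ip
203.0.113.300'

printf '%s\n' "$SAMPLE" | to_cdb_list
```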

Alvaro Victoriano

Sep 13, 2019, 1:40:41 AM
to Wazuh mailing list
Thank you so much Juan, so helpful, and great work by Wazuh.

I have done it.
Last question please: if I have a new list of IPs, should I just add them to the main list (AlienVault, for example, like the one in the article), then run
/var/ossec/bin/ossec-makelists and restart the manager? Is that all right?

Or do all the steps all over again?

Thank you again 

Juan Pablo Saez

Sep 13, 2019, 7:01:00 AM
to Wazuh mailing list
Hi,

I appreciate your feedback, Alvaro!  (:

> Last question please: if I have a new list of IPs, should I just add them to the main list (AlienVault, for example, like the one in the article), then run
> /var/ossec/bin/ossec-makelists and restart the manager? Is that all right?

That's right. If you copy the new list into the existing list (i.e. the AlienVault one), just restarting the manager should be enough, as the /var/ossec/bin/ossec-makelists binary is launched on every Wazuh manager restart.

And don't worry, you can ask all the questions you need.


I hope it helps. Best regards,
Juan Pablo Sáez

Alvaro Victoriano

Sep 13, 2019, 11:58:50 AM
to Wazuh mailing list
Thank you so much Juan for clarifying my doubts and opening the space for more questions.

Is ransomware related to OTX? Somehow the ransomware could enter the PC via USB, not only the internet.

Could you give me any recommendation please for this case of ransomware, I mean avoiding it or sending alerts about it.
Can it be detected by Rootcheck?


Juan Pablo Saez

Sep 16, 2019, 7:28:34 AM
to Wazuh mailing list
Hi again Alvaro,


> Is ransomware related to OTX? Somehow the ransomware could enter the PC via USB, not only the internet.

Yes, OTX has ransomware detection capabilities, but they don't have an integration in the Wazuh software yet.

> Could you give me any recommendation please for this case of ransomware, I mean avoiding it or sending alerts about it.
> Can it be detected by Rootcheck?

  • The Rootcheck module isn't helpful for ransomware detection.
  • VirusTotal integration: you can use the FIM + VirusTotal integration to check for ransomware and other malware on your USB devices and hard disks.

If you choose to use any of these options and I can help you, please let me know.

Best regards, Juan Pablo Sáez

Alvaro Victoriano

Sep 17, 2019, 1:23:01 AM
to Wazuh mailing list
Thank you so much Juan, it was really helpful.

I went with the IP list and added it to the blacklist I already have, https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt
I restarted the manager and the list has been synchronized to the other workers in the cluster. For the other URLs I will look at how to block them; it isn't possible with Wazuh, right?
And I already prepared a report for the clients.

For VirusTotal I did as in your documentation and used a free key; it wasn't so helpful, so I asked for a private key, with pricing starting from $800.

Thank you again Juan

Juan Pablo Saez

Sep 17, 2019, 4:08:54 AM
to Wazuh mailing list
Hi again Alvaro,

You are welcome; I think these IP lists are frequently updated so it's a great value for your Wazuh stack.

> For the other URLs I will look at how to block them; it isn't possible with Wazuh, right?

You are right: currently our active-response scripts can't block URLs. <commands> expect static fields, and URLs from events aren't parsed as static fields.

> For VirusTotal I did as in your documentation and used a free key; it wasn't so helpful, so I asked for a private key, with pricing starting from $800.

I agree, four uses a day are very few.

Please let me know if it helps. Greetings,

Juan Pablo Sáez

Kevin Branch

Sep 17, 2019, 9:39:01 AM
to Juan Pablo Saez, Wazuh mailing list
Actually the VirusTotal public API rate limit for lookup requests is 4 per minute, but even that is restrictive if you are going to put it to any serious use.

Kevin


Alvaro Victoriano

Sep 17, 2019, 11:44:32 AM
to Wazuh mailing list
That's so good Juan,
thank you for all, and Kevin as well for your share.