Wazuh agent and remote commands


serano...@gmail.com

Mar 26, 2023, 4:52:53 AM3/26/23
to Wazuh mailing list
Hi All
I've successfully implemented Yara into Wazuh and now my concern is to keep the rule file updated.
Instead of writing a script to allow the agent (on a Windows system) to download the update from the repo, I would like to know if there is a way to execute a command remotely from the manager and pass the files to the agent, as Wazuh itself does with active response, which sends the entire log to the agent when an active response rule is triggered.


Hope you can help, have a nice day!


Jörg Schin.

Mar 26, 2023, 12:53:20 PM3/26/23
to Wazuh mailing list
Hi,
Maybe I didn't understand it correctly. But I assume that Yara is installed on the Wazuh agent (Windows 10 or whatever) and you want to download the rules only once on a Linux server and share them / push them to the agents?

If yes, why not use a Samba server for file sharing?
Then you can create / download / collect the Yara rules on the Samba server and share them with the clients.
e.g.:

Greez

Miguel Casares

Mar 26, 2023, 3:15:14 PM3/26/23
to Wazuh mailing list
Hello Serano and Jörg,

As Jörg mentioned, you can use a Samba server for file sharing as an alternative external to Wazuh. Also, you can push the Yara rules to the agents if you place the file within the /var/ossec/etc/shared/default folder to do it for all the agents, or in a different agent group folder. Once pushed, the Yara rules will be located in the same /var/ossec/etc/shared folder on the agent side, and you can define the new path in the Wazuh configuration.

I hope that helps. Let me know if you need anything else.

Regards,

Miguel
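The shared-folder push Miguel describes, as an added example that is not part of the thread or of the Wazuh project's own tooling. It is a manager-side script that stages a Yara rules file into an agent group's shared folder and then checks whether the manager has bundled it into that group's merged.mg (the file the manager builds from the shared folder and ships to the agents). Assumptions: the Wazuh install root is /var/ossec unless WAZUH_HOME is set (overridable so the functions can be exercised against a scratch directory), the group folder already exists, and the rules file keeps its name; the optional compile check only runs if the yara CLI is on the manager.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from Wazuh): push a Yara rules file to
# every agent in a group by staging it in the group's shared folder.
# Assumption: WAZUH_HOME is /var/ossec unless overridden (useful for testing).
set -eu

# stage_yara_rules <rules.yar> [group]
# Copies the rules file into <WAZUH_HOME>/etc/shared/<group>/ and prints the
# destination path. If the yara CLI is installed, a rule set that does not
# compile is refused, so a broken file is never pushed to the whole fleet.
stage_yara_rules() {
  rules="$1"
  group="${2:-default}"
  dest_dir="${WAZUH_HOME:-/var/ossec}/etc/shared/$group"
  dest="$dest_dir/$(basename "$rules")"

  [ -f "$rules" ] || { echo "rules file not found: $rules" >&2; return 1; }
  [ -d "$dest_dir" ] || { echo "no such group folder: $dest_dir" >&2; return 1; }

  # Optional syntax check: compile the rules against an empty target.
  if command -v yara >/dev/null 2>&1; then
    yara "$rules" /dev/null >/dev/null || { echo "rules do not compile" >&2; return 1; }
  fi

  install -m 0660 "$rules" "$dest"
  # The manager daemons run as the wazuh user; fix ownership when running as root.
  if [ "$(id -u)" -eq 0 ] && id wazuh >/dev/null 2>&1; then
    chown wazuh:wazuh "$dest"
  fi
  printf '%s\n' "$dest"
}

# rules_in_merged <rules.yar> [group]
# Succeeds once the file name appears in the group's merged.mg, i.e. the
# manager has rebuilt the bundle and agents will pick the file up on their
# next check-in. Until then the push has not happened yet.
rules_in_merged() {
  name="$(basename "$1")"
  group="${2:-default}"
  merged="${WAZUH_HOME:-/var/ossec}/etc/shared/$group/merged.mg"
  [ -f "$merged" ] && grep -q -- "$name" "$merged"
}

# Usage on the manager, as root:
#   ./push_yara_rules.sh /tmp/yara_rules.yar default
#   sleep 15; ./push_yara_rules.sh --check /tmp/yara_rules.yar default
if [ "$#" -ge 1 ]; then
  if [ "$1" = "--check" ]; then
    shift
    rules_in_merged "$@" && echo "bundled in merged.mg" || { echo "not bundled yet" >&2; exit 1; }
  else
    stage_yara_rules "$@"
  fi
fi
```

Two caveats a practitioner will want: the manager rebuilds merged.mg on its own, so there is a short delay between copying the file and the agents receiving it (the `--check` mode above is for confirming that), and everything in the group folder is delivered to every agent of that group and overwrites the agent's copy, so the shared folder is the place for centrally managed rules only, never for per-host edits. On a Windows agent the pushed file lands in the agent's own shared directory (by default under C:\Program Files (x86)\ossec-agent\shared), which is the path to hand to yara.exe in the active response configuration.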

Stefano Serano

Mar 28, 2023, 6:37:28 AM3/28/23
to Miguel Casares, Wazuh mailing list
Hi All.
Thanks Miguel! That is a good solution for me, have a nice day!


Stefano Serano

Mar 28, 2023, 6:37:37 AM3/28/23
to Jörg Schin., Wazuh mailing list
Hi Jörg.
Your idea is valid, but let me clarify my request better.

Let's take as a sample the Yara active response script for Windows, which is able to get from the log that it receives from the manager the path of the file to scan with yara.exe. Is it not possible to use the same process for Yara rules?
Could I not write a .bat file that takes the incoming data sent from the manager and writes it to a folder?

