ClamAV - Wazuh compatibility problem


Giacomazzi Gabriele Antonio

May 16, 2024, 3:13:11 PM5/16/24
to Wazuh | Mailing List
Hi everyone,
While I was running some tests in my work environment, I found that Wazuh and ClamAV can be linked in order to have alerts both via e-mail and on the Wazuh dashboard.
I've done everything written in the official Wazuh documentation on this topic (https://documentation.wazuh.com/current/user-manual/capabilities/malware-detection/clam-av-logs-collection.html, for context), but, even after restarting both machines, I did not see anything appear on the dashboard.
I'm writing here in hope to at least understand the problem.

Thanks in advance for the help

Best regards,
Gabriele

Sean Hurley

May 17, 2024, 4:40:27 AM5/17/24
to Giacomazzi Gabriele Antonio, Wazuh | Mailing List
Hello, I just set this up. This link is a bit out of date and I didn't use all of it, but I found it extremely useful. I have reduced the steps to set this up.
https://aaronbrighton.medium.com/installation-configuration-of-clamav-antivirus-on-ubuntu-18-04-a6416bab3b41

--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/f164ab61-71c6-419b-b862-7a0141a49d33n%40googlegroups.com.

Giacomazzi Gabriele Antonio

May 17, 2024, 4:41:24 AM5/17/24
to Sean Hurley, wa...@googlegroups.com
Hi, thanks for taking the time to answer this thread.
Maybe I didn't explain myself correctly: I've already done the ClamAV setup and it works like a charm. I encounter the problem I'm talking about when I try to set up the ClamAV log monitoring for Wazuh. I hope I have clarified the issue.

Regards,
Gabriele

Giacomazzi Gabriele Antonio

May 17, 2024, 9:21:38 AM5/17/24
to Wazuh | Mailing List
Hi again everyone,
a little update on the problem.

With the help of the Wazuh native ruleset test I found out that the decoder and rule both work (as you can see in the screenshot).
Now the problem is why I get no alerts in the Wazuh dashboard.

Thanks in advance

Regards,
Gabriele
[Attachment: wazuh - clamav decoder test.png]

Facundo Dalmau

May 20, 2024, 4:10:59 AM5/20/24
to Wazuh | Mailing List
Hi Gabriele.
We should check whether the Wazuh manager is receiving the events and generating the corresponding alerts before moving on to what may be happening with the dashboard. To achieve this, we should activate the logall option in the Wazuh manager, which will make Wazuh store in the /var/ossec/logs/archives/archives.log file every event sent to the analysis engine, whether it triggered a rule or not. By checking this file with a command like `grep clamd /var/ossec/logs/archives/archives.log` it is possible to determine whether the ClamAV events are being sent to the analysis engine and working properly. If you find the events in that file, we should then check the /var/ossec/logs/alerts/alerts.json file with a similar command (`grep ClamAV /var/ossec/logs/alerts/alerts.json`) to determine whether the alerts are being triggered correctly.

Note: Don't forget to disable the logall parameter once the troubleshooting has finished. Leaving it enabled could result in high disk space consumption.

Giacomazzi Gabriele Antonio

May 20, 2024, 4:34:43 AM5/20/24
to Facundo Dalmau, Wazuh | Mailing List
Hi, thanks for replying.

This morning I activated the logall option on my own, as described in some documentation, and the manager actually receives the logs.
The problem now is that I did not think about the fact that the log format could be the problem (since I am now using syslog, but the default clamd log file).
I've tried a couple of different regexes with the native ruleset test, but none of them worked; I'm now trying to write a different regex in the hope of making it work.

If anyone is so kind as to want to help with the regex, just let me know.

Regards,
Gabriele


Facundo Dalmau

May 22, 2024, 3:41:17 AM5/22/24
to Wazuh | Mailing List
Hi Gabriele. Is the log from the screenshot you shared what you found in the archives file? If not, please share an example of the logs you are seeing and the regex you have tested.

Giacomazzi Gabriele Antonio

May 22, 2024, 5:06:21 AM5/22/24
to Wazuh | Mailing List
Hi, thanks for replying.

While testing I discovered that the log I was testing was not the one that the manager was receiving.
This is a log line from the 'archives.log' file (note that I manually inserted, in the agent configuration file, the log file that has to be monitored):
--START OF LOG LINE--

2024 May 22 09:02:12 (hostname) any->/var/log/clamd.scan Wed May 22 11:02:12 2024 -> /home/user/testclam: Eicar-Signature FOUND

--END OF LOG LINE--

I don't remember where (probably in some thread on Reddit or here on the mailing list), but I read that the header is added by the Wazuh system and is not actually the log that is going to be "parsed".

This is the entire decoder i'm using, stored in /var/ossec/etc/decoders/local_decoder.xml:
--START OF DECODER--

<decoder name="clamd">
  <program_name>^clamd</program_name>
</decoder>

<decoder name="clamd-found">
  <parent>clamd</parent>
  <prematch>^FOUND</prematch>
  <regex>(\S+)(\s)(\w+)\s+(\w+)\s+(\d+:\d+:\d+)\s+(\d{4})\s+->\s+(.+?):\s+(.*)$</regex>
  <order>timestamp, file_path, extra_data</order>
</decoder>

<decoder name="freshclam">
  <program_name>^freshclam</program_name>
</decoder>

--END OF DECODER--

I disabled the original decoder as suggested by the Wazuh documentation.
The regex has been tested in regex101 with the log line I gave you (without the header), and it should work as intended.
Right now the ruleset test tool gives me the "no decoder found" "error".

Let me know if you need anything else.

Regards,
Gabriele

Facundo Dalmau

May 22, 2024, 11:31:28 AM5/22/24
to Wazuh | Mailing List
Hi Gabriele. The issue is related to the log format, which is not of syslog type, and to the decoder fields being grouped. Please try the following:
- Modify the decoder to obtain the timestamp, file_path and extra_data:
<decoder name="clamd-found">
    <parent>clamd</parent>
    <!-- Anchor on the verdict at the end of the line: the clamd line starts with a date, not with FOUND -->
    <prematch>FOUND$</prematch>
    <!-- {4} and the lazy .+? are PCRE syntax, which the default osregex dialect does not support,
         so the regex is declared as pcre2. \s+ around "->" and before the day tolerate one or more
         spaces (ctime pads single-digit days); (.+?):\s+ stops at the first ": " so paths survive. -->
    <regex type="pcre2">^(\w+\s+\w+\s+\d+\s+\d+:\d+:\d+\s+\d{4})\s+->\s+(.+?):\s+(.*)$</regex>
    <order>timestamp, file_path, extra_data</order>
</decoder>

- Add the following parameter to your localfile configuration in the agent's ossec.conf file:

<out_format>$(timestamp) $(hostname) clamd: $(log)</out_format>
 
This will add the corresponding fields to the event being sent to analysisd. Testing the event obtained from the archives should display the following:

May 22 17:25:37 ab33fd96f23f clamd: Wed May 22 11:02:12 2024 -> /home/user/testclam: Eicar-Signature FOUND

**Phase 1: Completed pre-decoding.
full event: 'May 22 17:25:37 ab33fd96f23f clamd: Wed May 22 11:02:12 2024 -> /home/user/testclam: Eicar-Signature FOUND'
timestamp: 'May 22 17:25:37'
hostname: 'ab33fd96f23f'
program_name: 'clamd'

**Phase 2: Completed decoding.
name: 'clamd'

**Phase 3: Completed filtering (rules).
id: '52502'
level: '8'
description: 'ClamAV: Virus detected'
groups: '['clamd', 'freshclam', 'virus']'
firedtimes: '1'
gdpr: '['IV_35.7.d']'
gpg13: '['4.2']'
mail: 'False'
nist_800_53: '['SI.3', 'SI.4']'
pci_dss: '['5.1', '5.2', '11.4']'
tsc: '['A1.2', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.
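
The following is an added example, not code from the thread or from the Wazuh project: a small Python model of the path an event takes in the exchange above, so the two failure points can be reproduced offline. It strips the header Wazuh adds in archives.log, emulates the `<out_format>` rewrite, runs a syslog-style pre-decode (timestamp, hostname, program_name), and then maps decoder capture groups onto `<order>` fields, rejecting a regex whose group count does not match the field count. The hostname, the read time and the second sample line (ctime-padded day, path with a space) are constructed. Python's `re` is PCRE-flavoured; Wazuh's default decoder dialect (osregex) is not, so PCRE syntax such as `\d{4}` or `.+?` needs `type="pcre2"` on the `<regex>` element or an osregex rewrite, and the real decoder must still be validated with `/var/ossec/bin/wazuh-logtest`.

```python
import re
from datetime import datetime

# --- Constructed samples (illustrative, not captured from a live system) ----
# A detection line as clamd writes it to its own LogFile (/var/log/clamd.scan).
RAW_CLAMD_LINE = "Wed May 22 11:02:12 2024 -> /home/user/testclam: Eicar-Signature FOUND"
# ctime pads single-digit days with two spaces; this path also contains a space.
PADDED_CLAMD_LINE = "Thu May  2 11:02:12 2024 -> /home/user/my file: Eicar-Signature FOUND"
# The same event as the manager stores it in archives.log when the agent ships
# the file as-is: Wazuh prepends "<when> (<agent>) <ip>-><location> ".
ARCHIVE_LINE = "2024 May 22 09:02:12 (hostname) any->/var/log/clamd.scan " + RAW_CLAMD_LINE
EXAMPLE_WHEN = datetime(2024, 5, 22, 17, 25, 37)  # assumed moment the agent read the line

ARCHIVE_HEADER = re.compile(
    r"^\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} \(\S+\) \S+->\S+ (?P<log>.*)$"
)
# Minimal model of analysisd's syslog pre-decoder: "Mmm dd hh:mm:ss host prog[pid]: msg".
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program_name>[^\s\[:]+)(?:\[\d+\])?: (?P<log>.*)$"
)


def strip_archive_header(archive_line):
    """Return the part of an archives.log line that decoders actually see."""
    m = ARCHIVE_HEADER.match(archive_line)
    return m.group("log") if m else archive_line


def apply_out_format(log, hostname, when):
    """Emulate <out_format>$(timestamp) $(hostname) clamd: $(log)</out_format>.

    Assumption: $(timestamp) renders as 'Mon dd HH:MM:SS', the shape seen in the thread.
    """
    return f"{when.strftime('%b %d %H:%M:%S')} {hostname} clamd: {log}"


def predecode(event):
    """Pre-decode a syslog-shaped event into timestamp/hostname/program_name/log.

    A bare clamd line ("Wed May 22 ...") has no syslog header, so it yields no
    program_name and a <program_name>^clamd</program_name> decoder can never match it.
    """
    m = SYSLOG_HEADER.match(event)
    return m.groupdict() if m else None


# Decoder <regex> candidates (PCRE dialect) and the <order> they must feed.
ORDER = ("timestamp", "file_path", "extra_data")
# Eight capture groups for three <order> fields: positions no longer line up.
REGEX_OVERGROUPED = re.compile(
    r"(\S+)(\s)(\w+)\s+(\w+)\s+(\d+:\d+:\d+)\s+(\d{4})\s+->\s+(.+?):\s+(.*)$"
)
# One group per field; \s+ tolerates ctime's double space before single-digit days,
# and the lazy (.+?) stops at the first ": " so paths containing spaces survive.
REGEX_THREE_FIELDS = re.compile(
    r"^(\w+\s+\w+\s+\d+\s+\d+:\d+:\d+\s+\d{4})\s+->\s+(.+?):\s+(.*)$"
)


def order_mismatch(regex, order=ORDER):
    """Capture groups minus <order> fields; anything but 0 means shifted or dropped fields."""
    return regex.groups - len(order)


def decode_fields(log, regex, order=ORDER):
    """Map capture groups onto <order> fields, refusing a group/field count mismatch."""
    if order_mismatch(regex, order) != 0:
        raise ValueError(f"{regex.groups} capture groups for {len(order)} <order> fields")
    m = regex.search(log)
    return dict(zip(order, m.groups())) if m else None


def pipeline(archive_line, use_out_format=True, hostname="ab33fd96f23f", when=EXAMPLE_WHEN):
    """archives.log line -> (optional) out_format -> pre-decode -> field decode."""
    log = strip_archive_header(archive_line)
    event = apply_out_format(log, hostname, when) if use_out_format else log
    header = predecode(event)
    if header is None or header["program_name"] != "clamd":
        return None  # the clamd parent decoder would not fire
    fields = decode_fields(header["log"], REGEX_THREE_FIELDS)
    if fields is None or not fields["extra_data"].endswith("FOUND"):
        return None  # matched clamd, but not a detection line
    return {"predecoded": header, "decoded": fields}


if __name__ == "__main__":
    print("without out_format:", pipeline(ARCHIVE_LINE, use_out_format=False))
    print("with out_format   :", pipeline(ARCHIVE_LINE))
```

Run it once with and once without the `out_format` step: the raw clamd line never acquires a `program_name`, so nothing downstream of the `clamd` parent decoder can fire, which is exactly the "no decoder found" result from the ruleset test; with the rewrite in place the same line pre-decodes as `clamd` and yields the three fields. The `order_mismatch` check is the example's own; it is the first thing to look at when `wazuh-logtest` shows fields shifted or missing.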

Giacomazzi Gabriele Antonio

May 23, 2024, 3:28:41 AM5/23/24
to Wazuh | Mailing List
Hi, thanks for replying.

Thank you for your assistance, you are a real lifesaver.
Using the regex and the agent configuration you gave me, everything works like a charm. I even receive email alerts, as I've configured in the rules file.

Thank you again for your time and assistance.

Best regards,
Gabriele
