Unable to run integration for virustotal -> integrations


Nemo191 Nm
Nov 18, 2024, 4:51:37 AM
to Wazuh | Mailing List
Hi! I looked at the block in ossec.log and saw the following:

Nov 18, 2024 @ 03:32:56.000 wazuh-integratord ERROR Unable to run integration for virustotal -> integrations
Nov 18, 2024 @ 03:32:56.000 wazuh-integratord ERROR While running virustotal -> integrations. Output: UnicodeDecodeError: 'utf-8' codec can't decode byte 0xcf in position 1076: invalid continuation byte
Nov 18, 2024 @ 03:32:56.000 wazuh-integratord ERROR Exit status was: 1

How to fix it?

Stuti Gupta
Nov 18, 2024, 5:45:01 AM
to Wazuh | Mailing List
Hi Nemo,

Exit code 4 indicates ERR_NO_RESPONSE_VT.


I recommend you check this documentation about virustotal integration working with FIM:
https://documentation.wazuh.com/current/user-manual/capabilities/virustotal-scan/integration.html?highlight=virustotal#use-case-scanning-a-file


The integration is triggered when some file is added/removed/edited in the directories monitored by syscheck. You will see in alerts.json a syscheck alert and then a virustotal alert. Can you check these conditions?

Have you checked that the alerts configured to trigger the integration appear in /var/ossec/logs/alerts/alerts.json?


Can you send me the same alert from the alerts.json file? Because the integration reads the alerts.json file to trigger the integration script. Maybe there is some character there that causes the problem!


Also, share the following information.


What is the version of your Wazuh Manager?

Can you share your VirusTotal configuration from ossec.conf, hiding your private API key?

Have you made any changes to the Virustotal script?

Please share the Virustotal script from the following file
/var/ossec/integrations/virustotal.py


Looking forward to your update on the issue.
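Added example for this thread (not Wazuh's code and not a script from either participant): the integratord error at the top is Python's strict UTF-8 decoder failing on one byte. The scanner below finds every line of an alerts.json-style file that does not decode, reporting the line number, the byte offset within the line (the same "position" the error message prints) and the byte value, so the offending alert can be located and inspected. It also shows lenient decoding (errors="replace"), which is how a consumer can keep processing the remaining alerts instead of aborting on one bad byte. The sample alerts are constructed, not real Wazuh output.

```python
"""Locate non-UTF-8 bytes in a Wazuh alerts.json file.

Added example for this mailing-list thread; it is not Wazuh code and not a
script posted by either participant. Alert lines are constructed samples.
"""
import json
import sys
from typing import List, Tuple


def find_invalid_utf8_lines(data: bytes) -> List[Tuple[int, int, int]]:
    """Return (line_number, byte_offset, byte_value) for each line of `data`
    that is not valid UTF-8. Line numbers are 1-based; the offset is
    UnicodeDecodeError.start, i.e. the "position" quoted in the error."""
    findings = []
    for lineno, raw in enumerate(data.splitlines(), start=1):
        try:
            raw.decode("utf-8")  # strict decoding, the mode that raised the error
        except UnicodeDecodeError as exc:
            findings.append((lineno, exc.start, raw[exc.start]))
    return findings


def load_alerts_lenient(data: bytes) -> List[dict]:
    """Parse every alert line, substituting U+FFFD for undecodable bytes so
    that a single bad alert does not stop the others from being processed."""
    alerts = []
    for raw in data.splitlines():
        if not raw.strip():
            continue
        text = raw.decode("utf-8", errors="replace")
        alerts.append(json.loads(text))
    return alerts


# Constructed sample, not real Wazuh output: two clean alerts and one whose
# file path carries a lone 0xcf byte. 0xcf starts a two-byte UTF-8 sequence,
# and the '.' after it is not a continuation byte, which reproduces the
# "invalid continuation byte" failure seen in the thread.
SAMPLE_ALERTS = (
    b'{"rule":{"id":"550"},"syscheck":{"path":"/tmp/a.txt","event":"modified"}}\n'
    b'{"rule":{"id":"554"},"syscheck":{"path":"/tmp/b\xcf.bin","event":"added"}}\n'
    b'{"rule":{"id":"553"},"syscheck":{"path":"/tmp/c.txt","event":"deleted"}}\n'
)


def report(data: bytes) -> str:
    """One summary line per undecodable alert, or a single all-clear line."""
    lines = [
        f"line {lineno}: byte 0x{byte:02x} at position {offset}"
        for lineno, offset, byte in find_invalid_utf8_lines(data)
    ]
    return "\n".join(lines) if lines else "all lines are valid UTF-8"


if __name__ == "__main__":
    # Usage: python3 find_bad_utf8.py /var/ossec/logs/alerts/alerts.json
    # Without an argument the constructed sample is scanned instead.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else SAMPLE_ALERTS
    print(report(blob))
    print(f"{len(load_alerts_lenient(blob))} alerts parsed leniently")
```

Run it against the real alerts.json to find which alert the integration choked on; the reported line can then be shared (with paths redacted) as the reply above asks. The replacement character keeps the JSON parseable, so the path is still visible in the decoded alert even though the original byte is lost.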

Nemo191 Nm
Nov 18, 2024, 8:08:59 AM
to Wazuh | Mailing List
Hi! Thanks for the reply.

Wazuh-manager 4.8.


alerts.json: sorry, can't.


ossec.conf
<!-- VirusTotal -->

<integration>
  <name>virustotal</name>
  <api_key>12345678</api_key> <!-- Replace with your VirusTotal API key -->
  <group>syscheck</group>
  <alert_format>json</alert_format>
</integration>

virustotal.py
I have not modified /var/ossec/integrations/virustotal.py.

This is the code there (virustotal.py):

# ossec.conf configuration:
# <integration>
#   <name>virustotal</name>
#   <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
#   <group>syscheck</group>
#   <alert_format>json</alert_format>
# </integration>

# Global vars

...etc


Monday, November 18, 2024 at 13:45:01 UTC+3, Stuti Gupta:

Stuti Gupta
Nov 22, 2024, 1:19:34 AM
to Wazuh | Mailing List
Hi Nemo,

Make sure to get your API key from the VirusTotal API key page.

Please check the VT API connectivity; a simple curl command can be used to test connectivity and the VT API key.
curl https://www.virustotal.com/vtapi/v2/file/report -F resource=1394942aef881f6fa872e0ce8c604bccb0ece22693b4fb5a5db0f5f2e6979f5e -F apikey=<vt-api-key>

The parameter "resource=" can be changed to the SHA256 hash of any file in the VirusTotal database.
The parameter "apikey=" needs to be a valid VirusTotal API key.
If connectivity is present and the API key is valid, a file report will be returned in JSON format.
If the API key is invalid, VT will return no text at all.
If connectivity is problematic, CURL will return an error such as "curl: (7)" for a connection failure.
CURL status codes may be found here: https://curl.haxx.se/libcurl/c/libcurl-errors.html

Check the log related to integrations at /var/ossec/logs/integrations.log

Make sure your virustotal.py script is the same as this one https://github.com/wazuh/wazuh/blob/master/integrations/virustotal.py

Hope to hear from you soon

Nemo191 Nm
Nov 22, 2024, 3:50:03 AM
to Wazuh | Mailing List
Hi!
Thank you.

I tried it today; it looks like JSON was returned. Also, tell me which file's SHA256 to look up in the VirusTotal database. Where can I find it in Wazuh?

Friday, November 22, 2024 at 09:19:34 UTC+3, Stuti Gupta:

Stuti Gupta
Nov 25, 2024, 5:13:17 AM
to Wazuh | Mailing List
Hi Nemo,


You use the Wazuh File Integrity Monitoring (FIM) module to monitor a directory for changes and the VirusTotal API to scan the files in the directory. When you download any malicious file into that directory, it will generate a JSON alert that will have the hash. You can use that hash. Example hash: 1394942aef881f6fa872e0ce8c604bccb0ece22693b4fb5a5db0f5f2e6979f5e

Hope this helps
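Added example (not from Stuti, Nemo or Wazuh) showing where the hash the last reply refers to lives in an FIM alert and how to pull it out of alerts.json. It assumes the standard Wazuh FIM alert layout: rule.groups lists "syscheck", syscheck.event is "added", "modified" or "deleted", and the hash of the file after the change is in syscheck.sha256_after; those field names are an assumption here, as are the rule ids and group names in the constructed sample lines. The hash is validated as 64 hex characters before being accepted, deleted-file alerts (which carry no "after" hash) are skipped, and the request builder mirrors the curl command from earlier in the thread without sending anything.

```python
"""Extract FIM file hashes from Wazuh alerts.json for VirusTotal lookups.

Added example for this mailing-list thread; not Wazuh's own code. Assumed
alert fields: rule.groups, syscheck.event, syscheck.path, syscheck.sha256_after.
Sample alert lines below are constructed, including their rule ids/groups.
"""
import json
import re
import sys
from typing import List, Optional

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
VT_FILE_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"


def is_sha256(value: Optional[str]) -> bool:
    """True if value is a lowercase hex SHA256 digest (64 hex characters)."""
    return isinstance(value, str) and SHA256_RE.match(value) is not None


def extract_fim_hashes(data: bytes) -> List[dict]:
    """Return [{"path", "event", "sha256"}] for each FIM alert in `data` that
    carries a well-formed sha256_after. Undecodable bytes are replaced and
    unparseable lines skipped, so one bad alert does not abort the scan
    (the failure mode reported at the top of this thread)."""
    found = []
    for raw in data.splitlines():
        if not raw.strip():
            continue
        try:
            alert = json.loads(raw.decode("utf-8", errors="replace"))
        except json.JSONDecodeError:
            continue
        groups = alert.get("rule", {}).get("groups", [])
        syscheck = alert.get("syscheck")
        if "syscheck" not in groups or not isinstance(syscheck, dict):
            continue  # not an FIM alert
        sha256 = syscheck.get("sha256_after")
        if not is_sha256(sha256):
            continue  # deleted file (no "after" hash) or malformed value
        found.append({"path": syscheck.get("path"),
                      "event": syscheck.get("event"),
                      "sha256": sha256})
    return found


def vt_report_request(sha256: str, api_key: str) -> dict:
    """Describe the request the curl command in this thread sends (POST with
    form fields resource= and apikey=); building only, no network call."""
    return {"url": VT_FILE_REPORT_URL, "method": "POST",
            "form": {"resource": sha256, "apikey": api_key}}


# Constructed sample alerts (rule ids, groups and paths are illustrative).
SAMPLE_ALERTS = b"\n".join([
    # FIM "added": the new file's hash is in sha256_after.
    b'{"rule":{"id":"554","groups":["ossec","syscheck","syscheck_file"]},'
    b'"syscheck":{"path":"/tmp/test/evil.bin","event":"added",'
    b'"sha256_after":"1394942aef881f6fa872e0ce8c604bccb0ece22693b4fb5a5db0f5f2e6979f5e"}}',
    # FIM "deleted": nothing left to look up, no sha256_after present.
    b'{"rule":{"id":"553","groups":["ossec","syscheck","syscheck_file"]},'
    b'"syscheck":{"path":"/tmp/test/old.bin","event":"deleted"}}',
    # Non-FIM alert (sshd), ignored.
    b'{"rule":{"id":"5710","groups":["syslog","sshd"]},"data":{"srcip":"198.51.100.7"}}',
    # FIM "modified" with a truncated hash value, rejected by validation.
    b'{"rule":{"id":"550","groups":["ossec","syscheck","syscheck_file"]},'
    b'"syscheck":{"path":"/tmp/test/bad.bin","event":"modified","sha256_after":"deadbeef"}}',
])


if __name__ == "__main__":
    # Usage: python3 fim_hashes.py /var/ossec/logs/alerts/alerts.json
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else SAMPLE_ALERTS
    for row in extract_fim_hashes(blob):
        print(f"{row['event']:<9} {row['sha256']}  {row['path']}")
```

Each printed hash is a value for the "resource=" parameter of the curl test posted earlier; the JSON file report that comes back for the sample hash is the same check the integration performs on every FIM alert.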