Re: Yara integration problem


Manuel Camona Perez

Apr 28, 2022, 9:24:41 AM
to Wazuh mailing list
Hi Griselda Ago,

First of all, the Yara rules path specified in the command section is wrong.

    <extra_args>-yara_path /opt/yara-4.1.0/ -yara_rules /opt/yara-4.1.0/rules/</extra_args>

The Yara rules path must be the Yara rules file path instead of the path to the directory including the file.
The Yara path is OK.

Also, note that jq must be installed in the agent, as it is used by the Yara active response script.

With these changes, the Yara integration should work.

I also recommend that you execute Yara by hand (instead of using the yara.sh script) for testing purposes. This would help you troubleshoot better:

/opt/yara-4.1.0/yara -w -r /opt/yara-4.1.0/rules/rules_file file_to_scan

I hope this helps, don't hesitate to ask if you have more questions!

On Thursday, April 28, 2022 at 1:23:01 PM UTC+2 Griselda Ago wrote:
Hello to everyone. I need your help. I'm integrating YARA in Wazuh, but I'm not getting any notifications in Wazuh. I followed the instructions at https://documentation.wazuh.com/current/user-manual/capabilities/active-response/ar-use-cases/wazuh-with-yara.html
1) Firstly, I downloaded YARA to the Linux endpoint, which works very well.
2) Then I made the following modifications to the MANAGER:
  
<command>
  <name>yara</name>
  <executable>yara.sh</executable>
  <extra_args>-yara_path /opt/yara-4.1.0/ -yara_rules /opt/yara-4.1.0/rules/</extra_args>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <command>yara</command>
  <location>local</location>
  <rules_id>550,554</rules_id>
</active-response>

3) Then I created: nano /var/ossec/etc/decoders/yara_decoders.xml

<decoder name="yara">
  <prematch>wazuh-yara: </prematch>
</decoder>


<decoder name="yara">
  <parent>yara</parent>
  <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
  <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara">
  <parent>yara</parent>
  <regex>wazuh-yara: (\S+) - Yara active response error. (\.+)</regex>
  <order>log_type, error_message</order>
</decoder>

4) The same for the rules: nano /var/ossec/etc/rules/yara_rules.xml

<group name="yara,">
    <rule id="100100" level="0">
        <decoded_as>yara</decoded_as>
        <description>YARA rules grouped.</description>
    </rule>

    <rule id="100101" level="5">
        <if_sid>100100</if_sid>
        <field name="error_message">\.+</field>
        <description>YARA error detected.</description>
    </rule>

    <rule id="100102" level="10">
        <if_sid>100100</if_sid>
        <field name="yara_rule">\.+</field>
        <description>YARA $(yara_rule) detected.</description>
    </rule>
</group>


5) To the AGENT: nano /var/ossec/active-response/bin/yara.sh

#!/bin/bash

#------------------------- Gather parameters -------------------------#

# Static active response parameters
LOCAL=$(dirname "$0")

# Extra arguments
read -r INPUT_JSON
YARA_PATH=$(echo $INPUT_JSON | jq -r .parameters.extra_args[1])
YARA_RULES=$(echo $INPUT_JSON | jq -r .parameters.extra_args[3])
FILENAME=$(echo $INPUT_JSON | jq -r .parameters.alert.syscheck.path)
COMMAND=$(echo $INPUT_JSON | jq -r .command)

# Move to the active response folder
cd "$LOCAL"
cd ../

# Set LOG_FILE path
PWD=$(pwd)
LOG_FILE="${PWD}/../logs/active-responses.log"

#----------------------- Analyze parameters -----------------------#

if [[ ! $YARA_PATH ]] || [[ ! $YARA_RULES ]]
then
  echo "wazuh-yara: ERROR - Yara active response error. Yara path and rules parameters are mandatory." >> ${LOG_FILE}
  exit
fi

#------------------------ Analyze command -------------------------#
if [ ${COMMAND} = "add" ]
then
  # Send control message to execd
  printf '{"version":1,"origin":{"name":"yara","module":"active-response"},"command":"check_keys", "parameters":{"keys":[]}}\n'

  read RESPONSE
  COMMAND2=$(echo $RESPONSE | jq -r .command)
  if [ ${COMMAND2} != "continue" ]
  then
    echo "wazuh-yara: INFO - Yara active response aborted." >> ${LOG_FILE}
    exit 1;
  fi
fi

#------------------------- Main workflow --------------------------#

# Execute Yara scan on the specified filename
yara_output="$("${YARA_PATH}"/yara -w -r "$YARA_RULES" "$FILENAME")"

if [[ $yara_output != "" ]]
then
  # Iterate every detected rule and append it to the LOG_FILE
  while read -r line; do
  echo "wazuh-yara: INFO - Scan result: $line" >> ${LOG_FILE}
  done <<< "$yara_output"
fi

exit 1;

6) I have changed the ownership and the permissions of the yara.sh file:

┌──(root㉿kali)-[/var/ossec/active-response/bin]
└─# ls -llh yara.sh
-rwxr-x--- 1 root ossec 1.9K Apr 28 11:40 yara.sh

7) Then I downloaded a malware file from https://dasmalwerk.eu/ to the endpoint, inside the /opt/ folder, but I do not see any Wazuh notifications.
Where is my problem?
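As an added example (not Wazuh's code and not the script from this thread), the following Python mirrors the jq lookups that yara.sh performs on the execd message and adds the two checks raised above: the -yara_rules argument must be a file, not the rules directory, and the alert must carry syscheck.path, which only the FIM rules 550/554 provide. It goes beyond the script by pairing the extra_args by flag name instead of by fixed index; every message field and path below is constructed.

```python
import json

# Added example, not Wazuh's code: it mirrors the jq lookups yara.sh performs on the
# JSON that wazuh-execd writes to the script's stdin and adds the checks this thread
# needed. Message fields and paths below are constructed for the test.
ERR = "wazuh-yara: ERROR - Yara active response error. "

def make_execd_message(extra_args, syscheck_path=None):
    """Build a constructed execd 'add' message shaped like the one yara.sh reads."""
    alert = {"rule": {"id": "554"}}
    if syscheck_path is not None:
        alert["syscheck"] = {"path": syscheck_path}
    return json.dumps({"version": 1, "command": "add",
                       "origin": {"name": "worker01", "module": "wazuh-execd"},
                       "parameters": {"extra_args": extra_args, "alert": alert}})

def parse_extra_args(extra_args):
    """Pair '-flag value' items by name instead of by position (extra_args[1] and
    extra_args[3] in yara.sh), so a reordered <extra_args> still works."""
    pairs = {}
    for flag, value in zip(extra_args[::2], extra_args[1::2]):
        if flag.startswith("-"):
            pairs[flag] = value
    return pairs

def build_yara_command(input_json):
    """Return (argv, None) for the yara call yara.sh would run, or (None, log_line)
    with the message that would land in active-responses.log instead."""
    params = json.loads(input_json).get("parameters", {})
    args = parse_extra_args(params.get("extra_args", []))
    yara_path, rules = args.get("-yara_path"), args.get("-yara_rules")
    # Same condition and message as the script's 'Analyze parameters' block.
    if not yara_path or not rules:
        return None, ERR + "Yara path and rules parameters are mandatory."
    # The first bug in the thread: -yara_rules ending in '/' is the rules directory
    # (on the agent itself os.path.isfile would be the real check). Constructed message.
    if rules.endswith("/"):
        return None, ERR + "-yara_rules must name a rules file, not a directory."
    # jq -r prints the string 'null' for a missing key, so yara.sh would scan a file
    # literally named 'null'; this is what happens when rules_id is not 550,554.
    filename = params.get("alert", {}).get("syscheck", {}).get("path")
    if not filename:  # constructed message
        return None, ERR + "alert carries no syscheck.path (rules_id must be 550,554)."
    return [yara_path.rstrip("/") + "/yara", "-w", "-r", rules, filename], None
```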

Griselda Ago

Apr 28, 2022, 10:32:37 AM
to Wazuh mailing list
Hi Manuel, thank you very much for your response. I'm still struggling with this.

I changed the Yara rules like this:

  <command>
    <name>yara</name>
    <executable>yara.sh</executable>
    <extra_args>-yara_path /opt/yara-4.1.0/ -yara_rules /opt/yara-4.1.0/rules/index.yar </extra_args>
    <timeout_allowed>no</timeout_allowed>
  </command>

But it still doesn't work. But if I test Yara, it works:
[Attachments: yara resultat.PNG, yara rules.PNG]
What would be the correct Yara rules file? What should I write?

Manuel Camona Perez

Apr 29, 2022, 3:25:27 AM
to Wazuh mailing list
Hi again Griselda Ago,

I see that you configured active response to use the /opt/yara-4.1.0/rules/index.yar Yara rules file, but in your manual test, you used the crypto_index.yar file. Try testing with the same rules file to confirm that, for the file added, those Yara rules match.

Also, check that the yara.sh script in the agent has the appropriate ownership and permissions. File ownership is root:ossec and the permissions are 750.

Finally, check that file integrity monitoring is enabled for the /opt directory. This is important as FIM will generate the alerts with ID 550 and 554 when a new file is added or a current file is modified. These 2 alerts are the ones in charge of triggering the active response script execution.

If after all these checks, the problem isn't solved, try looking for active response error logs in the ossec.log. Enabling the debug mode (debug=2) for the execd daemon will help you troubleshoot better. In order to enable this debug mode, add the following line to /var/ossec/etc/local_internal_options.conf:

execd.debug=2

Griselda Ago

Apr 29, 2022, 4:22:05 AM
to Wazuh mailing list
Hello, I made this change in the manager but still nothing. Where can I add this "execd.debug=2", in the MANAGER or the AGENT? Sorry for such basic questions, but I'm new to Wazuh & Yara.

[Attachments: yara manager2.PNG, syscheck.PNG, yara_sh.PNG]

Manuel Camona Perez

Apr 29, 2022, 5:46:00 AM
to Wazuh mailing list
Why have you changed the value of rules_id in the active response configuration from 550,554 to 100300,100301? Try using 550,554. This is important because these rules generate alerts containing the filename that is going to be parsed and involved in the Yara scan.

Add execd.debug=2 to the agent's local_internal_options.conf.

Griselda Ago

Apr 29, 2022, 6:10:08 AM
to Wazuh mailing list
Hello, I added execd.debug=2 to the agent. And I changed the rule ID in the manager conf. But still nothing. The result of the logs is like this. I don't know why it doesn't work.
[Attachments: execd.PNG, yara manager3.PNG, active-response.PNG, ossec_log.PNG]

Manuel Camona Perez

Apr 29, 2022, 6:56:26 AM
to Wazuh mailing list
OK, I have just realized that you added the file integrity monitoring configuration to the manager's ossec.conf. It must be in the agent's configuration.
Add this configuration, restart and tell me how it goes.

Manuel Camona Perez

Apr 29, 2022, 6:58:19 AM
to Wazuh mailing list
Note that the flow is the following:

Malicious file downloaded -> FIM generates alert (550 or 554) -> Active Response triggered -> yara.sh executed -> Yara logs are written in /var/ossec/logs/active-responses.log -> Yara alerts generated

If FIM is not configured in the manager, we are still at step number 2.

Manuel Camona Perez

Apr 29, 2022, 7:18:13 AM
to Wazuh mailing list
Mistake in the last message:

If FIM is not configured in the agent***, we are still at step number 2.

Griselda Ago

Apr 29, 2022, 7:31:02 AM
to Wazuh mailing list
Now I have this result in ossec.conf. And in Wazuh, it manages to catch the action but does not identify it as YARA. How can I fix this?
[Attachments: ossec_logs2.PNG, wazuh1.PNG, wazuh2.PNG, wazuh3.PNG, yara rules1.PNG, yara decoder.PNG]

Griselda Ago

Apr 29, 2022, 7:45:47 AM
to Wazuh mailing list
From what I understand, Wazuh already captures any additions or changes to a file, but nothing to do with Yara.

Griselda Ago

May 2, 2022, 3:31:34 AM
to Wazuh mailing list

Hello Manuel, I still need your help; I'm still struggling with Yara. I found this. Maybe the problem is that the active response status is disabled? I'm looking for where my problem is but I cannot find it.
[Attachment: active response.PNG]

Manuel Camona Perez

May 3, 2022, 3:27:35 AM
to Wazuh mailing list
Hi again and sorry for the late response,

> From what I understand, Wazuh already captures any additions or changes to a file, but nothing to do with Yara.

Wazuh monitors file changes and additions if FIM is configured properly, as I said in previous comments.


> Now I have this result in ossec.conf. And in Wazuh, it manages to catch the action but does not identify it as YARA. How can I fix this?

In the logs you showed with this question, we can see that the Yara script is being executed by active response. This statement answers your last question: no, active response is not disabled, because the Yara script was executed by AR when the file was added/modified.


If we have a look again at the use case steps:

Malicious file downloaded -> FIM generates alert (550 or 554) -> Active Response triggered -> yara.sh executed -> Yara logs are written in /var/ossec/logs/active-responses.log -> Yara alerts generated

Right now, we are in the "yara.sh executed" step. As I told you, the Yara script was executed. This can be seen in the logs you showed in a previous comment. Have a look at /var/ossec/logs/active-responses.log. The Yara scan result should have been written there. Could you have a look at that log file?
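To see what the next steps of that flow do with the log, here is an added example (not part of the thread and not Wazuh's decoder engine) that replays the yara decoders and rules posted above over constructed active-responses.log lines; paste in lines copied from the agent's log to check whether they would reach rule 100102.

```python
import re

# Added example, not Wazuh's decoder engine: it replays the yara_decoders.xml and
# yara_rules.xml from this thread over lines of active-responses.log, so the output
# of yara.sh can be checked offline. The log excerpt at the bottom is constructed.
# Wazuh regex \S+ and \.+ correspond to Python \S+ and .+ ; groups follow <order>.
SCAN_RE = re.compile(r"wazuh-yara: (\S+) - Scan result: (\S+) (\S+)")
ERROR_RE = re.compile(r"wazuh-yara: (\S+) - Yara active response error\. (.+)")

def decode_line(line):
    """Parent decoder <prematch>, then the two child decoders with their fields."""
    if "wazuh-yara: " not in line:  # prematch fails: not a Yara log line at all
        return None
    m = SCAN_RE.search(line)
    if m:
        return {"log_type": m.group(1), "yara_rule": m.group(2),
                "yara_scanned_file": m.group(3)}
    m = ERROR_RE.search(line)
    if m:
        return {"log_type": m.group(1), "error_message": m.group(2)}
    return {}  # decoded_as yara but no child matched: only rule 100100 fires

def match_rule(fields):
    """Apply the <field> conditions of yara_rules.xml (error_message, yara_rule)."""
    if fields is None:
        return None
    if "error_message" in fields:
        return {"id": "100101", "level": 5, "description": "YARA error detected."}
    if "yara_rule" in fields:  # description expands $(yara_rule) like the rule does
        return {"id": "100102", "level": 10,
                "description": "YARA %s detected." % fields["yara_rule"]}
    return {"id": "100100", "level": 0, "description": "YARA rules grouped."}

def process_log(text):
    """Return (rule id, level, fields) for every line that decodes as yara."""
    out = []
    for line in text.splitlines():
        fields = decode_line(line)
        rule = match_rule(fields)
        if rule is not None:
            out.append((rule["id"], rule["level"], fields))
    return out

# Constructed excerpt: one non-Yara line, one match, one error from the script.
SAMPLE_LOG = """\
2022/05/03 10:02:11 active-response/bin/yara.sh: started (constructed line)
wazuh-yara: INFO - Scan result: sample_rule /opt/sample.exe
wazuh-yara: ERROR - Yara active response error. Yara path and rules parameters are mandatory.
"""
```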

Griselda Ago

May 3, 2022, 6:59:28 PM
to Wazuh mailing list

Hello Manuel. Thank you very much for your help. Finally, Yara alerts are now appearing in Wazuh. I have done it for 2 agents and it's all good. But if I want to integrate Yara into dozens of agents, do I have to do this integration individually in each agent?

[Attachment: yara alert.PNG]
On Tuesday, May 3, 2022 at 9:54:47 AM UTC+2 Griselda Ago wrote:
Hello, thanks for your reply. I still have not found the problem. This is the result of these logs. And in yara.sh I wrote what is written on this page, without any change: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/ar-use-cases/wazuh-with-yara.html
[Attachments: active response1.PNG, active response.PNG]

Manuel Camona Perez

May 4, 2022, 3:26:39 AM
to Wazuh mailing list
Yes, you will need to configure file integrity monitoring and include the yara.sh script in all agents (and install jq and Yara). 
From Wazuh, we don't provide any tool or script to do this immediately, so you will need to create, for instance, a bash script to send the Yara script to all agents (via ssh, for instance); install jq and Yara, and configure file integrity monitoring properly.

Griselda Ago

May 4, 2022, 5:06:45 AM
to Wazuh mailing list
Thank you very much for your help. Is there any possibility that Wazuh can automatically remove the malware files/programs found by Yara? Or is Yara only for detecting?

Manuel Camona Perez

May 5, 2022, 2:51:29 AM
to Wazuh mailing list

You can modify the yara.sh script by adding a command to delete the file.

Just add something like rm $FILENAME at the end of the script. For instance:

yara.sh:

...

# Execute Yara scan on the specified filename
yara_output="$("${YARA_PATH}"/yara -w -r "$YARA_RULES" "$FILENAME")"

if [[ $yara_output != "" ]]
then
    # Iterate every detected rule and append it to the LOG_FILE
    while read -r line; do
    echo "wazuh-yara: INFO - Scan result: $line" >> ${LOG_FILE}
    done <<< "$yara_output"

    # Delete the file only when Yara reported a match (quoted: paths may contain spaces)
    rm -f "$FILENAME"
fi

exit 1;

Griselda Ago

May 5, 2022, 4:43:12 AM
to Wazuh mailing list
Thank you very much Manuel for all your help from the beginning. 

Saiful Alam Shihab

Nov 14, 2022, 4:08:58 AM
to Wazuh mailing list

Hi Manuel,

I am having the same issue. Could you please help?

Mayler Saíd

Feb 1, 2023, 3:39:32 PM
to Wazuh mailing list


wazuh-yara: ERROR - Yara active response error. Yara path and rules parameters are mandatory.  SOLUTION


To resolve the issue below, you first need to review the steps following this documentation https://documentation.wazuh.com/current/user-manual/capabilities/active-response/ar-use-cases/wazuh-with-yara.html

After following it, if the message still appears, check the following steps:

1 - Check if the FIM module is active and functional. Open the ossec.conf file inside the manager and the agent, add the path below as an example, and restart both.

     <!-- Directories to check (perform all possible verifications) -->
     <directories check_all="yes" realtime="yes">/tmp*</directories>

2 - After this verification, if the problem still persists, check that the path you configured inside the manager in the ossec.conf file is working.


   <command>
     <name>yara</name>
     <executable>yara.sh</executable>
     <extra_args>-yara_path /usr/bin -yara_rules /opt/yara_rules/rules/index.yar</extra_args>
     <timeout_allowed>no</timeout_allowed>
   </command>
   <active-response>
     <command>yara</command>
     <location>local</location>
     <rules_id>550,554</rules_id>
   </active-response>

To discover the correct path on your agent machine, just use the command whereis yara and it will tell you the correct path where the binary is. If this deployment is for several computers, all computers must be configured with the same directories for the binary and the rules.

3 - When creating the yara.sh file, do not forget to run the commands below:

chmod 750 yara.sh
chown root:wazuh yara.sh   (or root:ossec; check the group with ls -l)

4 - If you are using the documentation mentioned above and you are still having the problem, check if the main dependency of the yara.sh script is installed:


apt-get install jq
yum install jq

For dealing with calls in JSON, it is necessary to install this dependency. In my case, everything above was working and I had only overlooked jq. After that, everything is 100% functional.

Don't forget to restart the wazuh agent service whenever you make any changes.

You can test if it is working just by using the command below to monitor in real time what is going to Wazuh:

tail -f /var/ossec/logs/active-responses.log

Using step 1 as a test, download a test file from https://www.dasmalwerk.eu/ using wget and check the tail above.

Then unzip the filename and password so everyone is infected.