VirusTotal Integration


Aykhan Huseynli

Oct 1, 2022, 7:44:18 AM
to Wazuh mailing list
Hi Team,

I'm currently trying to integrate the VirusTotal module in Wazuh, but I'm facing some difficulties. I followed the manual and proof-of-concept pages, but I'm not receiving alerts in the dashboard. Below I'm sharing what I've done so far.
Also, I don't want to trigger Active Response. My goal is just to check the hashes of added files.

Looking forward to your suggestions! Have a great weekend.


dashboard-screen.png
Example-of-recived-alert.png
VirusTotal-api-in-ossec.conf.png
ossec.conf.txt
agent.conf.txt
integrations.log.txt
integrations.log.png
Example-of-recieved-alert.png

Anthony Faruna

Oct 1, 2022, 11:40:10 AM
to Aykhan Huseynli, Wazuh mailing list
Hello Aykhan

Thank you for using Wazuh 

For the purpose of troubleshooting, please modify this part of your configuration in /var/ossec/etc/ossec.conf for the integration to look like this:

<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key>YOUR_VIRUS_TOTAL_API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>


Replace the <rule_id> block in your configuration with the <group> block.

Restart the Wazuh server after making the change and check the dashboard for the alert.

I will be expecting your feedback.

Best Regards


Aykhan Huseynli

Oct 1, 2022, 1:38:44 PM
to Wazuh mailing list
Hello Anthony!

Thanks for your quick reply. I added "<group>syscheck</group>" and immediately received an alert. Do you have any suggestions regarding the active response? It would be great to implement it as well and make it work with Windows endpoints. Let me know if I have to create a new conversation.
Screenshot from 2022-10-01 21-31-46.png

Anthony Faruna

Oct 1, 2022, 3:11:50 PM
to Aykhan Huseynli, Wazuh mailing list
Hello Aykhan

I am really glad to know it's working now.

To implement active response, please follow the steps below.

Configure the following on the Windows endpoint:

1. Install Python and PyInstaller:
Open Microsoft Store on your endpoint and search for “Python”. Select the latest version and click on Get.
Once Python has completed the installation process, open a PowerShell terminal and use pip to install PyInstaller:
> pip install pyinstaller
> pyinstaller --version

They are used here to convert the active response Python script into an executable application that can run on a Windows endpoint.

2. Create an active response script remove-threat.py for the removal of a file from the Windows endpoint:
#!/usr/bin/python3
# Copyright (C) 2015-2022, Wazuh Inc.
# All rights reserved.

import os
import sys
import json
import datetime

# the agent appends to this log; rule 657 on the manager decodes these lines
if os.name == 'nt':
    LOG_FILE = "C:\\Program Files (x86)\\ossec-agent\\active-response\\active-responses.log"
else:
    LOG_FILE = "/var/ossec/logs/active-responses.log"

ADD_COMMAND = 0
DELETE_COMMAND = 1
CONTINUE_COMMAND = 2
ABORT_COMMAND = 3

OS_SUCCESS = 0
OS_INVALID = -1

class message:
    def __init__(self):
        self.alert = ""
        self.command = 0

def write_debug_file(ar_name, msg):
    with open(LOG_FILE, mode="a") as log_file:
        log_file.write(datetime.datetime.now().strftime('%Y/%m/%d %H:%M:%S') + " " + ar_name + ": " + msg + "\n")

def setup_and_check_message(argv):
    msg = message()

    # the agent writes the alert as one JSON line on stdin
    input_str = sys.stdin.readline()

    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        msg.command = OS_INVALID
        return msg

    msg.alert = data

    command = data.get("command")

    if command == "add":
        msg.command = ADD_COMMAND
    elif command == "delete":
        msg.command = DELETE_COMMAND
    else:
        msg.command = OS_INVALID
        # str() so a missing "command" key does not raise a TypeError here
        write_debug_file(argv[0], 'Not valid command: ' + str(command))

    return msg


def send_keys_and_check_message(argv, keys):

    # build and send the check_keys message; the agent answers "continue" or "abort"
    keys_msg = json.dumps({"version": 1, "origin": {"name": argv[0], "module": "active-response"}, "command": "check_keys", "parameters": {"keys": keys}})

    write_debug_file(argv[0], keys_msg)

    print(keys_msg)
    sys.stdout.flush()

    # read the response to the previous message (an empty string means stdin was closed)
    input_str = sys.stdin.readline()

    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        return OS_INVALID

    action = data.get("command")

    if "continue" == action:
        ret = CONTINUE_COMMAND
    elif "abort" == action:
        ret = ABORT_COMMAND
    else:
        ret = OS_INVALID
        write_debug_file(argv[0], "Invalid value of 'command'")

    return ret

def main(argv):

    write_debug_file(argv[0], "Started")

    # validate json and get command
    msg = setup_and_check_message(argv)

    if msg.command < 0:
        sys.exit(OS_INVALID)

    if msg.command == ADD_COMMAND:
        alert = msg.alert["parameters"]["alert"]
        keys = [alert["rule"]["id"]]
        action = send_keys_and_check_message(argv, keys)

        # if necessary, abort execution
        if action != CONTINUE_COMMAND:

            if action == ABORT_COMMAND:
                write_debug_file(argv[0], "Aborted")
                sys.exit(OS_SUCCESS)
            else:
                write_debug_file(argv[0], "Invalid command")
                sys.exit(OS_INVALID)

        # remove the file VirusTotal flagged, as carried in the alert
        try:
            os.remove(msg.alert["parameters"]["alert"]["data"]["virustotal"]["source"]["file"])
            write_debug_file(argv[0], json.dumps(msg.alert) + " Successfully removed threat")
        except OSError as error:
            write_debug_file(argv[0], json.dumps(msg.alert) + " Error removing threat: " + str(error))

    else:
        write_debug_file(argv[0], "Invalid command")

    write_debug_file(argv[0], "Ended")

    sys.exit(OS_SUCCESS)

if __name__ == "__main__":
    main(sys.argv)

3. Since we are running the active response script on a Windows agent, we will convert the active response Python script remove-threat.py to an executable application. Run the following PowerShell command as an administrator to create the executable:
> pyinstaller -F \path_to_remove-threat.py

Take note of the path where pyinstaller created remove-threat.exe.
4. Move the executable file remove-threat.exe to the C:\Program Files (x86)\ossec-agent\active-response\bin directory.
5. To apply the changes, restart the agent by running the following PowerShell command as an administrator:
> Restart-Service -Name wazuh

On the Wazuh server, perform the following configuration steps:

1. Append the following blocks to the Wazuh server /var/ossec/etc/ossec.conf file. This is to enable active response and call remove-threat.exe when VirusTotal query results for threats are positive matches:
<ossec_config>
  <command>
    <name>remove-threat</name>
    <executable>remove-threat.exe</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>remove-threat</command>
    <location>local</location>
    <rules_id>87105</rules_id>
  </active-response>
</ossec_config>

2. Add the following rules to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server to alert about the active response results.
<group name="virustotal,">
  <rule id="100092" level="12">
      <if_sid>657</if_sid>
      <match>Successfully removed threat</match>
      <description>$(parameters.program) removed threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>

  <rule id="100093" level="12">
    <if_sid>657</if_sid>
    <match>Error removing threat</match>
    <description>Error removing threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>
</group>

3. Restart the Wazuh server to apply the configuration changes:
$ sudo systemctl restart wazuh-manager

Please let me know if you need further assistance.

Best Regards
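As an added example that is not part of this thread or of Wazuh's code: the exchange the script above carries out with the agent (one JSON "add" line on stdin, a check_keys message on stdout, then a "continue" or "abort" reply) mirrored over in-memory streams, so the "remove only after continue" behaviour can be exercised without touching the filesystem. SAMPLE_ALERT is a constructed payload trimmed to the fields the script reads, and threat_file, run_script_side and simulate are my own names.

```python
import io
import json

# Constructed sample of the 'add' message the agent pipes to remove-threat.exe (fields the script reads only).
SAMPLE_ALERT = {
    "version": 1, "origin": {"name": "node01", "module": "wazuh-execd"}, "command": "add",
    "parameters": {"extra_args": [], "alert": {"rule": {"id": "87105"}, "data": {
        "virustotal": {"source": {"file": "C:\\Users\\demo\\Downloads\\eicar.com"}}}}},
}

def threat_file(alert_msg):
    """Return parameters.alert.data.virustotal.source.file, or None if any key is missing."""
    try:
        return alert_msg["parameters"]["alert"]["data"]["virustotal"]["source"]["file"]
    except (KeyError, TypeError):
        return None

def build_check_keys(script_name, keys):
    """The check_keys message the script must send before acting on the alert."""
    return json.dumps({"version": 1, "origin": {"name": script_name, "module": "active-response"},
                       "command": "check_keys", "parameters": {"keys": keys}})

def run_script_side(stdin, stdout, remove):
    """Mirror remove-threat.py's control flow; 'remove' runs only after the agent says 'continue'."""
    try:
        msg = json.loads(stdin.readline())
    except ValueError:
        return "invalid-json"
    if msg.get("command") != "add":
        return "not-add"
    stdout.write(build_check_keys("remove-threat", [msg["parameters"]["alert"]["rule"]["id"]]) + "\n")
    reply = json.loads(stdin.readline() or "{}")
    cmd = reply.get("command")
    if cmd != "continue":
        return "aborted" if cmd == "abort" else "invalid-reply"
    path = threat_file(msg)
    if path is None:
        return "no-file"
    remove(path)  # os.remove(path) in the real script
    return "removed"

def simulate(agent_reply):
    """Drive one exchange; returns (outcome, removed paths, parsed check_keys message)."""
    removed = []
    stdin = io.StringIO(json.dumps(SAMPLE_ALERT) + "\n" + json.dumps({"command": agent_reply}) + "\n")
    stdout = io.StringIO()
    outcome = run_script_side(stdin, stdout, removed.append)
    return outcome, removed, json.loads(stdout.getvalue() or "{}")
```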

Aykhan Huseynli

Oct 2, 2022, 3:24:33 AM
to Wazuh mailing list
Thanks Anthony, I will try it out and tell you how it goes!

Fawwas Hamdi

Nov 2, 2022, 5:03:15 AM
to Wazuh mailing list
Hello Aykhan and Anthony, hope you're doing well. I'm trying to monitor malware from a Windows machine as well. I already did all of the steps, including installing Sysmon, and I already confirmed that it was being read by the agent. Can you show me your agent configuration file?