Question - VirusTotal


jorg...@gmail.com

Sep 17, 2020, 5:28:35 PM
to Wazuh mailing list
From what I understood from the documentation the VirusTotal integration has to be done on the Wazuh Manager.

Is it not possible to activate this just from specific hosts or even folders?

Dario Menten

unread,
Sep 17, 2020, 6:00:57 PM9/17/20
to Wazuh mailing list
Hi Jorge,
Indeed, the configuration of the VirusTotal integration has to be done in the ossec.conf file on the Wazuh Manager.
However, the monitoring of files in certain folders is done through the FIM feature; you have to configure this in the ossec.conf file of the agent or through centralized configuration in agent.conf.
With this, you can configure FIM to monitor a certain folder on a certain agent by editing agent.conf and adding these lines:
<agent_config name="[agent_name]">
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>              <!-- scheduled scan every 12 hours -->
    <scan_on_start>yes</scan_on_start>
    <alert_new_files>yes</alert_new_files>    <!-- needed so rule 554 (file added) fires -->
    <directories check_all="yes" realtime="yes">/somedir</directories>
  </syscheck>
</agent_config>

Now you should create a custom rule to alert of every file modified in the /somedir directory:
<group name="syscheck,">
  <!-- 550 = integrity checksum changed, 554 = file added to the system -->
  <rule id="100100" level="7">
    <if_sid>550,554</if_sid>
    <field name="file">^/somedir/</field>
    <description>File modified or created in /somedir directory.</description>
  </rule>
</group>

Then you can make use of the EICAR test file and place it in the /somedir directory to generate the alert.
I hope this could help you achieve your goals.
I look forward to your feedback.
Kind regards.

Dario Menten

jorg...@gmail.com

Sep 17, 2020, 6:12:31 PM
to Wazuh mailing list
Hi Dario,

Thank you for the info.

I don't know if I'm understanding this correctly.

I know that I can configure FIM for just a specific folder on specific agents, but imagine a case where I want to configure FIM on 2 folders on the first host and 1 folder on a second host, but only query VirusTotal for 1 folder on the first host.

From what I understood the rule you created will definitely create a log based on the folder specified where:  <field name="file">^/somedir/</field>

But won't all the file hashes still be sent to VirusTotal from all the folders?


My concern is having a lot of API calls when I just want to use virus total on a specific folder or agent that is more critical.

Dario Menten

Sep 18, 2020, 7:59:26 PM
to Wazuh mailing list
Hi Jorge,
OK, I get you. I think it can be done; let me research in my lab and come back to you with more information about that.
Kind Regards.

Dario Menten

Dario Menten

Sep 21, 2020, 12:59:49 PM
to Wazuh mailing list
Hi Jorge,
I was researching your query, and you cannot write a rule for a specific agent, because in the log the decoder receives there is no agent information. This is the log:
{
  "virustotal": {
    "found": 1,
    "malicious": 1,
    "source": {
      "alert_id": "1600705610.984766",
      "file": "/somedir/eicar.zip",
      "md5": "6ce6f415d8475545be5ba114f208b0ff",
      "sha1": "d27265074c9eac2e2122ed69294dbc4d7cce9141"
    },
    "sha1": "d27265074c9eac2e2122ed69294dbc4d7cce9141",
    "scan_date": "2020-09-21 11:39:50",
    "positives": 56,
    "total": 60,
    "permalink": "https://www.virustotal.com/gui/file/2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad/detection/f-2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad-1600688390"
  },
  "integration": "virustotal"
}
If you manage alerts by email, then you can filter the agent and the level of the alert you want to receive: https://documentation.wazuh.com/3.13/user-manual/manager/manual-email-report/#email-alert-based-on-level-and-agent
I hope to be helpful.
I look forward to your feedback.
Kind regards.

Dario Menten


jorg...@gmail.com

Sep 21, 2020, 6:51:52 PM
to Wazuh mailing list
Hi Dario,

Thank you for the explanation.

I think it would be a good addition to have the ability to specify whether the hash should be sent to VirusTotal or not depending on the agent and/or the folder.
This is mainly because of the number of requests to the VirusTotal API.

Maybe something the development team can add later.

Thank you

Dario Menten

Sep 21, 2020, 7:45:21 PM
to Wazuh mailing list
Hi Jorge,
I will definitely suggest that to the dev team. Also, keep in mind that that restriction from VirusTotal is just for the Public API; they have a Premium API you can use without restrictions, and it also delivers more threat data.
I'll leave you the documentation regarding the Public vs Premium API.
I hope to be helpful.
Kind Regards.

Darío Menten

jorg...@gmail.com

Sep 22, 2020, 11:53:47 AM
to Wazuh mailing list
Hi Dario,

Thank you for suggesting to the dev team.

Regarding VirusTotal Premium, the problem is that they have price packages (at least the last time I talked to them) with API limits:

500/per day - X price, 
1000/per day - Y price, 
and so on.

So limiting the number of API calls can be useful to reduce costs.

John S. Galliano

Nov 3, 2022, 7:42:44 PM
to Wazuh mailing list
How do you limit the number of VT api calls?

Dario Menten

Nov 23, 2022, 8:24:18 AM
to Wazuh mailing list

Hello John,
You can do this either by monitoring only specific directories or by setting up rules specific to the VirusTotal checks.
An example of monitoring specific directories could be:

<syscheck>
  <!-- whodata="yes": real-time monitoring with who-did-it data, limited to the user-writable folders that matter -->
  <directories check_all="yes" whodata="yes">C:\Users\*\Documents</directories>
  <directories check_all="yes" whodata="yes">C:\Users\*\Desktop</directories>
  <directories check_all="yes" whodata="yes">C:\Users\*\Downloads</directories>
  <ignore type="sregex">.ini$|.jpg$|.png$|.lnk$|.log$|.txt$</ignore>
</syscheck>

As you can see, you can also set it to ignore some file types since they are not usually malicious.

An example of filtering the alerts by setting up a rule group, where you can categorize these alerts and then configure the VirusTotal integration:

<!-- local_rules.xml on the manager: tag only the FIM events worth a lookup -->
<group name="threat-intel,">

  <rule id="444556" level="13">
    <if_group>syscheck</if_group>
    <!-- OSSEC regex syntax: "\." matches any character and "." a literal dot,
         so this reads "anything under c:\users\ ending in one of these extensions" -->
    <field name="file">^c:\\users\\\.+.exe$|^c:\\users\\\.+.bat$|^c:\\users\\\.+.cmd$|^c:\\users\\\.+.com$|^c:\\users\\\.+.ps1$|^c:\\users\\\.+.vbs$|^c:\\users\\\.+.vb$|^c:\\users\\\.+.wsf$|^c:\\users\\\.+.ws$|^c:\\users\\\.+.scr$</field>
    <description>Dangerous File copied on users folder: $(file)</description>
  </rule>

</group>

<!-- ossec.conf on the manager: only alerts in the threat-intel group are sent to VirusTotal -->
<integration>
  <name>virustotal</name>
  <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
  <group>threat-intel</group>
  <alert_format>json</alert_format>
</integration>

In this way, you can filter and therefore limit the files checked against VirusTotal.
I hope this could be helpful.
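The two answers above (the /somedir rule in the first reply and the threat-intel group here) both work the same way: a rule decides which FIM alerts get forwarded, and the integration only spends an API call on those. The following is an added example, not code from this thread or from the Wazuh project, that dry-runs that policy over a constructed batch of FIM alerts so you can see how many lookups a given filter saves before touching the API. Layer 1 is the `<field name="file">` pattern of rule 444556 rewritten as a Python regex (OSSEC regex treats `\.` as any character and `.` as a literal dot, so the ten alternatives collapse to one prefix plus an extension list). Layer 2 is an assumption: Wazuh custom integration scripts receive the triggering alert JSON, which carries `agent.name` and `syscheck.event`, so such a script could also restrict lookups to a critical-agent allowlist and skip deletion events. The agent names, paths and allowlist are made up for the example.

```python
"""Dry run of "send only a subset of FIM alerts to VirusTotal".

Added example; not from the thread or the Wazuh project. Field names follow
alerts.json (syscheck.path, syscheck.event, agent.name); agents and paths are
constructed for illustration.
"""
import re

# Python equivalents of the <field name="file"> patterns in this thread.
# In OSSEC/Wazuh regex syntax "\." matches any character and "." a literal dot,
# so the ten alternatives of rule 444556 collapse to one prefix plus an
# extension list. Case-insensitive so the check does not depend on how the
# agent cases the drive letter.
USERS_DANGEROUS = re.compile(
    r"^c:\\users\\.+\.(exe|bat|cmd|com|ps1|vbs|vb|wsf|ws|scr)$", re.IGNORECASE
)
SOMEDIR = re.compile(r"^/somedir/")  # the Linux rule 100100 from the first reply

# Constructed policy for this example: only spend API quota on these agents.
CRITICAL_AGENTS = frozenset({"fileserver01"})


def rule_matches(alert, pattern=USERS_DANGEROUS):
    """Layer 1: would a rule with this <field name="file"> pattern fire?"""
    path = alert.get("syscheck", {}).get("path", "")
    return pattern.match(path) is not None


def vt_decision(alert, pattern=USERS_DANGEROUS, skip_deleted=True, agents=CRITICAL_AGENTS):
    """Layer 2: checks a custom integration script could make before calling
    the API (assumption: it reads the triggering alert JSON, which carries
    agent.name and syscheck.event). Returns "send" or a skip reason."""
    if not rule_matches(alert, pattern):
        return "skip:rule"
    if skip_deleted and alert["syscheck"].get("event") == "deleted":
        return "skip:deleted"  # nothing left on disk to remediate; save the call
    if alert.get("agent", {}).get("name") not in agents:
        return "skip:agent"
    return "send"


def plan(alerts, **policy):
    """Return (paths that would be sent, {decision: count}) for a batch."""
    to_send, counts = [], {}
    for alert in alerts:
        decision = vt_decision(alert, **policy)
        counts[decision] = counts.get(decision, 0) + 1
        if decision == "send":
            to_send.append(alert["syscheck"]["path"])
    return to_send, counts


def fim(agent, path, event="added"):
    """Constructed minimal syscheck alert shaped like an alerts.json entry."""
    return {"agent": {"name": agent}, "rule": {"groups": ["syscheck"]},
            "syscheck": {"path": path, "event": event}}


# Constructed sample batch: one afternoon of FIM events across two agents.
SAMPLE_ALERTS = [
    fim("fileserver01", r"C:\Users\alice\Downloads\invoice.exe"),
    fim("fileserver01", r"c:\users\alice\desktop\run.ps1", "modified"),
    fim("fileserver01", r"c:\users\alice\documents\notes.txt"),
    fim("fileserver01", r"c:\users\bob\downloads\old.bat", "deleted"),
    fim("laptop17", r"c:\users\carol\downloads\setup.exe"),
    fim("laptop17", r"d:\tmp\testwazuh1\sample.exe"),
]

if __name__ == "__main__":
    send, counts = plan(SAMPLE_ALERTS)
    print(f"{len(send)} of {len(SAMPLE_ALERTS)} alerts would reach VirusTotal")
    for path in send:
        print("  ->", path)
    print("breakdown:", counts)
```

Run as-is, two of the six constructed alerts would be sent; flipping `skip_deleted` or widening the agent allowlist shows how much quota each knob costs. To try it on real data, replace `SAMPLE_ALERTS` with entries read from the manager's alerts.json and confirm the field names match your Wazuh version.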

tmz

Dec 8, 2022, 9:49:04 AM
to Wazuh mailing list
Hi!

I just came to the same question: how to limit VirusTotal so it does not watch all directories specified with syscheck. In my opinion an even better solution would be to define those two settings separately.
Let me elaborate. I would like to monitor almost the whole disk for massive changes of files (which is what a crypto locker does); let's say I would like to be notified if more than 10 documents change in 10 seconds (for example). But I don't want all these directories to be checked on VirusTotal, only Documents, Desktop and Downloads.

Dario's suggestion above is OK, but I would like to have different directories checked for different agent groups. Is it possible to have a condition on agent group in a rule? I don't see a usable field in the event for this purpose. Something like "agent.group" would be fine to have.

For testing purposes I modified Dario's rule (444556) to check only a specific directory (changed the field name="file" tag):
```
<field name="file">D:\\tmp\\TestWazuh1</field>
```

Now I have a problem: this rule (Dario's 444556) causes my rule, which checks for crypto virus actions, not to be triggered. Therefore the directory "D:\\tmp\\TestWazuh1" is only checked on VirusTotal but is not checked for a lot of files generated in a short time period.

Regarding limiting the number of VT calls, I noticed that the check on VirusTotal is also done on deleted documents. I think this is not strictly necessary.

Best regards, Tomaz