Anomaly Malware Detection Through Wazuh

[trail DMARC]

Hi Connections,

I have noticed wazuh is supporting finding the malware using Anomaly detection.

I already go through the wazuh documentation and found the configuration part on file integrity monitoring which has come under Anomaly Malware Detection.

Please need help on how to implement the below things (No description in the wazuh document on how to configure/implement) to fulfill Anomaly detection.

• Check running processes
• Check hidden ports
• Check unusual files and permissions
• Check hidden files using system calls
• Scan the /dev directory
• Scan network interfaces
• Rootkit checks

I am using 2 servers, one is for wazuh manager and filebeat and the other for elasticsearch and kibana.

Best Regards,

[Tomas Benitez Vescio]

Hi,

Thanks for using Wazuh!

To check how to configure the Anomaly and Malware detection capabilities you can check this documentation. As said there, to configure the different options you would have to change the ossec.conf file, specifically the tags related to rootcheck and syscheck. 

In the documentation page for each tag you will find the different configurations options and their value, for example, for checking running processes you would use the key check_pids inside rootcheck with a value of yes although this would be optional because the default value for this key is already yes as most of the other keys for rootcheck. I will leave you the key name for each configuration you requested as well as the default configuration for rootcheck:

• Check running processes => check_pids
• Check hidden ports => check_ports
• Check unusual files and permissions => check_files
• Check hidden files using system calls => check_sys
• Scan the /dev directory => check_dev
• Scan network interfaces => check_if
• Rootkit checks => rootkit_files and rootkit_trojans

Regards.