malicious file remove

utku can güzel
Oct 31, 2022, 2:30:48 PM
to Wazuh mailing list
Hi everyone;

I integrated MISP and I detected a malicious file, but I want to detect and remove it with MISP, not VirusTotal, because VirusTotal limits file removal on the free plan.

Jose Camargo
Oct 31, 2022, 8:38:41 PM
to Wazuh mailing list
Hi Utku, thank you for using Wazuh!

In order to integrate with MISP (and have something similar to the VirusTotal integration), you will need to write a script. In some cases, it is possible to just edit the ossec.conf configuration with your credentials or API key, but this is only for integrations that we already have a script for. These integrations are Slack, VirusTotal and PagerDuty. In fact, if you go to this path: /var/ossec/integrations/, you should be able to see the corresponding scripts for each tool.
We also have an example of an integration with Jira in the following blog, where this integration is used to explain how to write a custom script. 

In order to integrate with MISP, you will have to follow the steps explained in the blog, but the script will have to be a little bit different. As in the Jira example, you will need to select the file to which all the alerts are arriving (by default, it will be alerts.json). Then, we will need to set the group condition. It will look something similar to if "syslog" in alerts["rules"]["groups"], taking into account that the alerts variable is the information from the alerts.json file. Then, making use of the MISP API, you can forward this alert to the MISP tool. I have found in their documentation the call I think you will have to perform in order to add an event, but you can check all their documentation here. Once the event is scanned, you can forward the result to Wazuh. Not sure if you will need to write decoders and rules for these events, but in that case, I will leave here this link explaining how to create custom decoders and rules. 

Then you can manage the integration by editing the Wazuh manager configuration file:

/var/ossec/etc/ossec.conf

and adding the following code block inside the <ossec_config> section:


<integration>
  <name> </name>
  <hook_url> </hook_url>
  <api_key> </api_key>
  <!-- Optional filters -->
  <rule_id> </rule_id>
  <level> </level>
  <group> </group>
  <event_location> </event_location>
</integration>


Then, you should put the MISP API key in the api_key field and, in case the API provides it, it is recommended to add the API's URL in the hook_url field. You can check some configuration examples in this post.


Then, restart the wazuh-manager service:

systemctl restart wazuh-manager


Please let me know if you need help with anything else.

Regards,
Jose Camargo
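The custom script the reply describes (select the alert file, apply the group condition, forward the alert to MISP), written out as an added example. This is not Wazuh's code nor anything posted in the thread. It assumes the integratord invocation convention of `<script> <alert_file> <api_key> <hook_url>`, reads the group list from the alert's `rule.groups` field, creates a MISP event through `POST /events`, and, going one step beyond the reply, also looks the file hash up with MISP's `POST /attributes/restSearch` so the script can tell Wazuh whether the hash is already known to MISP. The sample alert is constructed; the event fields and the `misp-hit`/`misp-miss` output format are choices made here, not a MISP or Wazuh standard.

```python
#!/usr/bin/env python3
"""Added example of a custom Wazuh -> MISP integration script (not Wazuh's own code).

Assumed invocation by wazuh-integratord:  custom-misp <alert_file> <api_key> <hook_url>
where hook_url is the MISP base URL (e.g. https://misp.example.test).
"""
import json
import sys
import urllib.request

# Constructed sample alert in the shape Wazuh writes to alerts.json (a syscheck / FIM event
# carrying the hash of a newly added file). The hash value is a placeholder, not a real IoC.
SAMPLE_ALERT = {
    "rule": {
        "id": "554",
        "level": 5,
        "description": "File added to the system.",
        "groups": ["ossec", "syscheck", "syscheck_entry_added"],
    },
    "agent": {"id": "001", "name": "web-01"},
    "syscheck": {
        "path": "/tmp/sample.bin",
        "sha256_after": "0" * 64,  # placeholder hash
    },
}


def matches_group(alert, wanted="syscheck"):
    """The group condition from the reply, applied to the real alert field (rule.groups)."""
    return wanted in alert.get("rule", {}).get("groups", [])


def build_misp_event(alert):
    """Map a Wazuh FIM alert to a MISP event body. Field choices here are assumptions."""
    rule = alert.get("rule", {})
    agent = alert.get("agent", {})
    sc = alert.get("syscheck", {})
    attributes = []
    if sc.get("sha256_after"):
        # to_ids is left False: the file was only observed, not yet confirmed malicious,
        # so it should not be exported as an IDS signature automatically.
        attributes.append({"type": "sha256", "category": "Payload delivery",
                           "value": sc["sha256_after"], "to_ids": False})
    if sc.get("path"):
        attributes.append({"type": "filename", "category": "Payload delivery",
                           "value": sc["path"], "to_ids": False})
    info = "Wazuh rule %s on agent %s: %s" % (
        rule.get("id"), agent.get("name"), rule.get("description"))
    return {"Event": {"info": info, "distribution": 0, "threat_level_id": 2,
                      "analysis": 0, "Attribute": attributes}}


def _misp_request(hook_url, api_key, path, body):
    """POST JSON to the MISP REST API and return the decoded reply."""
    req = urllib.request.Request(
        hook_url.rstrip("/") + path,
        data=json.dumps(body).encode(),
        headers={"Authorization": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def lookup_hash(hook_url, api_key, sha256):
    """Return the MISP attributes already matching this hash (empty list if unknown)."""
    reply = _misp_request(hook_url, api_key, "/attributes/restSearch",
                          {"returnFormat": "json", "value": sha256})
    return reply.get("response", {}).get("Attribute", [])


def format_result(alert, known_attributes):
    """One-line summary handed back to Wazuh; a decoder/rule can be written for this format."""
    sha = alert.get("syscheck", {}).get("sha256_after", "")
    status = "misp-hit" if known_attributes else "misp-miss"
    return "%s sha256=%s event_ids=%s" % (
        status, sha, ",".join(sorted({str(a.get("event_id")) for a in known_attributes})))


def main(argv):
    alert_file, api_key, hook_url = argv[1:4]
    with open(alert_file) as fh:
        alert = json.load(fh)
    if not matches_group(alert):
        return 0
    known = lookup_hash(hook_url, api_key, alert["syscheck"]["sha256_after"])
    if not known:
        _misp_request(hook_url, api_key, "/events", build_misp_event(alert))
    print(format_result(alert, known))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script deliberately never prints the API key, and it only creates a new MISP event when the hash is unknown, so repeated FIM alerts for the same file do not flood MISP with duplicate events.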
