Can't test URLhaus


Henry Valero

Nov 19, 2024, 3:10:12 PM
to Wazuh | Mailing List
Hi all,

How can I test the functionality of this case on Wazuh and URLhaus?
When I test with this command which is in the article (https://wazuh.com/blog/detecting-malicious-urls-using-wazuh-and-urlhaus/) it does not generate any events because the link is down or not available.


Atte,
Henry

Pablo Ariel Gonzalez

Nov 19, 2024, 4:03:35 PM
to Wazuh | Mailing List
Hi Henry

     What you indicate is correct. Let me check it and I will confirm how we can revise it as soon as possible.

Pablo Ariel Gonzalez

Nov 20, 2024, 6:26:33 AM
to Wazuh | Mailing List
Henry:

     I have been able to confirm the following with respect to your inquiry:
The deployment uses Suricata as an IDS, and when Suricata detects any issue, it triggers a rule, which in turn triggers an AR script. There are two steps to it:
  1. We run a query to Pastebin, and Suricata detects the user agent used as malicious. What is important here is the user agent and not the document on Pastebin.
  2. The Suricata rule then triggers URLHaus to scan the URL, and URLHaus sees "pastebin.com" and flags it as a domain used to deploy malware. Here, what is important is "pastebin.com", not the subdirectory; URLHaus will only check the TLD and not subdirectories.
In summary, the command should still work:

curl -A "BlackSun" http://pastebin.com/
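
The two-step flow described above (Suricata alert on the user agent, then a URLhaus lookup of the host only), as an added offline example that is not code from the thread, the blog post, or the Wazuh active-response script. It assumes the real Suricata EVE field names (event_type, alert, http.hostname, http.url, http.http_user_agent) and an assumed URLhaus host-lookup reply shape (query_status plus a urls[] list with url, url_status and threat); the alert, the reply and the signature text are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed Suricata EVE alert, shaped like the one the "BlackSun" curl test raises.
# Field names are real EVE fields; values and signature text are made up for this example.
SAMPLE_ALERT = json.dumps({
    "event_type": "alert",
    "src_ip": "10.0.0.5", "dest_ip": "203.0.113.10", "dest_port": 80,
    "alert": {"signature": "CONSTRUCTED suspicious User-Agent (BlackSun)", "severity": 1},
    "http": {"hostname": "pastebin.com", "url": "/raw/example", "http_user_agent": "BlackSun"},
})

# Constructed URLhaus host-lookup reply (assumed shape: query_status plus urls[] entries
# carrying url, url_status and threat).
SAMPLE_URLHAUS = {
    "query_status": "ok", "host": "pastebin.com", "url_count": "2",
    "urls": [
        {"url": "http://pastebin.com/raw/EXAMPLE1", "url_status": "online", "threat": "malware_download"},
        {"url": "http://pastebin.com/raw/EXAMPLE2", "url_status": "offline", "threat": "malware_download"},
    ],
}

def host_from_alert(alert):
    """Step 2 input: the host (never the path) that gets submitted to URLhaus."""
    if isinstance(alert, str):
        alert = json.loads(alert)
    http = alert.get("http", {})
    host = http.get("hostname") or urlsplit(http.get("url", "")).hostname
    if not host:
        return None  # relative URL and no Host header: nothing to look up
    return host.lower().split(":")[0]  # drop any port, normalise case

def urlhaus_verdict(response):
    """Reduce a URLhaus host reply to what a Wazuh rule needs: flagged or not,
    how many listed URLs are still online, and which threat types were seen."""
    if response.get("query_status") != "ok":  # "no_results", "invalid_host", ...
        return {"flagged": False, "online": 0, "threats": []}
    urls = response.get("urls") or []
    online = sum(1 for u in urls if u.get("url_status") == "online")
    threats = sorted({u["threat"] for u in urls if u.get("threat")})
    return {"flagged": bool(urls), "online": online, "threats": threats}

def evaluate(alert, response):
    """Join both steps: which host was checked and what URLhaus said about it."""
    host = host_from_alert(alert)
    verdict = urlhaus_verdict(response) if host else {"flagged": False, "online": 0, "threats": []}
    verdict["host"] = host
    return verdict

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_ALERT, SAMPLE_URLHAUS)))
```

A "no_results" reply yields flagged=False, which is why a host that URLhaus has never listed produces no Wazuh event even when the Suricata signature fired.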

Pablo Ariel Gonzalez

Nov 21, 2024, 7:18:01 AM
to Wazuh | Mailing List
Hi Henry:

     Did you see my previous comment? If you have any doubts or questions please do not hesitate to contact us.

Henry Valero

Nov 21, 2024, 11:13:34 AM
to Wazuh | Mailing List
Hi Pablo:

Thanks for the response.

Pablo Ariel Gonzalez

Nov 22, 2024, 7:56:34 AM
to Wazuh | Mailing List
Hi Henry,

    I hope this helps. Let us know if you need anything else.

Thanks,
