Virus Total integration done but not generating alerts


Oscar Lopez

Jun 7, 2019, 3:39:26 AM
to Wazuh mailing list
Dear all,

I have successfully set up the VirusTotal integration, but in the end the system does not generate alerts.

I am trying to test the alert generation and the configuration using the EICAR file.

I am running server version Wazuh v3.8.2 - Wazuh Inc., and also version 3.8.2 on a wazuh-agent.

I have checked "integrator.log" and see this output when downloading the EICAR file:

Thu Jun 06 13:59:47 UTC 2019: 1:[003] (DESKTOP-DJ7F955) 192.168.15.166->virustotal:{"virustotal": {"permalink": "https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1559829032/", "sha1": "3395856ce81f2b7382dee72602f798b642f14140", "malicious": 1, "source": {"alert_id": "1559829557.1123306", "sha1": "3395856ce81f2b7382dee72602f798b642f14140", "file": "c:\\users\\wadmin\\downloads\\eicar.com.txt", "md5": "44d88612fea8a8f36de82e1278abb02f"}, "positives": 63, "found": 1, "total": 64, "scan_date": "2019-06-06 13:50:32"}, "integration": "virustotal"}

I also tested the output in the "archives.json" file with ossec-logtest:

{"timestamp":"2019-06-06T13:59:48.941+0000","agent":{"id":"003","name":"DESKTOP-DJ7F955","ip":"192.168.15.166"},"manager":{"name":"risk-server"},"id":"1559829588.1123306","full_log":"{\"virustotal\": {\"permalink\": \"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1559829032/\", \"sha1\": \"3395856ce81f2b7382dee72602f798b642f14140\", \"malicious\": 1, \"source\": {\"alert_id\": \"1559829557.1123306\", \"sha1\": \"3395856ce81f2b7382dee72602f798b642f14140\", \"file\": \"c:\\\\users\\\\wadmin\\\\downloads\\\\eicar.com.txt\", \"md5\": \"44d88612fea8a8f36de82e1278abb02f\"}, \"positives\": 63, \"found\": 1, \"total\": 64, \"scan_date\": \"2019-06-06 13:50:32\"}, \"integration\": \"virustotal\"}","decoder":{"name":"json"},"location":"virustotal"}


**Phase 1: Completed pre-decoding.
       full event: '{"timestamp":"2019-06-06T13:59:48.941+0000","agent":{"id":"003","name":"DESKTOP-DJ7F955","ip":"192.168.15.166"},"manager":{"name":"risk-server"},"id":"1559829588.1123306","full_log":"{\"virustotal\": {\"permalink\": \"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1559829032/\", \"sha1\": \"3395856ce81f2b7382dee72602f798b642f14140\", \"malicious\": 1, \"source\": {\"alert_id\": \"1559829557.1123306\", \"sha1\": \"3395856ce81f2b7382dee72602f798b642f14140\", \"file\": \"c:\\\\users\\\\wadmin\\\\downloads\\\\eicar.com.txt\", \"md5\": \"44d88612fea8a8f36de82e1278abb02f\"}, \"positives\": 63, \"found\": 1, \"total\": 64, \"scan_date\": \"2019-06-06 13:50:32\"}, \"integration\": \"virustotal\"}","decoder":{"name":"json"},"location":"virustotal"}'
       timestamp: '(null)'
       hostname: 'risk-server'
       program_name: '(null)'
       log: '{"timestamp":"2019-06-06T13:59:48.941+0000","agent":{"id":"003","name":"DESKTOP-DJ7F955","ip":"192.168.15.166"},"manager":{"name":"risk-server"},"id":"1559829588.1123306","full_log":"{\"virustotal\": {\"permalink\": \"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1559829032/\", \"sha1\": \"3395856ce81f2b7382dee72602f798b642f14140\", \"malicious\": 1, \"source\": {\"alert_id\": \"1559829557.1123306\", \"sha1\": \"3395856ce81f2b7382dee72602f798b642f14140\", \"file\": \"c:\\\\users\\\\wadmin\\\\downloads\\\\eicar.com.txt\", \"md5\": \"44d88612fea8a8f36de82e1278abb02f\"}, \"positives\": 63, \"found\": 1, \"total\": 64, \"scan_date\": \"2019-06-06 13:50:32\"}, \"integration\": \"virustotal\"}","decoder":{"name":"json"},"location":"virustotal"}'

**Phase 2: Completed decoding.
       decoder: 'json'


The decoder phase is completed, and it stops without generating an alert.

I have checked that my rule file is present in the correct path ..\rules\0490-virustotal_rules.xml

So in the end the wazuh-server is not generating alerts on this event.

I would really appreciate your opinion and any ideas for debugging what is going on.

Many thanks,

Oscar

Alberto Marín

Jun 7, 2019, 5:04:10 AM
to Wazuh mailing list
Hi Oscar,

To try to determine the cause of the problem, please enable the debug mode in `ossec-integratord`.

Stop the daemon with

pkill ossec-integratord

and then restart it using the debug mode:

/var/ossec/bin/ossec-integratord -fdd

Once the daemon is running, add the test file to the monitored folder. The following messages should be shown:

2019/06/07 10:37:54 ossec-integratord[38167] integrator.c:131 at OS_IntegratorD(): DEBUG: sending new alert.
2019/06/07 10:37:54 ossec-integratord[38167] integrator.c:263 at OS_IntegratorD(): DEBUG: file /tmp/virustotal-1559896674--327569001.alert was written.
2019/06/07 10:37:54 ossec-integratord[38167] integrator.c:389 at OS_IntegratorD(): DEBUG: Running: /var/ossec/integrations/virustotal /tmp/virustotal-1559896674--327569001.alert xxxxxxxapikeyxxxx  debug
2019/06/07 10:37:55 ossec-integratord[38167] integrator.c:399 at OS_IntegratorD(): DEBUG: integratord: Fri Jun 07 10:37:54 CEST 2019: # Starting
2019/06/07 10:37:55 ossec-integratord[38167] integrator.c:399 at OS_IntegratorD(): DEBUG: integratord: Fri Jun 07 10:37:54 CEST 2019: # API Key
...

2019/06/07 10:37:55 ossec-integratord[38167] integrator.c:399 at OS_IntegratorD(): DEBUG: integratord: Fri Jun 07 10:37:54 CEST 2019: 1:virustotal:{"virustotal": {"permalink": "https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1559896527/", "sha1": "3395856ce81f2b7382dee72602f798b642f14140", "malicious": 1, "source": {"alert_id": "1559896673.57793", "sha1": "3395856ce81f2b7382dee72602f798b642f14140", "file": "/root/prueba/eicar.com.txt", "md5": "44d88612fea8a8f36de82e1278abb02f"}, "positives": 61, "found": 1, "total": 62, "scan_date": "2019-06-07 08:35:27"}, "integration": "virustotal"}
2019/06/07 10:37:55 ossec-integratord[38167] integrator.c:414 at OS_IntegratorD(): DEBUG: Command ran successfully


If the VirusTotal integration receives the message indicating that the file is malicious, you will get an alert in the alerts.log file:

** Alert 1559896675.58318: mail  - virustotal,gdpr_IV_35.7.d,
2019 Jun 07 10:37:55 ubuntu1710->virustotal
Rule: 87105 (level 12) -> 'VirusTotal: Alert - /root/prueba/eicar.com.txt - 61 engines detected this file'
{"virustotal": {"permalink": "https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1559896527/", "sha1": "3395856ce81f2b7382dee72602f798b642f14140", "malicious": 1, "source": {"alert_id": "1559896673.57793", "sha1": "3395856ce81f2b7382dee72602f798b642f14140", "file": "/root/prueba/eicar.com.txt", "md5": "44d88612fea8a8f36de82e1278abb02f"}, "positives": 61, "found": 1, "total": 62, "scan_date": "2019-06-07 08:35:27"}, "integration": "virustotal"}
virustotal.permalink: https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1559896527/
virustotal.sha1: 3395856ce81f2b7382dee72602f798b642f14140
virustotal.malicious: 1
virustotal.source.alert_id: 1559896673.57793
virustotal.source.sha1: 3395856ce81f2b7382dee72602f798b642f14140
virustotal.source.file: /root/prueba/eicar.com.txt
virustotal.source.md5: 44d88612fea8a8f36de82e1278abb02f
virustotal.positives: 61
virustotal.found: 1
virustotal.total: 62
virustotal.scan_date: 2019-06-07 08:35:27
integration: virustotal

If the integration fails, the error will be shown in the `ossec-remoted` log and will give information about the cause of the problem.

Hope this helps. Do not hesitate to contact us if the problem persists.

Best regards.


Oscar Lopez

Jun 7, 2019, 6:36:00 AM
to Wazuh mailing list
Hi Alberto,

Thanks for your thoughts. The issue is that the integratord process seems to be working correctly with no errors, but again I do not see an alert generated in the alerts.log file.

I have just checked the archives.log and the event has been successfully logged, as mentioned in my previous message.

Also find below the output of the integratord debug, which seems to end with no errors...

2019/06/07 10:00:29 ossec-integratord[5615] integrator.c:399 at OS_IntegratorD(): DEBUG: integratord: Fri Jun 07 10:00:28 UTC 2019: # File location

2019/06/07 10:00:29 ossec-integratord[5615] integrator.c:399 at OS_IntegratorD(): DEBUG: integratord:

2019/06/07 10:00:29 ossec-integratord[5615] integrator.c:399 at OS_IntegratorD(): DEBUG: integratord: Fri Jun 07 10:00:28 UTC 2019: /tmp/virustotal-1559901627-1936916424.alert

2019/06/07 10:00:29 ossec-integratord[5615] integrator.c:399 at OS_IntegratorD(): DEBUG: integratord:

2019/06/07 10:00:29 ossec-integratord[5615] integrator.c:399 at OS_IntegratorD(): DEBUG: integratord: Fri Jun 07 10:00:28 UTC 2019: # Processing alert

2019/06/07 10:00:29 ossec-integratord[5615] integrator.c:399 at OS_IntegratorD(): DEBUG: integratord:

2019/06/07 10:00:29 ossec-integratord[5615] integrator.c:399 at OS_IntegratorD(): DEBUG: integratord: Fri Jun 07 10:00:28 UTC 2019: {u'full_log': u"File 'c:\\users\\wadmin\\downloads\\eicarcom2 (1).zip' was added.\n", u'timestamp': u'2019-06-07T10:00:26.607+0000', u'agent': {u'ip': u'192.168.15.166', u'id': u'003', u'name': u'DESKTOP-DJ7F955'}, u'syscheck': {u'attrs_after': [u'ARCHIVE'], u'sha1_after': u'bec1b52d350d721c7e22a6d4bb0a92909893a3ae', u'size_after': u'308', u'uid_after': u'S-1-5-21-709713298-3484327148-2998407370-1001', u'event': u'added', u'mtime_after': u'2019-06-07T10:00:24', u'uname_after': u'wAdmin', u'path': u'c:\\users\\wadmin\\downloads\\eicarcom2 (1).zip', u'win_perm_after': [{u'name': u'SYSTEM', u'allowed': [u'DELETE', u'READ_CONTROL', u'WRITE_DAC', u'WRITE_OWNER', u'SYNCHRONIZE', u'FILE_READ_DATA', u'FILE_WRITE_DATA', u'FILE_APPEND_DATA', u'FILE_READ_EA', u'FILE_WRITE_EA', u'FILE_EXECUTE', u'FILE_READ_ATTRIBUTES', u'FILE_WRITE_ATTRIBUTES']}, {u'name': u'Administrators', u'allowed': [u'DELETE', u'READ_CONTROL', u'WRITE_DAC', u'WRITE_OWNER', u'SYNCHRONIZE', u'FILE_READ_DATA', u'FILE_WRITE_DATA', u'FILE_APPEND_DATA', u'FILE_READ_EA', u'FILE_WRITE_EA', u'FILE_EXECUTE', u'FILE_READ_ATTRIBUTES', u'FILE_WRITE_ATTRIBUTES']}, {u'name': u'wAdmin', u'allowed': [u'DELETE', u'READ_CONTROL', u'WRITE_DAC', u'WRITE_OWNER', u'SYNCHRONIZE', u'FILE_READ_DATA', u'FILE_WRITE_DATA', u'FILE_APPEND_DATA', u'FILE_READ_EA', u'FILE_WRITE_EA', u'FILE_EXECUTE', u'FILE_READ_ATTRIBUTES', u'FILE_WRITE_ATTRIBUTES']}], u'sha256_after': u'e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397', u'md5_after': u'e4968ef99266df7c9a1f0637d2389dab'}, u'manager': {u'name': u'server'}, u'rule': {u'firedtimes': 1, u'description': u'Alert: Added content on monitorized directory', u'level': 16, u'groups': [u'windows'], u'mail': True, u'id': u'100009'}, u'decoder': {u'name': u'syscheck_new_entry'}, u'id': u'1559901626.134618', u'location': u'syscheck'}

2019/06/07 10:00:29 ossec-integratord[5615] integrator.c:399 at OS_IntegratorD(): DEBUG: integratord:

2019/06/07 10:00:29 ossec-integratord[5615] integrator.c:399 at OS_IntegratorD(): DEBUG: integratord: Fri Jun 07 10:00:28 UTC 2019: {'virustotal': {'permalink': u'https://www.virustotal.com/file/e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397/analysis/1559720182/', 'sha1': u'bec1b52d350d721c7e22a6d4bb0a92909893a3ae', 'malicious': 1, 'source': {'alert_id': u'1559901626.134618', 'sha1': u'bec1b52d350d721c7e22a6d4bb0a92909893a3ae', 'file': u'c:\\users\\wadmin\\downloads\\eicarcom2 (1).zip', 'md5': u'e4968ef99266df7c9a1f0637d2389dab'}, 'positives': 54, 'found': 1, 'total': 63, 'scan_date': u'2019-06-05 07:36:22'}, 'integration': 'virustotal'}

2019/06/07 10:00:29 ossec-integratord[5615] integrator.c:399 at OS_IntegratorD(): DEBUG: integratord:

2019/06/07 10:00:29 ossec-integratord[5615] integrator.c:399 at OS_IntegratorD(): DEBUG: integratord: Fri Jun 07 10:00:28 UTC 2019: 1:[003] (DESKTOP-DJ7F955) 192.168.15.166->virustotal:{"virustotal": {"permalink": "https://www.virustotal.com/file/e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397/analysis/1559720182/", "sha1": "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "malicious": 1, "source": {"alert_id": "1559901626.134618", "sha1": "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "file": "c:\\users\\wadmin\\downloads\\eicarcom2 (1).zip", "md5": "e4968ef99266df7c9a1f0637d2389dab"}, "positives": 54, "found": 1, "total": 63, "scan_date": "2019-06-05 07:36:22"}, "integration": "virustotal"}

2019/06/07 10:00:29 ossec-integratord[5615] integrator.c:399 at OS_IntegratorD(): DEBUG: integratord:

2019/06/07 10:00:29 ossec-integratord[5615] integrator.c:414 at OS_IntegratorD(): DEBUG: Command ran successfully


Only an alert associated with file integrity monitoring is triggered, not one associated with VirusTotal:

** Alert 1559901489.133347: mail  - windows
2019 Jun 07 09:58:09 (DESKTOP-DJ7F955) 192.168.15.166->syscheck
Rule: 100009 (level 16) -> 'Alert: Added content on monitorized directory'
File 'c:\users\wadmin\downloads\eicar_com.zip' was added

Thanks again for your ideas,

Oscar

Alberto Marín

Jun 7, 2019, 9:08:39 AM
to Wazuh mailing list
Hi Oscar,

ossec-integratord is working as expected. I can see in your last message that you added custom rules for syscheck. Did you also make modifications to the VirusTotal rules?

I've used the log from ossec-integratord you provided and it generates an alert with the default ruleset:

2019/06/07 14:44:20 ossec-testrule: INFO: Started (pid: 38789).
ossec-testrule: Type one log per line.


{"virustotal": {"permalink": "https://www.virustotal.com/file/e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397/analysis/1559720182/", "sha1": "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "malicious": 1, "source": {"alert_id": "1559901626.134618", "sha1": "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "file": "c:\\users\\wadmin\\downloads\\eicarcom2 (1).zip", "md5": "e4968ef99266df7c9a1f0637d2389dab"}, "positives": 54, "found": 1, "total": 63, "scan_date": "2019-06-05 07:36:22"}, "integration": "virustotal"}




**Phase 1: Completed pre-decoding.
       full event: '{"virustotal": {"permalink": "https://www.virustotal.com/file/e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397/analysis/1559720182/", "sha1": "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "malicious": 1, "source": {"alert_id": "1559901626.134618", "sha1": "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "file": "c:\\users\\wadmin\\downloads\\eicarcom2 (1).zip", "md5": "e4968ef99266df7c9a1f0637d2389dab"}, "positives": 54, "found": 1, "total": 63, "scan_date": "2019-06-05 07:36:22"}, "integration": "virustotal"}'
       timestamp: '(null)'
       hostname: 'ubuntu1710'
       program_name: '(null)'
       log: '{"virustotal": {"permalink": "https://www.virustotal.com/file/e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397/analysis/1559720182/", "sha1": "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "malicious": 1, "source": {"alert_id": "1559901626.134618", "sha1": "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "file": "c:\\users\\wadmin\\downloads\\eicarcom2 (1).zip", "md5": "e4968ef99266df7c9a1f0637d2389dab"}, "positives": 54, "found": 1, "total": 63, "scan_date": "2019-06-05 07:36:22"}, "integration": "virustotal"}'



**Phase 2: Completed decoding.
       decoder: 'json'
       virustotal.permalink: 'https://www.virustotal.com/file/e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397/analysis/1559720182/'
       virustotal.sha1: 'bec1b52d350d721c7e22a6d4bb0a92909893a3ae'
       virustotal.malicious: '1'
       virustotal.source.alert_id: '1559901626.134618'
       virustotal.source.sha1: 'bec1b52d350d721c7e22a6d4bb0a92909893a3ae'
       virustotal.source.file: 'c:\users\wadmin\downloads\eicarcom2 (1).zip'
       virustotal.source.md5: 'e4968ef99266df7c9a1f0637d2389dab'
       virustotal.positives: '54'
       virustotal.found: '1'
       virustotal.total: '63'
       virustotal.scan_date: '2019-06-05 07:36:22'
       integration: 'virustotal'

**Phase 3: Completed filtering (rules).
       Rule id: '87105'
       Level: '12'
       Description: 'VirusTotal: Alert - c:\users\wadmin\downloads\eicarcom2 (1).zip - 54 engines detected this file'
**Alert to be generated.


If you made modifications to these rules, can you share them so we can try to determine the cause of this issue?


Best regards.



Oscar Lopez

Jun 10, 2019, 7:07:38 AM
to Wazuh mailing list
Hi Alberto,

Yes, I have a local rule in /var/ossec/etc/rules/local_rules.xml:

<group name="windows">

  <rule id="100009" level="16">
    <if_sid>554</if_sid>
    <description>Alert: Added content on monitorized directory</description>
  </rule>

</group>


I have removed my local_rules.xml and the issue still remains: ossec-logtest does not progress, as mentioned in my first entry on this, and phase 2 stops with no more info...

**Phase 2: Completed decoding.
       decoder: 'json'

I have noticed that my JSON decoder file is:

<!--
- JSON Decoders
- Copyright (C) 2015-2019, Wazuh Inc.
- April 21, 2017.
-
- This program is a free software; you can redistribute it
- and/or modify it under the terms of the GNU General Public
- License (version 2) as published by the FSF - Free Software
- Foundation.
-->

<decoder name="json">
  <prematch>^{\s*"</prematch>
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>

<decoder name="pnp_device_id">
  <parent>json</parent>
  <regex>USBSTOR#Disk&Ven_(\S*)&Prod_(\S*)&Rev_(\.*)#(\S*)&0#\S*\s</regex>
  <order>usb.vendor, usb.product, usb.rev, usb.serial_number</order>
</decoder>

<decoder name="pnp_device_id_2">
  <parent>json</parent>
  <regex>USBSTOR#Disk&amp;Ven_(\S*)&amp;Prod_(\S*)&amp;Rev_(\.*)#(\S*)&amp;0#\S*\s</regex>
  <order>usb.vendor, usb.product, usb.rev, usb.serial_number</order>
</decoder>

I have removed the newly added content and it finally works. From my ossec-logtest output:
{"virustotal": {"permalink": "https://www.virustotal.com/file/e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397/analysis/1559720182/", "sha1": "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "malicious": 1, "source": {"alert_id": "1559901626.134618", "sha1": "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "file": "c:\\users\\wadmin\\downloads\\eicarcom2 (1).zip", "md5": "e4968ef99266df7c9a1f0637d2389dab"}, "positives": 54, "found": 1, "total": 63, "scan_date": "2019-06-05 07:36:22"}, "integration": "virustotal"}


**Phase 1: Completed pre-decoding.
       full event: '{"virustotal": {"permalink": "https://www.virustotal.com/file/e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397/analysis/1559720182/", "sha1": "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "malicious": 1, "source": {"alert_id": "1559901626.134618", "sha1": "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "file": "c:\\users\\wadmin\\downloads\\eicarcom2 (1).zip", "md5": "e4968ef99266df7c9a1f0637d2389dab"}, "positives": 54, "found": 1, "total": 63, "scan_date": "2019-06-05 07:36:22"}, "integration": "virustotal"}'
       timestamp: '(null)'
       hostname: 'risk-server'
       program_name: '(null)'
       log: '{"virustotal": {"permalink": "https://www.virustotal.com/file/e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397/analysis/1559720182/", "sha1": "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "malicious": 1, "source": {"alert_id": "1559901626.134618", "sha1": "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "file": "c:\\users\\wadmin\\downloads\\eicarcom2 (1).zip", "md5": "e4968ef99266df7c9a1f0637d2389dab"}, "positives": 54, "found": 1, "total": 63, "scan_date": "2019-06-05 07:36:22"}, "integration": "virustotal"}'

**Phase 2: Completed decoding.
       decoder: 'json'
       virustotal.sha1: 'bec1b52d350d721c7e22a6d4bb0a92909893a3ae'
       virustotal.malicious: '1'
       virustotal.source.alert_id: '1559901626.134618'
       virustotal.source.sha1: 'bec1b52d350d721c7e22a6d4bb0a92909893a3ae'
       virustotal.source.file: 'c:\users\wadmin\downloads\eicarcom2 (1).zip'
       virustotal.source.md5: 'e4968ef99266df7c9a1f0637d2389dab'
       virustotal.positives: '54'
       virustotal.found: '1'
       virustotal.total: '63'
       virustotal.scan_date: '2019-06-05 07:36:22'
       integration: 'virustotal'

**Phase 3: Completed filtering (rules).
       Rule id: '87105'
       Level: '12'
       Description: 'VirusTotal: Alert - c:\users\wadmin\downloads\eicarcom2 (1).zip - 54 engines detected this file'
**Alert to be generated.

So finally it is solved.

But my question now is: how does the decoder process work? I assumed that it followed a hierarchical search: when you match a node, if there are other nodes whose parent is the previous one, they are analyzed as well to perform a more accurate decoding. Is this approach correct?

Thank you again in advance.

Best regards

Oscar

Alberto Marín

Jun 10, 2019, 7:52:37 AM
to Wazuh mailing list
Hi Oscar,

I am glad that you solved the issue.

The problem was that you added a child to the JSON decoder. The JSON decoder decodes all the fields included in a JSON string, so no child decoders are needed.
Here you can find more information about the JSON decoder: https://documentation.wazuh.com/current/user-manual/ruleset/json-decoder.html

Regarding the decoder process you mentioned, your approach is correct. The decoder process performs a hierarchical search and returns the most accurate decoder that matches the specified log. In some cases, some decoders are used in combination to extract specific fields. For example the "windows_fields" decoder: https://github.com/wazuh/wazuh/blob/3.9/etc/decoders/0380-windows_decoders.xml#L611

Hope this helps. We will be happy to answer any questions you might have.


Best regards.

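The two things this thread turns on are what the json decoder extracts from the integrator event (the dotted `virustotal.*` fields that ossec-logtest prints in phase 2) and the fact that a decoder declared with `<parent>json</parent>` broke that extraction. The script below is an added example, not Wazuh's code and not a reproduction of its decoder engine: it flattens the archives.json record from the thread into the same dotted fields, applies an assumed condition for rule 87105 (fire when `virustotal.malicious` is `1`, with the description format seen above; the real rule XML is not on this page), and lints a decoder file for decoders hung off the json decoder. Both sample inputs are constructed from the thread's own output; the names `decode_archive_record`, `would_alert` and `children_of_json_decoder` are this example's, not Wazuh's.

```python
import json
import re

# Constructed sample: the archives.json record from the thread, re-typed as a raw
# string so the JSON escaping inside full_log survives unchanged.
ARCHIVE_RECORD = r'''{"timestamp":"2019-06-06T13:59:48.941+0000","agent":{"id":"003","name":"DESKTOP-DJ7F955","ip":"192.168.15.166"},"manager":{"name":"risk-server"},"id":"1559829588.1123306","full_log":"{\"virustotal\": {\"permalink\": \"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1559829032/\", \"sha1\": \"3395856ce81f2b7382dee72602f798b642f14140\", \"malicious\": 1, \"source\": {\"alert_id\": \"1559829557.1123306\", \"sha1\": \"3395856ce81f2b7382dee72602f798b642f14140\", \"file\": \"c:\\\\users\\\\wadmin\\\\downloads\\\\eicar.com.txt\", \"md5\": \"44d88612fea8a8f36de82e1278abb02f\"}, \"positives\": 63, \"found\": 1, \"total\": 64, \"scan_date\": \"2019-06-06 13:50:32\"}, \"integration\": \"virustotal\"}","decoder":{"name":"json"},"location":"virustotal"}'''

# Constructed sample: the decoder file from the thread, with the two child
# decoders that were hung off the json decoder.
LOCAL_DECODER_XML = r'''<decoder name="json">
  <prematch>^{\s*"</prematch>
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>

<decoder name="pnp_device_id">
  <parent>json</parent>
  <regex>USBSTOR#Disk&Ven_(\S*)&Prod_(\S*)&Rev_(\.*)#(\S*)&0#\S*\s</regex>
  <order>usb.vendor, usb.product, usb.rev, usb.serial_number</order>
</decoder>

<decoder name="pnp_device_id_2">
  <parent>json</parent>
  <regex>USBSTOR#Disk&amp;Ven_(\S*)&amp;Prod_(\S*)&amp;Rev_(\.*)#(\S*)&amp;0#\S*\s</regex>
  <order>usb.vendor, usb.product, usb.rev, usb.serial_number</order>
</decoder>
'''


def flatten(value, prefix=""):
    """Turn nested JSON into the dotted 'virustotal.source.file' style fields
    that ossec-logtest prints in phase 2 (every value rendered as a string)."""
    if isinstance(value, dict):
        fields = {}
        for key, child in value.items():
            fields.update(flatten(child, f"{prefix}{key}."))
        return fields
    if isinstance(value, list):
        return {prefix[:-1]: ",".join(str(item) for item in value)}
    return {prefix[:-1]: str(value)}


def decode_archive_record(line):
    """The event text sits in full_log of the archives.json record and is itself
    a JSON document; decode both layers and flatten the inner one."""
    record = json.loads(line)
    event = json.loads(record["full_log"])
    return flatten(event)


def would_alert(fields):
    """Assumed condition for rule 87105 (a reconstruction for this example, not
    the ruleset's XML): fire when virustotal.malicious is '1', using the
    description format seen in the thread's alerts.log output."""
    if fields.get("virustotal.malicious") != "1":
        return None
    return (f"VirusTotal: Alert - {fields['virustotal.source.file']} - "
            f"{fields['virustotal.positives']} engines detected this file")


# A regex scan rather than an XML parser: Wazuh decoder files have no single
# root element and the thread's file has an unescaped '&' inside <regex>.
DECODER_BLOCK = re.compile(r'<decoder\s+name="([^"]+)"\s*>(.*?)</decoder>', re.S)
PARENT_TAG = re.compile(r"<parent>\s*([^<\s]+)\s*</parent>")


def children_of_json_decoder(decoder_xml):
    """Lint check: names of decoders declared with <parent>json</parent>.
    The json decoder already extracts every field, so any such child is
    unnecessary and, as this thread shows, can stop the fields being decoded."""
    offenders = []
    for match in DECODER_BLOCK.finditer(decoder_xml):
        name, body = match.group(1), match.group(2)
        parent = PARENT_TAG.search(body)
        if parent and parent.group(1) == "json":
            offenders.append(name)
    return offenders


if __name__ == "__main__":
    decoded = decode_archive_record(ARCHIVE_RECORD)
    for key, val in decoded.items():
        print(f"{key}: '{val}'")
    print(would_alert(decoded))
    print("decoders hung off json:", children_of_json_decoder(LOCAL_DECODER_XML))
```

Run the lint over /var/ossec/etc/decoders/local_decoder.xml after any decoder change; a non-empty result is the configuration this thread spent three messages finding.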

donetz errasti

Jun 10, 2019, 9:54:19 AM
to Wazuh mailing list
Hi Oscar,

How did you integrate VirusTotal with Wazuh? Have you done it with a premium API key? I would really appreciate your help in order to succeed in this integration.

Thank you

Alberto Marín

Jun 10, 2019, 10:30:10 AM
to Wazuh mailing list
Hi Donetz,

To enable this integration, you can follow the VirusTotal integration documentation here:

https://documentation.wazuh.com/current/user-manual/capabilities/virustotal-scan/index.html

You can use the free API key (4 requests/minute rate) or the Premium API key.

Please let me know if you need any further assistance.


Best regards.

