ClamAV


Miguel Barbero

Aug 25, 2017, 6:20:44 AM
to Wazuh mailing list
Good morning,

we are using ClamAV on our Linux systems and we are trying to get virus alerts using your Wazuh 2.1 infrastructure.

At first, we tried to apply a common configuration to our Linux systems using /var/ossec/etc/shared/agent.conf on the Wazuh manager:

<agent_config os="Linux">
  <localfile>
    <location>/var/log/clamav/clamav.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>

Second step, make sure we are using this new configuration on at least one Linux system:

[root@465254f6f06f /]# md5sum /var/ossec/etc/shared/agent.conf
b935f4a97f3f01997b240c8bf0847d52  /var/ossec/etc/shared/agent.conf

[root@465254f6f06f /]# /var/ossec/bin/agent_control -i 283 | grep version
   Client version:      Wazuh v2.1.0 / 172abe98c0f15723c3eed3b83f32788f

Force a restart on the Wazuh manager and on Wazuh agent 283, then:

[root@465254f6f06f /]# /var/ossec/bin/agent_control -R -u 283

Wazuh agent_control: Restarting agent: 283

but nothing changes:

[root@465254f6f06f /]# /var/ossec/bin/agent_control -i 283 | grep version
   Client version:      Wazuh v2.1.0 / 172abe98c0f15723c3eed3b83f32788f

Third step, we change ossec.conf directly on Wazuh agent 283 with the new setting (some output truncated):

root@xtg-gc-proxypci-02:~# cat /var/ossec/etc/ossec.conf
<!--
  Wazuh - Agent - Default configuration for ubuntu 16.04
-->
...

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/clamav/clamav.log</location>
  </localfile>

We restart the Wazuh agent and cause a false virus detection with the EICAR file. We can see that ClamAV detects it and writes a log entry to /var/log/clamav/clamav.log, but we are not able to see any log on the Wazuh manager (/var/ossec/logs/alerts/alerts.log):

root@xtg-gc-proxypci-02:~# cat /var/log/clamav/clamav.log
-------------------------------------------------------------------------------
./eicar_false_virus.txt: Eicar-Test-Signature FOUND

We would appreciate any thoughts or tips to help us gather these logs on our Wazuh manager.

Thanks and best regards.

Jesus Linares

Aug 26, 2017, 2:10:05 PM
to Wazuh mailing list
Hi Miguel,


<!--
Nov 18 16:51:04 hostname clamd[511]: /usr/share/clamav-testfiles/clam.arj: ClamAV-Test-File(f58327b03afd2a727c3329ba3c0947a7:393) FOUND
       url: '/usr/share/clamav-testfiles/clam.arj'
       extra_data: 'ClamAV-Test-File'
       id: 'f58327b03afd2a727c3329ba3c0947a7'
-->

<decoder name="clamd-found">
  <parent>clamd</parent>
  <prematch>FOUND</prematch>
  <regex>(\S+):\s+(\S+)\((\S+):</regex>
  <order>url, extra_data, id</order>
</decoder>

You can try to adapt the decoders to your log format (https://documentation.wazuh.com/current/user-manual/ruleset/custom.html)

On the other hand, I remember using these commands to get the ClamAV log file:
  • clamscan --infected -r $SCAN_DIRECTORY --log=$LOG_FILE --stdout
  • Redirect to syslog: clamscan --infected -r $SCAN_DIRECTORY --log=$LOG_FILE --stdout | logger -i -t clamav
I hope it helps.

Jeremy Larose

Aug 27, 2017, 11:05:43 AM
to Wazuh mailing list
I ran into the same issue with macOS; I will have to create a decoder for it. I'll post one here if I get a chance to get to it.

Miguel Barbero

Aug 31, 2017, 4:10:31 AM
to Wazuh mailing list
Bingo!!

Thanks a lot Jesus!!

I wasn't using "logger" to forward the scan log to syslog, and because of that we weren't seeing anything.

By using "logger", I can see the alerts in alerts.log on the Wazuh manager and in Elasticsearch.

[root /]# tailf /var/ossec/logs/alerts/alerts.log | grep clamd

** Alert 1504166007.573136: - clamd,freshclam,virus,pci_dss_5.1,pci_dss_5.2,pci_dss_11.4,
Aug 31 07:53:27 xxx-02 clamd[14454]: /eicar_false_virus.txt: Eicar-Test-Signature FOUND



Thanks again for your great advice!!

Best regards

Jeremy Larose

Sep 7, 2017, 9:05:19 AM
to Wazuh mailing list
I found that logger doesn't play well with the new macOS Sierra, which actually has a whole new logging system... but this works to get OSSEC to detect infected files on a Mac:

clamscan --infected -r $SCAN_DIRECTORY --stdout --no-summary | sed "s/^/$(date '+%b %d %H:%M:%S') ${HOSTNAME:-$(hostname)} clamd: /" >> $LOG_FILE
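The two halves of this thread (Jesus's clamd-found decoder plus the logger tip, and the sed one-liner above) come down to one thing: a bare clamscan line such as "/eicar_false_virus.txt: Eicar-Test-Signature FOUND" carries no syslog header, so Wazuh's syslog log_format never yields a program name and the clamd decoders never see it. The script below is an added example, not code from this thread or from the Wazuh ruleset: it wraps clamscan detection lines in the syslog header the decoders key on, and it emulates what the clamd-found decoder extracts (url, extra_data, id) so you can check a line before shipping it. The function names, the timestamp/hostname parameters and the sample scan output are my own constructions; the decoder emulation assumes paths without ": " or spaces, which the decoder's \S+ groups would not survive either.

```shell
#!/bin/sh
# Added example (not from the thread or the Wazuh ruleset).
#   clamav_to_syslog - prefixes clamscan detection lines with the
#                      "Mon DD HH:MM:SS host clamd: " header that Wazuh's
#                      "syslog" log_format and the clamd parent decoder expect
#   clamd_decode     - emulates the clamd-found decoder's extraction of
#                      url, extra_data and id from such a line
# Assumption: timestamp and hostname are parameters so runs are reproducible.

# stdin: raw clamscan --infected --stdout output
# $1: syslog timestamp (default: now), $2: hostname (default: hostname -s)
clamav_to_syslog() {
    ts=${1:-$(date '+%b %d %H:%M:%S')}
    host=${2:-$(hostname -s)}
    # keep only detection lines; "OK" lines and the scan summary are dropped
    grep ' FOUND$' | sed "s|^|${ts} ${host} clamd: |"
}

# $1: one syslog line. Prints "url=... extra_data=... id=..." and returns 0,
# or returns 1 when the line would never reach the clamd-found decoder
# (no "clamd" program name in the header, or no FOUND prematch).
clamd_decode() {
    line=$1
    case $line in
        *' clamd'*': '*' FOUND'*) ;;
        *) return 1 ;;
    esac
    # drop the syslog header up to and including "clamd[pid]: " or "clamd: "
    msg=$(printf '%s\n' "$line" | sed -E 's/^.* clamd(\[[0-9]+\])?: //')
    url=${msg%%: *}            # the "(\S+):" group: the scanned path
    rest=${msg#*: }
    sig=${rest%% FOUND*}       # "Signature" or "Signature(hash:size)"
    case $sig in
        *\(*:*\)) extra=${sig%%\(*}; id=${sig#*\(}; id=${id%%:*} ;;
        *)        extra=$sig; id= ;;   # clamscan style: no hash, id stays empty
    esac
    printf 'url=%s extra_data=%s id=%s\n' "$url" "$extra" "$id"
}

# Constructed sample of clamscan output (EICAR test file plus the ClamAV
# test archive); not captured from a real host.
SAMPLE='/tmp/eicar.txt: Eicar-Test-Signature FOUND
/tmp/clean.txt: OK
/usr/share/clamav-testfiles/clam.arj: ClamAV-Test-File(f58327b03afd2a727c3329ba3c0947a7:393) FOUND

----------- SCAN SUMMARY -----------
Infected files: 2'

demo() {
    # wrapped lines decode; the raw clamscan line from the first post does not
    printf '%s\n' "$SAMPLE" | clamav_to_syslog 'Aug 31 07:53:27' 'xxx-02' |
    while IFS= read -r l; do
        clamd_decode "$l"
    done
    clamd_decode '/eicar_false_virus.txt: Eicar-Test-Signature FOUND' ||
        echo 'raw clamscan line: not decoded (no syslog header / program name)'
}

demo
```

In production you would either append the wrapped lines to the file the agent's localfile block reads (clamscan --infected -r "$DIR" --stdout --no-summary | clamav_to_syslog >> /var/log/clamav/clamav.log) or skip the wrapper and pipe into logger, which writes the header itself; in that case tag the messages clamd (logger -t clamd) so the program name matches the clamd parent decoder that clamd-found hangs off.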

Jeremy Larose

Sep 11, 2017, 2:48:46 PM
to Wazuh mailing list
and this works with Windows if needed (bat file)...

@echo off
rem Build a syslog-style "Mon DD HH:MM:SS host clamd: " prefix from %date% and %time%
rem (assumes the en-US "Ddd MM/DD/YYYY" date layout; $CLAMAV_DIRECTORY, $SCAN_DIRECTORY
rem and $LOG_FILE are placeholders to fill in)

set Month=%date:~4,2%

if %Month%==01 set monthclamav=Jan
if %Month%==02 set monthclamav=Feb
if %Month%==03 set monthclamav=Mar
if %Month%==04 set monthclamav=Apr
if %Month%==05 set monthclamav=May
if %Month%==06 set monthclamav=Jun
if %Month%==07 set monthclamav=Jul
if %Month%==08 set monthclamav=Aug
if %Month%==09 set monthclamav=Sep
if %Month%==10 set monthclamav=Oct
if %Month%==11 set monthclamav=Nov
if %Month%==12 set monthclamav=Dec

set day=%date:~7,2%

rem before 10:00 %time% starts with a space (" 9:05:19.12"); pad it with 0 so the
rem timestamp keeps the HH:MM:SS shape the Wazuh syslog format expects
set timepad=%time: =0%
set timeclamav=%timepad:~0,8%

cd $CLAMAV_DIRECTORY
freshclam
rem only the "... FOUND" lines are kept and prefixed, then appended to the log Wazuh reads
clamscan --memory -r -i $SCAN_DIRECTORY 2> nul | find "FOUND" | sed\sed -e "s/^/%monthclamav% %day% %timeclamav% %computername% clamd: /" >> $LOG_FILE

Jeremy Larose

Sep 11, 2017, 2:50:05 PM
to Wazuh mailing list
Oh yeah, forgot to mention: that bat file requires the sed tool to be in a sed folder within the ClamAV directory (http://gnuwin32.sourceforge.net/packages/sed.htm).