Integration to VirusTotal fails


Wazuh User 0361

May 5, 2023, 2:18:06 AM
to wa...@googlegroups.com
Hello,
Need help... the integration to VirusTotal fails.

ossec.log
-------------------
2023/05/05 13:14:16 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
2023/05/05 13:14:16 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: requests.exceptions.ConnectionError: HTTPSConnectionPool(host='www.virustotal.com', port=443): Max retries exceeded with url: /vtapi/v2/file/report?apikey=(my virus total api key)&resource=38710121bd3c007dcc623f549b568d1d (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f169fc56d30>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
 
2023/05/05 13:14:16 wazuh-integratord: ERROR: Exit status was: 1

integration.log
------------------
Fri May 05 13:14:06 +08 2023 /tmp/virustotal-1683263644--1637053651.alert  (my virus total api key)   > /dev/null 2>&1

ossec.conf
--------------
<integration>
  <name>virustotal</name>
  <api_key>(my virus total api key)</api_key> <!-- Replace with your VirusTotal API key -->
  <group>syscheck</group>
  <alert_format>json</alert_format>
</integration>

My system:

Wazuh:
App version: 4.4.1
App revision: 01

Server: Ubuntu 22.04.2 LTS

DNS config:
nameserver 8.8.8.8

Additional info: I use a proxy system for internet access in my server environment.

Thank you
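
As an added example (not code from this thread or from Wazuh), here is a small Python parser for wazuh-integratord error lines like the ones in ossec.log above: it pulls out the host, port and underlying errno to tell a resolver failure (Errno -3, as here) from a TCP-level one, and redacts the apikey query parameter, because the error output writes the full request URL, key included, into ossec.log. The sample log is constructed from the excerpt above with a placeholder key; the errno-to-cause table is my own mapping.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample modelled on the ossec.log excerpt in the thread; the
# apikey value is a made-up placeholder, not a real VirusTotal key.
SAMPLE_LOG = """\
2023/05/05 13:14:16 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
2023/05/05 13:14:16 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: requests.exceptions.ConnectionError: HTTPSConnectionPool(host='www.virustotal.com', port=443): Max retries exceeded with url: /vtapi/v2/file/report?apikey=PLACEHOLDER_KEY_0123&resource=38710121bd3c007dcc623f549b568d1d (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f169fc56d30>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
2023/05/05 13:14:16 wazuh-integratord: ERROR: Exit status was: 1
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) wazuh-integratord: ERROR: While running "
                     r"(?P<integration>\S+) -> \S+\. Output: (?P<output>.*)$")
POOL_RE = re.compile(r"HTTPSConnectionPool\(host='(?P<host>[^']+)', port=(?P<port>\d+)\)")
URL_RE = re.compile(r"with url: (?P<path>\S+)")
ERRNO_RE = re.compile(r"\[Errno (?P<errno>-?\d+)\]")
# Underlying OS errno -> layer to check first (resolver vs. TCP reachability).
CAUSE_BY_ERRNO = {"-2": "dns", "-3": "dns", "111": "tcp-refused", "110": "tcp-timeout"}
SECRET_PARAMS = ("apikey", "api_key", "key")

def redact_query_secrets(path):
    """Replace secret-bearing query values so the line can be shared safely."""
    parts = urlsplit(path)
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in query:
        if name.lower() in SECRET_PARAMS:
            query[name] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))

def classify_integratord_errors(text):
    """Turn 'While running ... Output:' lines into findings with the key removed."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        out = m.group("output")
        pool, url, err = POOL_RE.search(out), URL_RE.search(out), ERRNO_RE.search(out)
        errno = err.group("errno") if err else None
        findings.append({
            "ts": m.group("ts"),
            "integration": m.group("integration"),
            "host": pool.group("host") if pool else None,
            "port": int(pool.group("port")) if pool else None,
            "url": redact_query_secrets(url.group("path")) if url else None,
            "errno": errno,
            "cause": CAUSE_BY_ERRNO.get(errno, "other"),
            # True when the integration's error output put the key into ossec.log.
            "key_in_log": bool(url and "apikey=" in url.group("path")),
        })
    return findings
```

A "dns" cause means the integratord process itself could not resolve the name, which is worth comparing against whatever proxy settings the shell that runs curl has.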



suricata

May 5, 2023, 2:58:13 AM
to Wazuh mailing list
Hello,

What I see there is that there is no connection to the outside. VirusTotal cannot check the API or connect to your database.

Regards,

Wazuh User 0361

May 5, 2023, 3:05:53 AM
to suricata, Wazuh mailing list
Hello,
Thank you for your response.
I think my connection to the outside is not the problem, because I can still reach other websites.


Abdullah Al Rafi Fahim

May 5, 2023, 4:22:35 AM
to Wazuh mailing list
Hello Wazuh User,

This looks like a connectivity issue. To troubleshoot this further, can you try to run the following commands in your server and let us know the output here?

I will wait for your response here.

Wazuh User 0361

May 5, 2023, 4:51:04 AM
to Wazuh mailing list
Here is the result:

ping: www.virustotal.com: Temporary failure in name resolution

# curl -v https://www.virustotal.com/vtapi/v2/file/report
* Uses proxy env variable https_proxy == 'http://my proxy ip:8080/'
*   Trying my proxy ip:8080...
* Connected to (nil) (my proxy ip) port 8080 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.virustotal.com:443
> CONNECT www.virustotal.com:443 HTTP/1.1
> Host: www.virustotal.com:443
> User-Agent: curl/7.81.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection Established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=ES; L=Malaga; O=VirusTotal SL; CN=*.virustotal.com
*  start date: Dec 12 00:00:00 2022 GMT
*  expire date: Jan 12 23:59:59 2024 GMT
*  subjectAltName: host "www.virustotal.com" matched cert's "*.virustotal.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x55fff092fe90)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /vtapi/v2/file/report HTTP/2
> Host: www.virustotal.com
> user-agent: curl/7.81.0
> accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 403
< content-type: text/html; charset=utf-8
< cache-control: no-cache
< x-cloud-trace-context: 568aea02ca72c9ef1732df31978fddbb
< date: Fri, 05 May 2023 08:44:26 GMT
< server: Google Frontend
< content-length: 0
<
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Connection #0 to host (nil) left intact

Wazuh User 0361

May 5, 2023, 5:00:26 AM
to Wazuh mailing list
I tried this command too:

curl https://www.virustotal.com/vtapi/v2/file/report -F resource=1394942aef881f6fa872e0ce8c604bccb0ece22693b4fb5a5db0f5f2e6979f5e -F apikey=<vt-api-key>

The result is OK, I get the report from VirusTotal:

# curl https://www.virustotal.com/vtapi/v2/file/report -F resource=1394942aef881f6fa872e0ce8c604bccb0ece22693b4fb5a5db0f5f2e6979f5e -F apikey=(my api key)
{"scans": {"Bkav": {"detected": false, "version": "1.3.0.9899", "result": null, "update": "20211209"}, "Lionic": {"detected": true, "version": "4.2", "result": "Trojan.Win32.Generic.4!c", "update": "20211209"}, "Elastic": {"detected": false, "version": "4.0.31", "result": null, "update": "20211118"}, "MicroWorld-eScan": {"detected": true, "version": "14.0.409.0", "result": "Trojan.Rasftuby.Gen.2", "update": "20211209"}, "FireEye": {"detected": true, "version": "32.44.1.0", "result": "Trojan.Rasftuby.Gen.2", "update": "20211209"}, "CAT-QuickHeal": {"detected": false, "version": "14.00", "result": null, "update": "20211209"}, "McAfee": {"detected": true, "version": "6.0.6.653", "result": "Artemis!0D57927D8DAA", "update": "20211209"}, "Cylance": {"detected": true, "version": "2.3.1.101", "result": "Unsafe", "update": "20211209"}, "Zillya": {"detected": false, "version": "2.0.0.4519", "result": null, "update": "20211209"}, "Sangfor": {"detected": true, "version": "2.9.0.0", "result": "Backdoor.Win32.Androm.8", "update": "20211207"}, "K7AntiVirus": {"detected": true, "version": "11.232.39727", "result": "Trojan ( 700000111 )", "update": "20211209"}, "Alibaba": {"detected": true, "version": "0.3.0.5", "result": "Worm:Win32/Gamarue.a9c8437f", "update": "20190527"}, "K7GW": {"detected": true, "version": "11.232.39695", "result": "Trojan ( 700000111 )", "update": "20211209"}, "Cybereason": {"detected": true, "version": "1.2.449", "result": "malicious.d8daa6", "update": "20210330"}, "Baidu": {"detected": true, "version": "1.0.0.2", "result": "Archive.Bomb", "update": "20190318"}, "Cyren": {"detected": true, "version": "6.5.1.2", "result": "W32/Trojan.MQTJ-5716", "u.......




Wazuh User 0361

May 10, 2023, 1:09:18 AM
to Wazuh mailing list
Can anyone help me...
Until now, the integration to VirusTotal still fails.

Abdullah Al Rafi Fahim

May 11, 2023, 12:53:16 AM
to Wazuh mailing list
Hello Wazuh User,

I have tried to replicate the issue with a VirusTotal Public API in my local lab with the same <integration> configuration in ossec.conf file. In my case, the integration is working fine without any error and triggering VirusTotal scan and alerts for syscheck alerts.

(screenshots attached: vt1.png, vt2.png)

Therefore, I can assure you that this is not an issue with the VirusTotal integration script or configuration. Rather, the ERROR message indicates a connection error: it fails to connect to host='www.virustotal.com', port=443. Therefore, can you check if you have any network restriction that is not allowing the script to connect to that specific URL using port 443? Do you use any other service other than the Wazuh manager on the same server?

I am sharing some similar discussions regarding this "Failed to establish a new connection: [Errno -3] Temporary failure in name resolution" issue for your reference:

Wazuh User 0361

May 13, 2023, 8:55:36 AM
to Wazuh mailing list
Hello Abdullah, thank you for your help.
FYI, my server is only for Wazuh.
I will check my network environment again.

Thank you
