CDB Lists


Matthias Appelmans

Apr 29, 2024, 7:14:00 AM
to Wazuh | Mailing List
I'm following this documentation: https://documentation.wazuh.com/current/user-manual/capabilities/malware-detection/cdb-lists-threat-intelligence.html#use-case-detecting-malware-using-file-hashes-in-a-cdb-list


I added the hashes to a list, then I added the path in ossec.conf:

  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>
    <list>etc/lists/malware-hashes</list>

I restarted the manager, I got the .cdb file in /var/ossec/etc/lists

root@WAZUH-VM:/var/ossec/etc/lists# ls -la | grep "malware-hashes*"
-rw-r--r-- 1 wazuh wazuh    78 apr 29 12:48 malware-hashes
-rw-rw---- 1 wazuh wazuh  2170 apr 29 12:49 malware-hashes.cdb

Then I added this rule:

<group name="malware,">
  <rule id="110002" level="13">
    <!-- The if_sid tag references the built-in FIM rules -->
    <if_sid>554, 550</if_sid>
    <list field="md5" lookup="match_key">etc/lists/malware-hashes</list>
    <description>File with known malware hash detected: $(file)</description>
    <mitre>
      <id>T1204.002</id>
    </mitre>
  </rule>
</group>

Then I added this to my conf:

    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>
    <directories check_all="yes" realtime="yes">/home/matthias/Downloads</directories>

Then I downloaded the malware files:

sudo curl https://wazuh-demo.s3-us-west-1.amazonaws.com/mirai --output /home/matthias/Downloads/mirai

sudo curl https://wazuh-demo.s3-us-west-1.amazonaws.com/xbash --output /home/matthias/Downloads/Xbash



But this is not giving any result...
What am I doing wrong?

Kind regards,
Matthias

Juan Nicolás Asselle (Nico Asselle)

Apr 29, 2024, 7:56:20 AM
to Wazuh | Mailing List
Hi Matthias,

I've checked that the checksums and CDB list are OK, and then reproduced it successfully, so I guess it could be one of the following situations:
- FIM/Syscheck configuration placement: did you add this on the endpoint side, or are you just using the manager for this? Remember that the malware files should be on the same host that has the FIM/Syscheck custom configuration.
- Did you restart both the manager and endpoint in the same order that the documentation suggests?

Looking forward to your comments.
Nico
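The detection chain this thread is debugging, modelled offline as an added example (it is neither Wazuh's code nor the poster's): a syscheck "file added" event (built-in rule 554) carrying an md5 field, the lookup="match_key" check against the CDB list, and the custom rule 110002 with its $(file) description template. Assumptions: the list source is modelled as key:value lines with "#" comments, events are plain dicts, the hash in the constructed list is the md5 of a constructed file rather than a real malware sample, and only the match_key lookup type is implemented. It also shows the failure mode Nico points to: if the directory is not monitored by FIM on the endpoint, no 554/550 event ever reaches the ruleset, so rule 110002 has nothing to match.

```python
"""Offline model of: FIM 'file added' event -> CDB match_key lookup -> rule 110002.

Added example, not Wazuh code. The list format, event shape and lookup
semantics are simplified assumptions for illustration.
"""
import hashlib
import os
import tempfile

# Constructed CDB list source in the 'key:value' style used for
# etc/lists/malware-hashes. The key is md5(b"hello"), a stand-in hash.
MALWARE_LIST_SRC = """\
# md5:label   (constructed sample, not a real threat feed)
5d41402abc4b2a76b9719d911017c592:sample-hello
"""


def parse_cdb_list(text):
    """Parse key:value lines into a dict, skipping blanks and '#' comments."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entries[key.strip()] = value.strip()
    return entries


def md5_of_file(path):
    """Hex md5 of a file, read in chunks (what syscheck reports as md5)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def fim_file_added_event(path):
    """Model of the syscheck alert (built-in rule 554, 'file added') that the
    manager only sees if the directory is monitored on the endpoint."""
    return {"rule_id": 554, "file": path, "md5": md5_of_file(path)}


def custom_rule_110002(event, cdb):
    """Model of the thread's rule: if_sid 554/550, then match_key on md5."""
    if event.get("rule_id") not in (554, 550):   # <if_sid>554, 550</if_sid>
        return None
    if event.get("md5") not in cdb:              # lookup="match_key"
        return None
    return {
        "rule_id": 110002,
        "level": 13,
        "description": "File with known malware hash detected: " + event["file"],
    }


def alerts_for(events, cdb):
    """Run every event through rule 110002; an empty event list (no FIM on
    the endpoint) yields no alerts regardless of the list contents."""
    return [a for a in (custom_rule_110002(e, cdb) for e in events) if a]


def demo():
    """Two files in a temporary 'Downloads' dir; only the listed hash fires.
    Returns the basenames of files that raised rule 110002."""
    cdb = parse_cdb_list(MALWARE_LIST_SRC)
    with tempfile.TemporaryDirectory() as d:
        listed = os.path.join(d, "sample")
        benign = os.path.join(d, "notes.txt")
        with open(listed, "wb") as f:
            f.write(b"hello")                    # md5 matches the list entry
        with open(benign, "wb") as f:
            f.write(b"harmless content")
        events = [fim_file_added_event(p) for p in (listed, benign)]
        alerts = alerts_for(events, cdb)
    return [os.path.basename(a["description"].split(": ", 1)[1]) for a in alerts]


if __name__ == "__main__":
    print(demo())
```

If the same two files are written on the manager while the `<directories>` entry lives only in the agent's ossec.conf (or vice versa), the model's event list is empty and `alerts_for` returns nothing, which is exactly the symptom in the first post.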