YARA INTEGRATION IN WAZUH


Juan Romero

Aug 4, 2020, 4:59:22 AM8/4/20
to Wazuh mailing list
Hi there:

Following this blog entry:


to integrate Yara scanning/detection with Wazuh, but I'm having a hard time getting it working.
Just wondering if someone could give me some rope here.

The command to be used for AR on the manager looks like this (as posted in the article):

<command>
    <name>yara</name>
    <executable>yara.sh</executable>
    <expect>filename</expect>
    <extra_args>-yara_path /path/to/yara -yara_rules /path/to/rules</extra_args>
    <timeout_allowed>no</timeout_allowed>
</command>

So, it'd indicate that you need to pass along a folder ("/path/to/rules"). I could be wrong, but I believe that Yara will only accept a .yar file and not a folder.
As for the "expect" tag, the alert will generate a "file_path", not "filename", so I'm not sure if that'd have to be changed as well.
In any case, after changing some of these settings back and forth, and although alerts 550 and 554 (syscheck for file created and file changed) are being generated in real time from the agent I'm testing on, the AR doesn't trigger.
Not sure if someone has had a chance to test this and could give some advice.
Thanks in advance
Juan.

Juan Cabrera

Aug 4, 2020, 7:20:19 AM8/4/20
to Wazuh mailing list

Hello Juan,

Indeed, Yara only supports files and not directories. Check that the yara.sh script has the correct permissions. Make sure that the yara.sh file ownership is root:ossec and the permissions are 750.

Best regards,
Juan Cabrera
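A preflight script that turns the checks discussed in the two messages above (the rules argument must be a file, and yara.sh must be owned by root:ossec with mode 750) into something you can run on the agent before triggering FIM. This is an added example, not code from the thread or from Wazuh; the default paths for yara.sh, the yara binary and the rules file are assumptions taken from the thread and can be overridden through the environment variables, and the mode and owner checks rely on GNU stat (Linux).

```shell
#!/bin/bash
# Preflight checks for a Wazuh YARA active-response deployment.
# Added example, not from the thread or from Wazuh. The defaults below are
# assumptions based on the paths mentioned in the thread; override them
# via the environment to match your installation.
AR_SCRIPT="${AR_SCRIPT:-/var/ossec/active-response/bin/yara.sh}"
YARA_BIN="${YARA_BIN:-/usr/bin/yara}"
YARA_RULES="${YARA_RULES:-/var/ossec/active-response/bin/yara-rules/exploit_kits/EK_Sakura.yar}"

# Fails unless the file's octal mode equals the expected one (GNU stat).
check_mode() {
    local path="$1" want="$2" have
    have=$(stat -c '%a' "$path" 2>/dev/null) || { echo "missing: $path"; return 1; }
    if [ "$have" != "$want" ]; then
        echo "bad mode on $path: have $have, want $want"
        return 1
    fi
    return 0
}

# Fails unless the file is owned by the expected user:group (GNU stat).
check_owner() {
    local path="$1" want="$2" have
    have=$(stat -c '%U:%G' "$path" 2>/dev/null) || { echo "missing: $path"; return 1; }
    [ "$have" = "$want" ] || { echo "bad owner on $path: have $have, want $want"; return 1; }
}

# yara's rules argument must be a readable rules file, not a directory.
check_rules() {
    local rules="$1"
    if [ -d "$rules" ]; then
        echo "rules path is a directory, yara expects a rules file: $rules"
        return 1
    fi
    [ -r "$rules" ] || { echo "rules file unreadable: $rules"; return 1; }
}

# Runs every check; the return code is the number of failed checks.
preflight() {
    local failures=0
    check_mode "$AR_SCRIPT" 750 || failures=$((failures + 1))
    check_owner "$AR_SCRIPT" root:ossec || failures=$((failures + 1))
    [ -x "$YARA_BIN" ] || { echo "yara binary not executable: $YARA_BIN"; failures=$((failures + 1)); }
    check_rules "$YARA_RULES" || failures=$((failures + 1))
    return "$failures"
}

preflight && echo "all checks passed" || echo "$? check(s) failed"
```

Run it on the agent where yara.sh lives; each failing check prints its reason, so a directory passed as `-yara_rules` or a script that execd cannot run because of its mode shows up before you touch the FIM-monitored folder.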

Juan Romero

Aug 4, 2020, 8:08:12 AM8/4/20
to Wazuh mailing list
Hi Juan:

Thanks for your answer, appreciated.

Yes, ownership and permissions on the script are assigned as you suggest. Also, as I mentioned earlier, I don't think the AR process even starts or gets triggered on the manager. The active response logs on the agent don't show anything.

I'll keep testing this and see if I can find what the issue is.

Cheers

Juan.

Juan Cabrera

Aug 5, 2020, 3:15:49 AM8/5/20
to Wazuh mailing list
Hi Juan,

You can check if the `active response` module is working properly. To do this, append a real rule path to -yara_rules, for example: `/var/ossec/active-response/bin/yara-rules/exploit_kits/EK_Sakura.yar`.

Then, create a file that matches that rule inside a real-time FIM-monitored folder. A new alert should be generated.

Best regards,
Juan

Juan Romero

Aug 5, 2020, 4:54:15 AM8/5/20
to Wazuh mailing list
Hi mate,

Thanks for getting back.

I finally got this working but with a couple of tweaks:

  • Had to get rid of the extra args in the command section. This is not a big deal in my case because the path for the yara binary and rule file to use won't change.
  • This also means that I had to slightly change the yara.sh script on the agent, removing all references to these two extra args.
After that, AR triggered as expected and alerts (if malware detected) were generated as well.
There's a caveat, though, not directly related to AR: if the file name has spaces, the yara.sh script doesn't execute. The manager passes along the file name, which is not the problem, but the spaces in the file name are treated as if they separated different params passed on to the script.

Configs I used to get it working:
Here's the command section on the manager:

<command>
    <name>yara</name>
    <executable>yara.sh</executable>
    <expect>filename</expect>
    <timeout_allowed>no</timeout_allowed>
</command>

And here's the yara.sh:

#!/bin/bash
# Wazuh - YARA active response
# Copyright (C) 2015-2020, Wazuh Inc.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.

#------------------------- Gather parameters -------------------------#

# Static active response parameters.
# The file name is the 8th positional argument. execd splits its message on
# spaces, so a path containing spaces arrives as several arguments; since no
# extra_args follow it in this command definition, dropping the first seven
# arguments and rejoining the rest recovers the path.
LOCAL=$(dirname "$0")

# Extra arguments (-yara_path / -yara_rules) removed: both paths are fixed below.

# Move to the active response folder
cd "$LOCAL/.." || exit 1

# Set LOG_FILE path (absolute; the relative form is kept for reference)
#LOG_FILE="$(pwd)/../logs/active-responses.log"
LOG_FILE="/var/ossec/logs/active-responses.log"

#----------------------- Analyze parameters -----------------------#

# The YARA_PATH/YARA_RULES mandatory-parameter check is gone with the extra
# args; instead make sure a file name was actually received.
if [ "$#" -lt 8 ]; then
    echo "wazuh-yara: error: no file name received (got $# arguments)." >> "${LOG_FILE}"
    exit 1
fi
shift 7
FILENAME="$*"

#------------------------- Main workflow --------------------------#

# Execute YARA scan on the specified filename
# (-C: load compiled rules, -w: suppress warnings, -r: recurse into directories)
yara_output=$(/usr/bin/yara -C -w -r /usr/share/yara/valhalla-rules-compiled.yar "$FILENAME")
#yara_output=$(${YARA_PATH}/yara -w -r $YARA_RULES $FILENAME)

if [[ -n $yara_output ]]
then
    # Iterate every detected rule and append it to the LOG_FILE
    while IFS= read -r line; do
        echo "wazuh-yara: info: $line" >> "${LOG_FILE}"
    done <<< "$yara_output"
fi

exit 1;

Thanks for your help :-)

Regards

Juan.
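An offline harness for the caveat in the message above: execd splits its message on spaces, so a path such as `/tmp/evil file.exe` reaches the script as two positional parameters, and a script that only reads `$8` scans the wrong path. This is an added example, not code from the thread or from Wazuh. It assumes, as the posted yara.sh does, that the path starts at the eighth positional parameter and that nothing follows it (the extra_args were removed); SCANNER, RULES and LOG_FILE are overridable so it can run without yara or a Wazuh install, the scanner output format assumed is yara's default `RULE_NAME path`, and the seven leading fields in the usage line are placeholders, not a description of what execd sends.

```shell
#!/bin/bash
# Harness for the AR script's argument handling and log formatting.
# Added example, not part of the thread or of Wazuh. Defaults are assumptions
# taken from the posted yara.sh; override them via the environment.
SCANNER="${SCANNER:-/usr/bin/yara}"
RULES="${RULES:-/usr/share/yara/valhalla-rules-compiled.yar}"
LOG_FILE="${LOG_FILE:-/var/ossec/logs/active-responses.log}"

# execd splits its message on spaces, so "/tmp/evil file.exe" arrives as two
# parameters ($8 and $9). Dropping the seven leading fields and rejoining the
# remainder with single spaces recovers the path. Runs of consecutive spaces
# in the original name are collapsed to one; that limitation remains.
target_path() {
    shift 7
    printf '%s' "$*"
}

# Turns scanner output ("RULE_NAME /path") into one log line per match,
# in the same format the posted script writes.
format_matches() {
    while IFS= read -r line; do
        [ -n "$line" ] && printf 'wazuh-yara: info: %s\n' "$line"
    done
    return 0
}

# Full pipeline: rebuild the path, scan it, append matches to LOG_FILE.
# Returns 0 when at least one rule matched, 1 when nothing matched and
# 2 when the scanner itself failed (its stderr goes to the log as an error
# line instead of being silently dropped). Add -C to the scanner flags when
# RULES is a compiled rules file, as the posted script does.
scan_from_ar_args() {
    local path output
    path=$(target_path "$@")
    if ! output=$("$SCANNER" -w -r "$RULES" "$path" 2>&1); then
        printf 'wazuh-yara: error: scan failed for %s: %s\n' "$path" "$output" >> "$LOG_FILE"
        return 2
    fi
    [ -n "$output" ] || return 1
    printf '%s\n' "$output" | format_matches >> "$LOG_FILE"
    return 0
}

# When execd invokes the script, the fields are already on the command line.
[ "$#" -ge 8 ] && scan_from_ar_args "$@"
```

Invoke it the way execd would, e.g. `LOG_FILE=/tmp/ar.log sh harness.sh f1 f2 f3 f4 f5 f6 f7 /tmp/evil file.exe` (f1..f7 are placeholders for the leading fields): exit 0 means a match was logged, 1 means no match, 2 means yara failed and the reason is in the log rather than lost.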

Juan Cabrera

Aug 5, 2020, 5:56:54 AM8/5/20
to Wazuh mailing list
Hi!

Happy to know that your problem has been solved. Thanks for your feedback :)

Regards
Juan