###########################Wazuh Manager############
nano /var/ossec/etc/ossec.conf
<!-- Active-response command definition (manager side): runs yara.sh from the
     agent's active-response/bin directory whenever the response below fires. -->
<command>
<name>yara</name>
<executable>yara.sh</executable>
<!-- "filename" hands the alert's file path to the script; yara.sh reads it
     from its 8th positional argument (FILENAME=$8). -->
<expect>filename</expect>
<!-- Replace both placeholders. yara.sh scans these words one by one for
     -yara_path / -yara_rules, so neither path may contain whitespace. -->
<extra_args>-yara_path /path/to/yara -yara_rules /path/to/rules</extra_args>
<timeout_allowed>no</timeout_allowed>
</command>
<!-- Bind the command to rules 550 and 554; "local" runs it on the agent that
     produced the alert. NOTE(review): 550/554 are the stock syscheck
     file-modified / file-added rule ids in Wazuh's default ruleset; confirm
     against the ruleset in use before relying on them. -->
<active-response>
<command>yara</command>
<location>local</location>
<rules_id>550,554</rules_id>
</active-response>
nano /var/ossec/etc/decoders/yara_decoders.xml
<!-- Parent decoder: every line yara.sh appends to active-responses.log starts
     with the literal prefix "wazuh-yara: ". -->
<decoder name="yara">
<prematch>wazuh-yara: </prematch>
</decoder>
<!-- Match lines, written as "info: <rule_name> <file_path>": the rule name is
     the first non-space token, the file path is the remainder of the line
     (so paths containing spaces are still captured whole). -->
<decoder name="yara">
<parent>yara</parent>
<regex offset="after_parent">info: (\S+) (\.+)</regex>
<order>yara_rule, file_path</order>
</decoder>
<!-- Error lines, written as "error: <message>" by the script's parameter check. -->
<decoder name="yara">
<parent>yara</parent>
<regex offset="after_parent">error: (\.+)</regex>
<order>error_message</order>
</decoder>
nano /var/ossec/etc/rules/yara_rules.xml
<!-- Rules built on the "yara" decoder. Ids 100100-100102 are in the custom
     range; NOTE(review): make sure they do not collide with other local rules. -->
<group name="yara,">
<!-- Level-0 parent: groups every decoded yara line without alerting on its own. -->
<rule id="100100" level="0">
<decoded_as>yara</decoded_as>
<description>YARA rules grouped.</description>
</rule>
<!-- Script failure (missing parameters) - the error_message field is set. -->
<rule id="100101" level="5">
<if_sid>100100</if_sid>
<field name="error_message">\.+</field>
<description>YARA error detected.</description>
</rule>
<!-- A YARA rule matched the scanned file; the matched rule name is
     interpolated into the alert description. -->
<rule id="100102" level="10">
<if_sid>100100</if_sid>
<field name="yara_rule">\.+</field>
<description>YARA $(yara_rule) detected.</description>
</rule>
</group>
##################Wazuh Agent####################
nano /var/ossec/active-response/bin/yara.sh
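#!/bin/bash
# yara.sh - Wazuh active-response script.
#
# Scans the file named in the triggering alert with YARA and appends one
# "wazuh-yara: ..." line per result to active-responses.log, where the yara
# decoders and rules configured on the manager pick it up.
#
# Invocation (legacy argv-style active response): the static alert fields come
# first and the alert's file path is the 8th positional argument; the
# <extra_args> from ossec.conf follow and are scanned for:
#   -yara_path  <dir>    directory containing the yara binary
#   -yara_rules <file>   YARA rules file (or index) to scan with
# NOTE(review): the $8 layout is kept from the original script; confirm it
# matches the execd version in use (newer agents pass a JSON alert on stdin).
#
# Log lines written (the manager-side decoders depend on these formats):
#   wazuh-yara: info: <rule_name> <file_path>     one per YARA match
#   wazuh-yara: error: <message>                  parameter / scan failure
#
# Exit status: 0 on a completed scan (with or without matches), 1 on any
# error. NOTE(review): the original exited 1 unconditionally; execd is not
# believed to act on the status, but confirm before relying on it.

#------------------------- Gather parameters -------------------------#
# Static active response parameter: the path reported by the alert. It is
# attacker-influenced (any file activity on the host creates it), so it is
# only ever passed as a quoted argument and never evaluated.
FILENAME=${8-}
LOCAL=$(dirname "$0")

# Extra arguments. Every positional argument is inspected instead of the
# original pair-wise shifting, so an empty or missing static argument can no
# longer desynchronise the parser or stop it before the options are reached.
YARA_PATH=
YARA_RULES=
while [ $# -gt 0 ]; do
  case "$1" in
    -yara_path)
      YARA_PATH=${2-}
      shift
      ;;
    -yara_rules)
      YARA_RULES=${2-}
      shift
      ;;
  esac
  # An option given as the very last word leaves nothing to shift.
  if [ $# -gt 0 ]; then
    shift
  fi
done

# Move to the active-response folder (…/active-response) and derive the log
# path from there, exactly as the original did, without clobbering $PWD.
cd "${LOCAL}/.." || exit 1
AR_DIR=$(pwd)
LOG_FILE="${AR_DIR}/../logs/active-responses.log"

# Append one line to the active-response log. Message formats are fixed by
# the decoders; printf avoids echo's option/backslash handling on the data.
log_line() {
  printf 'wazuh-yara: %s\n' "$1" >> "${LOG_FILE}"
}

#----------------------- Analyze parameters -----------------------#
if [ -z "${YARA_PATH}" ] || [ -z "${YARA_RULES}" ]; then
  log_line "error: Yara path and rules parameters are mandatory."
  exit 1
fi

YARA_BIN="${YARA_PATH}/yara"
if [ ! -x "${YARA_BIN}" ]; then
  log_line "error: yara binary not found or not executable: ${YARA_BIN}"
  exit 1
fi

# The alert may refer to a file that is already gone (or to no file at all);
# report that instead of handing yara an empty/dangling argument.
if [ -z "${FILENAME}" ] || [ ! -e "${FILENAME}" ]; then
  log_line "error: scan target missing or not found: ${FILENAME}"
  exit 1
fi

#------------------------- Main workflow --------------------------#
# Execute the YARA scan. stderr is captured together with stdout so that
# rule-compile or scan errors reach the log as "error:" lines instead of being
# lost. -w suppresses warnings, -r recurses when the target is a directory.
yara_output=$("${YARA_BIN}" -w -r "${YARA_RULES}" "${FILENAME}" 2>&1)
yara_status=$?

if [ "${yara_status}" -ne 0 ]; then
  log_line "error: yara exited with status ${yara_status} while scanning ${FILENAME}"
  while IFS= read -r line; do
    [ -n "${line}" ] && log_line "error: ${line}"
  done <<< "${yara_output}"
  exit 1
fi

# One "info:" line per match; yara prints "<rule_name> <file_path>" per hit.
if [ -n "${yara_output}" ]; then
  while IFS= read -r line; do
    [ -n "${line}" ] && log_line "info: ${line}"
  done <<< "${yara_output}"
fi

exit 0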
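# Install the script with the agent's ownership and a non-world-readable mode,
# then restart the agent so execd picks up the new command. Absolute paths are
# used so the commands do not depend on the current working directory.
# NOTE(review): the group is "ossec" on older installs; newer Wazuh releases
# use "wazuh" - match whatever `ls -l /var/ossec/active-response/bin` shows.
chown root:ossec /var/ossec/active-response/bin/yara.sh
chmod 750 /var/ossec/active-response/bin/yara.sh
systemctl restart wazuh-agent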