Create remove positive virustotal threats
1 parent
c8a53c9
commit 79035ab
Showing
1 changed file
with
174 additions
and
0 deletions.
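--- /dev/null
+++ b/<PATH-NOT-SHOWN>
@@ -0,0 +1,174 @@
+Manager side
+Append the following decoder to /var/ossec/etc/decoders/local_decoder.xml
+
+
+<decoder name="ar_log_fields">
+<parent>ar_log</parent>
+<regex offset="after_parent">^(\S+) Removed positive threat located in (\S+)</regex>
+<order>script_name, path</order>
+</decoder>
+
+
+Append the following rule to /var/ossec/etc/rules/local_rules.xml
+<group name="syscheck,virustotal,">
+<rule id="100092" level="12">
+<if_sid>607</if_sid>
+<match>Removed positive</match>
+<description>$(script_name) Removed positive threat located in $(path)</description>
+</rule>
+</group>
+
+
+Place this custom-remove-threat script in /var/ossec/integrations
+
+
+#!/usr/bin/env python
+# Copyright (C) 2017 Wazuh Inc.
+# October 29, 2019.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+# Wazuh, Inc <support@wazuh.com>
+import json
+import sys
+import time
+import os
+from socket import socket, AF_UNIX, SOCK_DGRAM
+# ossec.conf configuration:
+# <command>
+# <name>remove-threat</name>
+# <executable>remove-threat.sh</executable>
+# <expect>filename</expect>
+# <timeout_allowed>no</timeout_allowed>
+# </command>
+# <active-response>
+# <disabled>no</disabled>
+# <command>remove-threat</command>
+# <location>local</location>
+# </active-response>
+# <integration>
+# <name>custom-remove-threat</name>
+# <rule_id>87105</rule_id>
+# <alert_format>json</alert_format>
+# </integration>
+# Global vars
+debug_enabled = True
+pwd = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
+json_alert = {}
+now = time.strftime("%a %b %d %H:%M:%S %Z %Y")
+# Set paths
+log_file = '{0}/logs/integrations.log'.format(pwd)
+socket_addr = '{0}/queue/alerts/ar'.format(pwd)
+def main(args):
+debug("# Starting")
+# Read args
+alert_file_location = args[1]
+debug("# File location")
+debug(alert_file_location)
+# Load alert. Parse JSON object.
+with open(alert_file_location) as alert_file:
+json_alert = json.load(alert_file)
+debug("# Processing alert")
+debug(json_alert)
+# Send event to AR socket
+msg = "(msg_to_agent) [] NNS {0} remove-threat0 - {1}".format(json_alert["agent"]["id"], json_alert["data"]["virustotal"]["source"]["file"])
+send_event(msg)
+def debug(msg):
+if debug_enabled:
+msg = "{0}: {1}\n".format(now, msg)
+print(msg)
+f = open(log_file,"a")
+f.write(msg)
+f.close()
+def send_event(msg):
+sock = socket(AF_UNIX, SOCK_DGRAM)
+sock.connect(socket_addr)
+sock.send(msg.encode())
+sock.close()
+if __name__ == "__main__":
+try:
+# Read arguments
+bad_arguments = False
+if len(sys.argv) >= 2:
+alertfile=sys.argv[1]
+msg = '{0} {1} {2} {3}'.format(now, sys.argv[1], sys.argv[2], sys.argv[3])
+else:
+msg = '{0} Wrong arguments'.format(now)
+bad_arguments = True
+# Logging the call
+f = open(log_file, 'a')
+f.write(msg +'\n')
+f.close()
+if bad_arguments:
+debug("# Exiting: Bad arguments.")
+sys.exit(0)
+# Main function
+main(sys.argv)
+except Exception as e:
+debug('Error:' + str(e))
+raise
+
+
+Set permissions to the custom-remove-threat
+change ownership to root:ossec /var/ossec/integrations/custom-remove-threat
+chmod +x /var/ossec/integrations/custom-remove-threat
+
+
+Manager ossec.conf
+
+<command>
+<name>remove-threat</name>
+<executable>remove-threat.sh</executable>
+<expect>filename</expect>
+<timeout_allowed>no</timeout_allowed>
+</command>
+
+<active-response>
+<disabled>no</disabled>
+<command>remove-threat</command>
+<location>local</location>
+</active-response>
+
+<integration>
+<name>custom-remove-threat</name>
+<rule_id>87105</rule_id>
+<alert_format>json</alert_format>
+</integration>
+
+Systemctl restart wazuh-manager
+
+Agents side
+Place this remove-threat.sh script in /var/ossec/active-response/bin/
+
+#!/bin/bash
+
+# Checking user arguments
+if [ "x$1" == "xdelete" ]; then
+exit 0;
+fi
+
+LOCAL=`dirname $0`;
+cd $LOCAL
+cd ../
+
+PWD=`pwd`
+
+# Removing file
+rm -f $3
+if [ $? -eq 0 ]; then
+echo "`date` $0 Removed positive threat located in $3" >> ${PWD}/../logs/active-responses.log
+else
+echo "`date` $0 Error removing positive threat located in $3" >> ${PWD}/../logs/active-responses.log
+fi
+
+exit 0;
+
+
+Set permissions to the remove-threat.sh
+change ownership to root:ossec /var/ossec/active-response/bin/remove-threat.sh
+chmod +x /var/ossec/active-response/bin/remove-threat.sh
+
+
+Systemctl restart wazuh-agent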
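Review bot: `rm -f $3` in the remove-threat.sh block expands the alert-supplied file path unquoted, so a name containing whitespace or glob characters is word-split and pattern-expanded before `rm` runs and the wrong files can be removed (or the intended one missed); it should be `rm -f "$3"`, and `cd $LOCAL` a few lines above should likewise be `cd "$LOCAL"`. The path reaches the agent from `data.virustotal.source.file` in the custom-remove-threat `main`, which forwards it into the AR message without any check; a guard such as `if not os.path.isabs(path): return` before `send_event(msg)` would keep malformed or relative paths from being acted on (assuming the AR framework passes the value through verbatim — worth confirming). The Python `debug` helper also opens `log_file` without a context manager, so a failed write leaks the handle; `with open(log_file, "a") as f: f.write(msg)` is the usual form. Indentation of the Python block is not visible in this rendering, so its structure could not be checked.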