Objective

In this PoC we combine several Wazuh capabilities to detect malware, launch an active response and send alerts to a Slack channel. The capabilities used are:

· FIM
· Using VirusTotal API
· Active response
· Slack integration

1) Configure FIM

Enable Real-time Monitoring for /tmp:

Agent Configuration

Edit /var/ossec/etc/ossec.conf

Locate the section for File integrity monitoring and add the following line:

<directories realtime="yes">/tmp</directories>

This enables real-time monitoring for changes in the /tmp directory.

Example (excerpt of the syscheck section):

<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>

<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>10</frequency>

<scan_on_start>yes</scan_on_start>

<!-- Directories to check  (perform all possible verifications) -->
<directories>/etc,/usr/bin,/usr/sbin,/tmp</directories>
<directories>/bin,/sbin,/boot</directories>
<directories realtime="yes">/tmp</directories>
<!-- remaining syscheck options omitted -->
</syscheck>

2) Wazuh Server Configuration

2.1 Add Rules for /tmp Changes:

a) Go to the Wazuh server and edit /var/ossec/etc/rules/local_rules.xml

b) Add the following rules within a <group> tag:

<group name="syscheck,pci_dss_11.5,nist_800_53_SI.7,">
    <!-- Rules for Linux systems -->
    <rule id="100200" level="7">
        <if_sid>550</if_sid>
        <field name="file">/tmp</field>
        <description>File modified in /tmp directory.</description>
    </rule>
    <rule id="100201" level="7">
        <if_sid>554</if_sid>
        <field name="file">/tmp</field>
        <description>File added to /tmp directory.</description>
    </rule>
</group>

These rules trigger alerts for file modifications (rule 100200, child of 550) and file additions (rule 100201, child of 554) in the /tmp directory. Note that a <field> value is matched as a regular expression and is not anchored, so /tmp also matches paths such as /var/tmp/x; use ^/tmp/ if only the top-level /tmp directory should match.

2.2 Enable VirusTotal Integration:

a) Edit /var/ossec/etc/ossec.conf on the Wazuh server.

b) Add the following configuration inside the <ossec_config> block to enable the VirusTotal integration:

<ossec_config>
    <integration>
        <name>virustotal</name>
        <api_key>YOUR_VIRUS_TOTAL_API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
        <rule_id>100200,100201</rule_id>
        <alert_format>json</alert_format>
    </integration>
</ossec_config>


Replace YOUR_VIRUS_TOTAL_API_KEY with your VirusTotal API key. With this configuration the manager sends a VirusTotal query for the file whenever rule 100200 or 100201 fires, that is, whenever a file change is detected in /tmp.

2.3 Obtaining VirusTotal API Key:

VirusTotal offers both a free Public API, with limitations such as a capped number of requests per day and a capped rate of requests per minute, and a Private API for premium accounts.

1) Create a free account on VirusTotal (https://www.virustotal.com/).

2) Navigate to the user menu (top right corner) and select "API Key".

3) Copy your API key for use in the configuration.

3. Testing VirusTotal Integration:

On the agent side, download an EICAR test file (harmless) to /tmp:

sudo curl -Lo /tmp/eicar.com https://secure.eicar.org/eicar.com

You should observe alerts triggered in the Wazuh console:

  • 100201: File added to /tmp directory
  • 87105: VirusTotal Alert - /tmp/eicar.com - Detected by multiple engines

4. Active Response for Malware Removal:

Deleting malicious files from agents

4.1 Create Active Response Script:

a) On the Wazuh agent, create a file named remove-threat.sh in /var/ossec/active-response/bin/

Wazuh ships many default active response scripts, for example for disabling an account or blocking an IP. In our case we create a custom active response script that deletes malicious files dropped in the /tmp directory. We use the script suggested in the Wazuh PoC guide.

Script data:

#!/bin/bash
# Active response script: removes the file that VirusTotal flagged.
# wazuh-execd runs it with the alert JSON on stdin and expects the
# check_keys/continue exchange below before the action is taken.

LOCAL=$(dirname "$0")
cd "$LOCAL" || exit 1
cd ../ || exit 1

AR_DIR=$(pwd)   # /var/ossec/active-response

read -r INPUT_JSON
FILENAME=$(echo "$INPUT_JSON" | jq -r .parameters.alert.data.virustotal.source.file)
COMMAND=$(echo "$INPUT_JSON" | jq -r .command)
LOG_FILE="${AR_DIR}/../logs/active-responses.log"

#------------------------ Analyze command -------------------------#
if [ "${COMMAND}" = "add" ]
then
 # Send control message to execd and wait for its reply
 printf '{"version":1,"origin":{"name":"remove-threat","module":"active-response"},"command":"check_keys", "parameters":{"keys":[]}}\n'

 read -r RESPONSE
 COMMAND2=$(echo "$RESPONSE" | jq -r .command)
 if [ "${COMMAND2}" != "continue" ]
 then
  echo "$(date '+%Y/%m/%d %H:%M:%S') $0: $INPUT_JSON Remove threat active response aborted" >> "${LOG_FILE}"
  exit 0
 fi
fi

# Removing file (quoted so paths containing spaces are handled)
if rm -f "$FILENAME"; then
 echo "$(date '+%Y/%m/%d %H:%M:%S') $0: $INPUT_JSON Successfully removed threat" >> "${LOG_FILE}"
else
 echo "$(date '+%Y/%m/%d %H:%M:%S') $0: $INPUT_JSON Error removing threat" >> "${LOG_FILE}"
fi

exit 0

b) Set permissions and ownership, install jq (the script uses it to parse the JSON it receives) and restart the agent:

vim /var/ossec/active-response/bin/remove-threat.sh   # paste the script above
sudo chmod 750 /var/ossec/active-response/bin/remove-threat.sh
sudo chown root:wazuh /var/ossec/active-response/bin/remove-threat.sh
sudo apt update
sudo apt -y install jq
sudo systemctl restart wazuh-agent
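
The following is an added Python model of the exchange above, not the page's script or Wazuh code: it reproduces the script's control flow (read the alert, answer with check_keys on an "add" command, act only after execd replies "continue", then remove the file and write the same log line format) so the logic can be exercised without a manager. The alert and reply messages are constructed samples shaped after the fields the script reads; the is_confined check, which refuses to delete anything outside the monitored directory, is an added hardening step and not part of the page's script.

```python
import json
import os
from datetime import datetime


def make_alert(path, command="add"):
    """Constructed sample of the message wazuh-execd writes to the script's
    stdin. Only .command and .parameters.alert.data.virustotal.source.file
    are read by the page's script; the remaining fields are illustrative."""
    return {
        "version": 1,
        "origin": {"name": "node01", "module": "wazuh-execd"},
        "command": command,
        "parameters": {
            "extra_args": [],
            "alert": {
                "rule": {"id": "87105", "level": 12},
                "data": {"virustotal": {"source": {"file": path}, "malicious": "1"}},
            },
            "program": "active-response/bin/remove-threat.sh",
        },
    }


# Constructed replies execd sends after the script's check_keys message.
CONTINUE_REPLY = {"version": 1, "origin": {"name": "node01", "module": "wazuh-execd"},
                  "command": "continue", "parameters": {}}
ABORT_REPLY = dict(CONTINUE_REPLY, command="abort")


def check_keys_message():
    """Same control message the page's script prints before acting."""
    return {"version": 1,
            "origin": {"name": "remove-threat", "module": "active-response"},
            "command": "check_keys", "parameters": {"keys": []}}


def target_path(alert_message):
    """The JSON path the script extracts with jq."""
    return alert_message["parameters"]["alert"]["data"]["virustotal"]["source"]["file"]


def is_confined(path, root):
    """Hypothetical hardening (not on the page): act only on files that really
    live under `root` after resolving symlinks, so a malformed alert cannot
    remove files elsewhere on the host."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    return real_path != real_root and os.path.commonpath([real_root, real_path]) == real_root


def remove_threat(alert_message, execd_reply, root, log_lines):
    """Mirror the script's flow and return what happened:
    'aborted' - command was 'add' but execd did not answer 'continue'
    'refused' - flagged path lies outside `root` (added check)
    'removed' - file deleted, or already gone (rm -f semantics)
    'error'   - deletion failed for another reason
    Log lines use the page's format: '<stamp> <program>: <alert json> <status>'."""
    stamp = datetime.now().strftime("%Y/%m/%d %H:%M:%S")
    program = alert_message["parameters"]["program"]
    raw = json.dumps(alert_message, separators=(",", ":"))
    filename = target_path(alert_message)

    def log(status):
        log_lines.append(f"{stamp} {program}: {raw} {status}")

    if alert_message["command"] == "add":
        # Here the real script prints check_keys_message() and reads the reply.
        if execd_reply is None or execd_reply.get("command") != "continue":
            log("Remove threat active response aborted")
            return "aborted"

    if not is_confined(filename, root):
        log(f"Refused to remove file outside {root}")
        return "refused"

    try:
        os.remove(filename)
    except FileNotFoundError:
        pass  # rm -f does not treat a missing file as an error
    except OSError:
        log("Error removing threat")
        return "error"
    log("Successfully removed threat")
    return "removed"


if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()
    victim = os.path.join(root, "eicar.com")
    open(victim, "w").close()
    entries = []
    print(remove_threat(make_alert(victim), CONTINUE_REPLY, root, entries), entries[-1])
```

Running the module creates a scratch directory in place of /tmp, drops an empty stand-in for eicar.com and drives the "add" path through to removal; feeding ABORT_REPLY or a path outside the directory shows the two ways the action is refused.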

5. Enable Active Response on the Wazuh server

Append the following blocks to /var/ossec/etc/ossec.conf. This enables Active Response and runs the remove-threat.sh script whenever VirusTotal flags a file as malicious (rule 87105).

<ossec_config>
    <command>
        <name>remove-threat</name>
        <executable>remove-threat.sh</executable>
        <timeout_allowed>no</timeout_allowed>
    </command>

    <active-response>
        <disabled>no</disabled>
        <command>remove-threat</command>
        <location>local</location>
        <rules_id>87105</rules_id>
    </active-response>
</ossec_config>

For more visibility into the result of the active response (threat successfully removed, or error removing threat), add the following rules (IDs 100092 and 100093) to /var/ossec/etc/rules/local_rules.xml on the Wazuh server. They match on the status text the script appends to the active response log:

<group name="virustotal,">
    <rule id="100092" level="12">
        <if_sid>657</if_sid>
        <match>Successfully removed threat</match>
        <description>$(parameters.program) removed threat located at $(parameters.alert.data.virustotal.source.file)</description>
    </rule>

    <rule id="100093" level="12">
        <if_sid>657</if_sid>
        <match>Error removing threat</match>
        <description>Error removing threat located at $(parameters.alert.data.virustotal.source.file)</description>
    </rule>
</group>
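
As an added example, not part of the page or of Wazuh, the snippet below parses lines in the format remove-threat.sh writes to active-responses.log and applies the same <match> strings as rules 100092 and 100093, producing the descriptions those rules would emit (the $(parameters.program) and $(parameters.alert.data.virustotal.source.file) placeholders are filled from the JSON embedded in the line). The log lines are constructed samples; the JSON in them is illustrative, not a real alert capture.

```python
import json
import re

# Constructed sample of /var/ossec/logs/active-responses.log lines in the
# format the page's script writes: "<stamp> <script>: <alert json> <status>".
SAMPLE_LOG = "\n".join([
    '2025/01/01 10:00:01 /var/ossec/active-response/bin/remove-threat.sh: '
    '{"version":1,"command":"add","parameters":{"program":"active-response/bin/remove-threat.sh",'
    '"alert":{"rule":{"id":"87105"},"data":{"virustotal":{"source":{"file":"/tmp/eicar.com"}}}}}} '
    'Successfully removed threat',
    '2025/01/01 10:00:05 /var/ossec/active-response/bin/remove-threat.sh: '
    '{"version":1,"command":"add","parameters":{"program":"active-response/bin/remove-threat.sh",'
    '"alert":{"rule":{"id":"87105"},"data":{"virustotal":{"source":{"file":"/tmp/locked.bin"}}}}}} '
    'Error removing threat',
    '2025/01/01 10:00:09 /var/ossec/active-response/bin/remove-threat.sh: '
    '{"version":1,"command":"add","parameters":{"program":"active-response/bin/remove-threat.sh",'
    '"alert":{"rule":{"id":"87105"},"data":{"virustotal":{"source":{"file":"/tmp/eicar.com"}}}}}} '
    'Remove threat active response aborted',
    'garbage line without json',
])

# timestamp, script path, embedded JSON object (greedy: status text has no braces), status
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\S+): (\{.*\}) (.+)$")

# Mirror of the two custom rules: (rule id, <match> string, description template)
RULES = [
    ("100092", "Successfully removed threat", "{program} removed threat located at {file}"),
    ("100093", "Error removing threat", "Error removing threat located at {file}"),
]


def parse_line(line):
    """Split one log line into its parts; None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp, script, payload, status = m.groups()
    try:
        alert = json.loads(payload)
    except json.JSONDecodeError:
        return None
    params = alert.get("parameters", {})
    source = params.get("alert", {}).get("data", {}).get("virustotal", {}).get("source", {})
    return {"timestamp": stamp, "script": script, "status": status,
            "program": params.get("program"), "file": source.get("file")}


def classify(entry):
    """Return (rule id, rendered description) for the first rule whose <match>
    string occurs in the status text, or None when no custom rule applies."""
    for rule_id, needle, template in RULES:
        if needle in entry["status"]:
            return rule_id, template.format(program=entry["program"], file=entry["file"])
    return None


def scan(log_text):
    """Run every line through the parser and the rule table."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        result = classify(entry)
        if result:
            hits.append((entry["timestamp"], result[0], result[1]))
    return hits


if __name__ == "__main__":
    for stamp, rule_id, description in scan(SAMPLE_LOG):
        print(stamp, rule_id, description)
```

The aborted line is parsed but matches neither rule, which is exactly what happens in Wazuh: without a third rule for "Remove threat active response aborted" that outcome is only visible in the log file, so consider adding one if you want it alerted on.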

6. Testing

Now restart the Wazuh manager to apply the configuration changes:

sudo systemctl restart wazuh-manager

Then, on the agent, download the EICAR test file (harmless, but detected as malicious by AV engines) again:

sudo curl -Lo /tmp/eicar.com https://secure.eicar.org/eicar.com

We can see the following alerts triggered in the console:

· 100201: File added to /tmp directory
· 87105: VirusTotal: Alert - /tmp/eicar.com - 66 engines detected this file
· 553: File deleted
· 100092: active-response/bin/remove-threat.sh removed threat located at /tmp/eicar.com

If we examine /tmp on the Wazuh agent, the file has already been removed.

7. Slack integration

a. Create a Slack workspace and a new channel if they do not already exist:

· workspace name: Wazuh Integration
· channel name: Wazuh Integration

[Create a Slack account](https://slack.com/get-started#/createnew)

b. Create a Slack app: choose the option "From scratch", set the App Name to Test Wazuh Integration, choose the workspace Wazuh Integration, then create the app.

c. In the Test Wazuh Integration app go to Incoming Webhooks -> Activate Incoming Webhooks (on) -> Add New Webhook to Workspace, and copy the webhook URL.

d. Go to the Wazuh server and edit the /var/ossec/etc/ossec.conf file.

Add the following block:

<ossec_config>
    <integration>
        <name>slack</name>
        <hook_url>WEBHOOK_URL</hook_url> <!-- Replace with your Slack incoming webhook URL -->
        <rule_id>87105,100092</rule_id>
        <alert_format>json</alert_format>
        <options>{"pretext": "Malware Spotted"}</options> <!-- Replace with your custom JSON object -->
    </integration>
</ossec_config>


Replace the webhook URL placeholder with the one you created in step c. Only the VirusTotal alert (87105) and the successful-removal alert (100092) are forwarded; the pretext in <options> is added to the Slack message.

Restart the Wazuh manager:

systemctl restart wazuh-manager

8. Slack integration testing

On the agent, download the EICAR test file once more:

sudo curl -Lo /tmp/eicar.com https://secure.eicar.org/eicar.com

The resulting alerts for rules 87105 and 100092 are delivered to the Slack channel with the "Malware Spotted" pretext.

References

Medium

Wazuh documentation


© 2025 Jatin Sharma. All rights reserved.