wazuh / wazuh-cloudformation

Wazuh - Amazon AWS Cloudformation
https://wazuh.com

Update virustotal configuration to accept Windows paths #26

Closed jm404 closed 4 years ago

jm404 commented 4 years ago

The rule 100200 created for Virustotal:

<group name="syscheck,">
  <rule id="100200" level="7">
    <if_sid>550,553,554</if_sid>
    <field name="file">^/tmp</field>
    <description>File modified or created in /tmp directory.</description>
  </rule>
</group>

Only matches strings with /tmp in it. It causes the Windows agents to fail when trying to match such rule as there is no such folder in Windows.

It's required to update that folder in order to grant compatibility with Windows paths and also give a more descriptive name like virus for example.

Tasks:

Best regards

Jose

jm404 commented 4 years ago

Update Virustotal rule

The preconfigured Virustotal rule has been updated to:

<group name="syscheck,">
  <rule id="100200" level="7">
    <if_sid>550,553,554</if_sid>
    <field name="file">\S*/virus|\S*\\virus</field>
    <description>File modified or created in /virus directory.</description>
  </rule>
</group>

Now it accepts Windows and Linux paths without troubles.
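To see what the old and new `<field name="file">` regexes actually fire on, here is an added example that is not from the issue or the wazuh-cloudformation repository. It runs both patterns over constructed sample paths with Python's `re` module, which is assumed here to approximate Wazuh's own regex engine for these two patterns (the dialects are not identical, so confirm against a real agent before relying on it). The `virusscan` path is included to show that the unanchored `/virus` also matches directory names that merely start with `virus`.

```python
import re

# Rule regexes exactly as they appear in the thread. Assumption: Python's re
# stands in for Wazuh's regex engine for these two patterns.
OLD_PATTERN = r"^/tmp"
NEW_PATTERN = r"\S*/virus|\S*\\virus"

# Constructed sample values for a FIM event's "file" field (not real data).
SAMPLE_PATHS = [
    "/tmp/dropper.sh",                      # old rule fires, new rule does not
    "/virus/sample.bin",                    # Linux path the new rule targets
    r"C:\virus\sample.exe",                 # Windows path the new rule targets
    r"C:\Users\alice\Documents\report.docx",
    "/home/alice/notes.txt",
    "/srv/virusscan/quarantine.log",        # edge case: "/virus" is only a prefix here
]


def matches_rule(pattern: str, path: str) -> bool:
    """True when the rule's <field name="file"> regex fires on this path.

    re.search is used because the rule's pattern is not anchored at the end
    and the new pattern is not anchored at the start either.
    """
    return re.search(pattern, path) is not None


def evaluate(pattern: str, paths=SAMPLE_PATHS) -> list[str]:
    """Return the paths in `paths` that would raise rule 100200 under `pattern`."""
    return [p for p in paths if matches_rule(pattern, p)]


if __name__ == "__main__":
    for label, pattern in (("old", OLD_PATTERN), ("new", NEW_PATTERN)):
        print(f"{label} pattern {pattern!r} fires on:")
        for p in evaluate(pattern):
            print("   ", p)
```

Running it shows the old pattern ignoring every Windows path and the new one catching both `/virus/...` and `C:\virus\...`, but also `/srv/virusscan/...`; if that kind of false positive matters in your deployment, a trailing separator in the pattern (for example `/virus/` and `\\virus\\`) would tighten it to the directory itself.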