wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Escape the agent's ip in VirusTotal integration #3568

Closed QU3B1M closed 2 years ago

QU3B1M commented 2 years ago
| Target version | Related issue | Related PR |
|---|---|---|
| 4.4.0 | #15286 | 15300 |

Description

This issue is to test the VirusTotal alerts that include the agent's IPv6; it should escape the special character `:`, and every VirusTotal alert should come with the IPv6 correctly parsed.

Link to a guide to reproduce a VirusTotal event.

Proposed checks

Configuration and considerations

QU3B1M commented 2 years ago

Review data

| Tester | PR commit |
|---|---|
| @QU3B1M | 9faa01f |

Testing environment

| OS | OS version | Deployment | Image/AMI | Notes |
|---|---|---|---|---|
| Ubuntu | 20.04 | LOCAL \| Vagrant | ubuntu/focal64 | |

Tested packages

| wazuh-manager | wazuh-agent |
|---|---|
| fixed-deb | fixed-deb |
| unfixed-deb | unfixed-deb |

Status

Conclusion :green_circle:

The testing was successful :green_circle:.

QU3B1M commented 2 years ago

Testing results

Unfixed

Error reproduction

1. Install `wazuh-manager`
2. Install `wazuh-agent`
3. Configure VirusTotal following [this guide](https://github.com/wazuh/wazuh/wiki/Proof-of-concept-guide#detecting-and-removing-malware---virustotal-integration)
4. Add the `IPv6` configuration

   ```xml
   secure 1514 tcp yes 131072 no 1515 yes
   ```

5. Generate the VirusTotal alerts ([guide](https://github.com/wazuh/wazuh/wiki/Proof-of-concept-guide#blocking-a-malicious-actor---ip-reputation))
6. Check the debug format

   ```log
   2022/11/08 18:42:13 wazuh-integratord[161538] integrator.c:403 at OS_IntegratorD(): DEBUG: integratord: Tue Nov 08 18:42:12 UTC 2022: 1:[001] (agent) FE80:0000:0000:0000:0A00:27FF:FEA2:6BFD->virustotal:{"virustotal": {"found": 1, "malicious": 1, "source": {"alert_id": "1667932930.1099209", "file": "/root/eicar.com", "md5": "44d88612fea8a8f36de82e1278abb02f", "sha1": "3395856ce81f2b7382dee72602f798b642f14140"}, "sha1": "3395856ce81f2b7382dee72602f798b642f14140", "scan_date": "2022-11-08 18:25:33", "positives": 64, "total": 68, "permalink": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection/f-275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f-1667931933"}, "integration": "virustotal"}
   ```

Upgrade

Upgrade process :green_circle:

- Upgrade `wazuh-manager`

  ```bash
  dpkg -i wazuh-manager_4.4.0-0.commit9faa01f_amd64.deb
  ```

  ```log
  dpkg: warning: downgrading wazuh-manager from 4.4.0-4.4.0.base.test to 4.4.0-0.commit9faa01f
  (Reading database ... 60546 files and directories currently installed.)
  Preparing to unpack wazuh-manager_4.4.0-0.commit9faa01f_amd64.deb ...
  Unpacking wazuh-manager (4.4.0-0.commit9faa01f) over (4.4.0-4.4.0.base.test) ...
  Setting up wazuh-manager (4.4.0-0.commit9faa01f) ...
  Processing triggers for systemd (245.4-4ubuntu3.17) ...
  ```

- Upgrade `wazuh-agent`

  ```bash
  dpkg -i wazuh-agent_4.4.0-0.commit9faa01f_amd64.deb
  ```

  ```log
  dpkg: warning: downgrading wazuh-agent from 4.4.0-4.4.0.base.test to 4.4.0-0.commit9faa01f
  (Reading database ... 41412 files and directories currently installed.)
  Preparing to unpack .../wazuh-agent_4.4.0-0.commit9faa01f_amd64.deb ...
  Unpacking wazuh-agent (4.4.0-0.commit9faa01f) over (4.4.0-4.4.0.base.test) ...
  Setting up wazuh-agent (4.4.0-0.commit9faa01f) ...
  Processing triggers for systemd (245.4-4ubuntu3.17) ...
  ```
- Alerts from VirusTotal are parsed correctly :green_circle:

  - Raise an alert with VirusTotal integration on IPv6 :green_circle:

    1. Configure VirusTotal following [this guide](https://github.com/wazuh/wazuh/wiki/Proof-of-concept-guide#detecting-and-removing-malware---virustotal-integration)
    2. Add the `IPv6` configuration

       ```xml
       secure 1514 tcp yes 131072 no 1515 yes
       ```

    3. Generate the VirusTotal alerts ([guide](https://github.com/wazuh/wazuh/wiki/Proof-of-concept-guide#blocking-a-malicious-actor---ip-reputation))
    4. Check the alert and the debug log formats are correct

       `debug log`

       ```log
       2022/11/08 18:52:49 wazuh-integratord[200076] integrator.c:412 at OS_IntegratorD(): DEBUG: integratord: Tue Nov 08 18:52:48 UTC 2022: 1:[001] (agent) FE80|:0000|:0000|:0000|:0A00|:27FF|:FEA2|:6BFD->virustotal:{"virustotal": {"found": 1, "malicious": 1, "source": {"alert_id": "1667933567.1104048", "file": "/root/eicar.com", "md5": "44d88612fea8a8f36de82e1278abb02f", "sha1": "3395856ce81f2b7382dee72602f798b642f14140"}, "sha1": "3395856ce81f2b7382dee72602f798b642f14140", "scan_date": "2022-11-08 18:46:08", "positives": 63, "total": 68, "permalink": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection/f-275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f-1667933168"}, "integration": "virustotal"}
       ```

       `alert`

       ```json
       { "timestamp": "2022-11-08T18:52:49.618+0000", "rule": { "level": 12, "description": "VirusTotal: Alert - /root/eicar.com - 63 engines detected this file", "id": "87105", "mitre": { "id": ["T1203"], "tactic": ["Execution"], "technique": ["Exploitation for Client Execution"] }, "firedtimes": 1, "mail": true, "groups": ["virustotal"], "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"] }, "agent": { "id": "001", "name": "agent", "ip": "FE80:0000:0000:0000:0A00:27FF:FEA2:6BFD" }, "manager": { "name": "vagrant" }, "id": "1667933569.1104669", "decoder": { "name": "json" }, "data": { "virustotal": { "found": "1", "malicious": "1", "source": { "alert_id": "1667933567.1104048", "file": "/root/eicar.com", "md5": "44d88612fea8a8f36de82e1278abb02f", "sha1": "3395856ce81f2b7382dee72602f798b642f14140" }, "sha1": "3395856ce81f2b7382dee72602f798b642f14140", "scan_date": "2022-11-08 18:46:08", "positives": "63", "total": "68", "permalink": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection/f-275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f-1667933168" }, "integration": "virustotal" }, "location": "virustotal" }
       ```

  - Raise an alert with VirusTotal integration on IPv4 :green_circle:

    1. Configure VirusTotal and generate the alerts following [this guide](https://github.com/wazuh/wazuh/wiki/Proof-of-concept-guide#detecting-and-removing-malware---virustotal-integration)
    2. Check the alert and the debug log formats are correct

       `debug log`

       ```log
       2022/11/08 19:49:26 wazuh-integratord[1522] integrator.c:412 at OS_IntegratorD(): DEBUG: integratord: Tue Nov 08 19:49:25 UTC 2022: 1:[002] (agent-test) 10.0.2.15->virustotal:{"virustotal": {"found": 1, "malicious": 1, "source": {"alert_id": "1667936964.1633502", "file": "/root/eicar.com", "md5": "44d88612fea8a8f36de82e1278abb02f", "sha1": "3395856ce81f2b7382dee72602f798b642f14140"}, "sha1": "3395856ce81f2b7382dee72602f798b642f14140", "scan_date": "2022-11-08 19:46:33", "positives": 64, "total": 68, "permalink": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection/f-275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f-1667936793"}, "integration": "virustotal"}
       ```

       `alert`

       ```json
       { "timestamp": "2022-11-08T19:49:26.429+0000", "rule": { "level": 12, "description": "VirusTotal: Alert - /root/eicar.com - 64 engines detected this file", "id": "87105", "mitre": { "id": ["T1203"], "tactic": ["Execution"], "technique": ["Exploitation for Client Execution"] }, "firedtimes": 2, "mail": true, "groups": ["virustotal"], "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"] }, "agent": { "id": "002", "name": "agent-test", "ip": "10.0.2.15" }, "manager": { "name": "vagrant" }, "id": "1667936966.1634032", "decoder": { "name": "json" }, "data": { "virustotal": { "found": "1", "malicious": "1", "source": { "alert_id": "1667936964.1633502", "file": "/root/eicar.com", "md5": "44d88612fea8a8f36de82e1278abb02f", "sha1": "3395856ce81f2b7382dee72602f798b642f14140" }, "sha1": "3395856ce81f2b7382dee72602f798b642f14140", "scan_date": "2022-11-08 19:46:33", "positives": "64", "total": "68", "permalink": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection/f-275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f-1667936793" }, "integration": "virustotal" }, "location": "virustotal" }
       ```

Fresh install

- Alerts from VirusTotal are parsed correctly :green_circle:

  - Raise an alert with VirusTotal integration on IPv6 :green_circle:

    1. Install `wazuh-manager`
    2. Install `wazuh-agent`
    3. Configure VirusTotal following [this guide](https://github.com/wazuh/wazuh/wiki/Proof-of-concept-guide#detecting-and-removing-malware---virustotal-integration)
    4. Add the `IPv6` configuration

       ```xml
       secure 1514 tcp yes 131072 no 1515 yes
       ```

    5. Generate the VirusTotal alerts ([guide](https://github.com/wazuh/wazuh/wiki/Proof-of-concept-guide#blocking-a-malicious-actor---ip-reputation))
    6. Check the alert and the debug log formats are correct

       `debug log`

       ```log
       2022/11/08 18:59:27 wazuh-integratord[200076] integrator.c:412 at OS_IntegratorD(): DEBUG: integratord: Tue Nov 08 18:59:26 UTC 2022: 1:[001] (agent) FE80|:0000|:0000|:0000|:0A00|:27FF|:FEA2|:6BFD->virustotal:{"virustotal": {"found": 1, "malicious": 1, "source": {"alert_id": "1667933965.1110330", "file": "/root/eicar.com", "md5": "44d88612fea8a8f36de82e1278abb02f", "sha1": "3395856ce81f2b7382dee72602f798b642f14140"}, "sha1": "3395856ce81f2b7382dee72602f798b642f14140", "scan_date": "2022-11-08 18:46:08", "positives": 63, "total": 68, "permalink": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection/f-275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f-1667933168"}, "integration": "virustotal"}
       ```

       `alert`

       ```json
       { "timestamp": "2022-11-08T18:59:27.453+0000", "rule": { "level": 7, "description": "File deleted.", "id": "553", "mitre": { "id": ["T1070.004", "T1485"], "tactic": ["Defense Evasion", "Impact"], "technique": ["File Deletion", "Data Destruction"] }, "firedtimes": 2, "mail": false, "groups": ["ossec", "syscheck", "syscheck_entry_deleted", "syscheck_file"], "pci_dss": ["11.5"], "gpg13": ["4.11"], "gdpr": ["II_5.1.f"], "hipaa": ["164.312.c.1", "164.312.c.2"], "nist_800_53": ["SI.7"], "tsc": ["PI1.4", "PI1.5", "CC6.1", "CC6.8", "CC7.2", "CC7.3"] }, "agent": { "id": "001", "name": "agent", "ip": "FE80:0000:0000:0000:0A00:27FF:FEA2:6BFD" }, "manager": { "name": "vagrant" }, "id": "1667933967.1112323", "full_log": "File '/root/eicar.com' deleted\nMode: realtime\n", "syscheck": { "path": "/root/eicar.com", "mode": "realtime", "size_after": "68", "perm_after": "rw-r--r--", "uid_after": "0", "gid_after": "0", "md5_after": "44d88612fea8a8f36de82e1278abb02f", "sha1_after": "3395856ce81f2b7382dee72602f798b642f14140", "sha256_after": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "uname_after": "root", "gname_after": "root", "mtime_after": "2022-11-08T18:59:25", "inode_after": 1179716, "event": "deleted" }, "decoder": { "name": "syscheck_deleted" }, "location": "syscheck" }
       ```

  - Raise an alert with VirusTotal integration on IPv4 :green_circle:

    1. Install `wazuh-manager`
    2. Install `wazuh-agent`
    3. Configure VirusTotal and generate the alerts following [this guide](https://github.com/wazuh/wazuh/wiki/Proof-of-concept-guide#detecting-and-removing-malware---virustotal-integration)
    4. Check the alert and the debug log formats are correct

       `debug log`

       ```log
       2022/11/08 20:00:51 wazuh-integratord[43552] integrator.c:412 at OS_IntegratorD(): DEBUG: integratord: Tue Nov 08 20:00:50 UTC 2022: 1:[001] (agent-1) 10.0.2.15->virustotal:{"virustotal": {"found": 1, "malicious": 1, "source": {"alert_id": "1667937650.1092977", "file": "/root/eicar.com", "md5": "44d88612fea8a8f36de82e1278abb02f", "sha1": "3395856ce81f2b7382dee72602f798b642f14140"}, "sha1": "3395856ce81f2b7382dee72602f798b642f14140", "scan_date": "2022-11-08 19:49:10", "positives": 65, "total": 68, "permalink": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection/f-275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f-1667936950"}, "integration": "virustotal"}
       ```

       `alert`

       ```json
       { "timestamp": "2022-11-08T20:00:51.638+0000", "rule": { "level": 12, "description": "VirusTotal: Alert - /root/eicar.com - 65 engines detected this file", "id": "87105", "mitre": { "id": ["T1203"], "tactic": ["Execution"], "technique": ["Exploitation for Client Execution"] }, "firedtimes": 1, "mail": true, "groups": ["virustotal"], "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"] }, "agent": { "id": "001", "name": "agent-1", "ip": "10.0.2.15" }, "manager": { "name": "vagrant" }, "id": "1667937651.1093504", "decoder": { "name": "json" }, "data": { "virustotal": { "found": "1", "malicious": "1", "source": { "alert_id": "1667937650.1092977", "file": "/root/eicar.com", "md5": "44d88612fea8a8f36de82e1278abb02f", "sha1": "3395856ce81f2b7382dee72602f798b642f14140" }, "sha1": "3395856ce81f2b7382dee72602f798b642f14140", "scan_date": "2022-11-08 19:49:10", "positives": "65", "total": "68", "permalink": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection/f-275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f-1667936950" }, "integration": "virustotal" }, "location": "virustotal" }
       ```
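The debug lines in the results above show the difference the fix makes: in the unfixed run the agent's IPv6 address reaches the integrator verbatim (`FE80:0000:...`), while after the fix every `:` in it is escaped as `|:` (`FE80|:0000|:...`) and the alert still carries the plain address. The Python below is an added illustration written for this page, not code from the Wazuh project. It models the integrator queue line as `<queue>:<location>:<payload>` with the location written as `[<agent id>] (<agent name>) <agent ip>-><integration>` (that framing is an assumption of the example, inferred from the quoted lines) and shows why the escape matters: a colon-delimited parser mis-splits the unescaped IPv6 address, whereas the escaped form parses back into its fields and the original address is recovered.

```python
import json
import re

# Sample queue lines, constructed for this example and modelled on the integratord
# debug lines quoted in this issue (payload shortened). The framing assumed here,
# "<queue>:<location>:<payload>" with the location written as
# "[<agent id>] (<agent name>) <agent ip>-><integration>", is an assumption of
# this example and is not taken from the Wazuh source tree.
UNESCAPED_IPV6 = (
    "1:[001] (agent) FE80:0000:0000:0000:0A00:27FF:FEA2:6BFD->virustotal:"
    '{"virustotal": {"found": 1, "malicious": 1}, "integration": "virustotal"}'
)
ESCAPED_IPV6 = (
    "1:[001] (agent) FE80|:0000|:0000|:0000|:0A00|:27FF|:FEA2|:6BFD->virustotal:"
    '{"virustotal": {"found": 1, "malicious": 1}, "integration": "virustotal"}'
)
IPV4 = (
    "1:[002] (agent-test) 10.0.2.15->virustotal:"
    '{"virustotal": {"found": 1, "malicious": 1}, "integration": "virustotal"}'
)

# A ':' not preceded by '|' is a field separator; '|:' is a literal colon.
FIELD_SEPARATOR = re.compile(r"(?<!\|):")
LOCATION = re.compile(
    r"^\[(?P<agent_id>[^\]]+)\] \((?P<agent_name>[^)]+)\) "
    r"(?P<agent_ip>.+)->(?P<integration>[^:]+)$"
)


def escape_ip(ip: str) -> str:
    """Escape each ':' of an address as '|:' so it survives colon-delimited framing."""
    return ip.replace(":", "|:")


def unescape_ip(ip: str) -> str:
    """Restore the address once the framing has been parsed."""
    return ip.replace("|:", ":")


def parse_message(line: str) -> dict:
    """Split a queue line into its fields, honouring the '|:' escape.

    Raises ValueError when the location does not have the expected shape, which
    is exactly what happens when an unescaped IPv6 address shifts the separators.
    """
    parts = FIELD_SEPARATOR.split(line, maxsplit=2)
    if len(parts) != 3:
        raise ValueError("expected <queue>:<location>:<payload>")
    queue, location, payload = parts
    match = LOCATION.match(location)
    if match is None:
        raise ValueError(f"unparseable location: {location!r}")
    return {
        "queue": queue,
        "agent_id": match["agent_id"],
        "agent_name": match["agent_name"],
        "agent_ip": unescape_ip(match["agent_ip"]),
        "integration": match["integration"],
        "alert": json.loads(payload),
    }


def parses_cleanly(line: str) -> bool:
    """True when the line yields well-formed fields and a valid JSON payload."""
    try:
        parse_message(line)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return False
    return True


if __name__ == "__main__":
    for label, line in (("unescaped IPv6", UNESCAPED_IPV6),
                        ("escaped IPv6", ESCAPED_IPV6),
                        ("IPv4", IPV4)):
        result = parse_message(line)["agent_ip"] if parses_cleanly(line) else "FAILS TO PARSE"
        print(f"{label}: {result}")
```

Run stand-alone, the unescaped line is the only one that fails: the second separator lands after `FE80`, so the location loses its `->virustotal` suffix and the remainder of the address is swallowed into the payload. The IPv4 line never contained a colon in the address, which is why the bug only surfaced with IPv6 agents.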

damarisg commented 2 years ago

QA review

jmv74211 commented 2 years ago

Closing conclusion 👍🏼

Everything seems to work properly.