Open yjchew opened 2 months ago
Are you still having this issue? If not, how did you fix it? I have the same issue, I guess: when rule 554 is triggered the syscheck rules don't trigger, which makes the YARA rule not trigger as well. Been waiting for support to get back to me as well.
Nope, it is still not working and I gave up on implementing it. Best of luck to you :)
Hi there, the agent on Windows is new for me, and I'm facing the same issue. I can trigger 100303 and 100304, but they didn't trigger the YARA rule.
The only log files that I find are gzipped.
When I run yara64.exe manually I get this result:
& "C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe" -D -r "C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar" C:\Users\admin\Downloads\eicar.txt
math
MEAN_BYTES = 127.500000
pe
number_of_signatures = YR_UNDEFINED
signatures
pdb_path = YR_UNDEFINED
number_of_resources = YR_UNDEFINED
resources
resource_version
minor = YR_UNDEFINED
major = YR_UNDEFINED
resource_timestamp = YR_UNDEFINED
delay_import_details
import_details
export_details
export_timestamp = YR_UNDEFINED
dll_name = YR_UNDEFINED
number_of_exports = YR_UNDEFINED
number_of_delayed_imported_functions = YR_UNDEFINED
number_of_delayed_imports = YR_UNDEFINED
number_of_imported_functions = YR_UNDEFINED
number_of_imports = YR_UNDEFINED
IMPORT_ANY = -1
IMPORT_STANDARD = 1
IMPORT_DELAYED = 2
rich_signature
clear_data = YR_UNDEFINED
raw_data = YR_UNDEFINED
key = YR_UNDEFINED
length = YR_UNDEFINED
offset = YR_UNDEFINED
overlay
size = YR_UNDEFINED
offset = YR_UNDEFINED
sections
data_directories
loader_flags = YR_UNDEFINED
size_of_heap_commit = YR_UNDEFINED
size_of_heap_reserve = YR_UNDEFINED
size_of_stack_commit = YR_UNDEFINED
size_of_stack_reserve = YR_UNDEFINED
dll_characteristics = YR_UNDEFINED
subsystem = YR_UNDEFINED
checksum = YR_UNDEFINED
size_of_headers = YR_UNDEFINED
size_of_image = YR_UNDEFINED
win32_version_value = YR_UNDEFINED
subsystem_version
minor = YR_UNDEFINED
major = YR_UNDEFINED
image_version
minor = YR_UNDEFINED
major = YR_UNDEFINED
os_version
minor = YR_UNDEFINED
major = YR_UNDEFINED
linker_version
minor = YR_UNDEFINED
major = YR_UNDEFINED
file_alignment = YR_UNDEFINED
section_alignment = YR_UNDEFINED
base_of_data = YR_UNDEFINED
base_of_code = YR_UNDEFINED
size_of_uninitialized_data = YR_UNDEFINED
size_of_initialized_data = YR_UNDEFINED
size_of_code = YR_UNDEFINED
opthdr_magic = YR_UNDEFINED
version_info_list
version_info
number_of_version_infos = YR_UNDEFINED
number_of_rva_and_sizes = YR_UNDEFINED
image_base = YR_UNDEFINED
entry_point_raw = YR_UNDEFINED
entry_point = YR_UNDEFINED
characteristics = YR_UNDEFINED
size_of_optional_header = YR_UNDEFINED
number_of_symbols = YR_UNDEFINED
pointer_to_symbol_table = YR_UNDEFINED
timestamp = YR_UNDEFINED
number_of_sections = YR_UNDEFINED
machine = YR_UNDEFINED
is_pe = 0
IMAGE_DEBUG_TYPE_REPRO = 16
IMAGE_DEBUG_TYPE_MPX = 15
IMAGE_DEBUG_TYPE_ILTCG = 14
IMAGE_DEBUG_TYPE_POGO = 13
IMAGE_DEBUG_TYPE_VC_FEATURE = 12
IMAGE_DEBUG_TYPE_CLSID = 11
IMAGE_DEBUG_TYPE_RESERVED10 = 10
IMAGE_DEBUG_TYPE_BORLAND = 9
IMAGE_DEBUG_TYPE_OMAP_FROM_SRC = 8
IMAGE_DEBUG_TYPE_OMAP_TO_SRC = 7
IMAGE_DEBUG_TYPE_FIXUP = 6
IMAGE_DEBUG_TYPE_EXCEPTION = 5
IMAGE_DEBUG_TYPE_MISC = 4
IMAGE_DEBUG_TYPE_FPO = 3
IMAGE_DEBUG_TYPE_CODEVIEW = 2
IMAGE_DEBUG_TYPE_COFF = 1
IMAGE_DEBUG_TYPE_UNKNOWN = 0
RESOURCE_TYPE_MANIFEST = 24
RESOURCE_TYPE_HTML = 23
RESOURCE_TYPE_ANIICON = 22
RESOURCE_TYPE_ANICURSOR = 21
RESOURCE_TYPE_VXD = 20
RESOURCE_TYPE_PLUGPLAY = 19
RESOURCE_TYPE_DLGINCLUDE = 17
RESOURCE_TYPE_VERSION = 16
RESOURCE_TYPE_GROUP_ICON = 14
RESOURCE_TYPE_GROUP_CURSOR = 12
RESOURCE_TYPE_MESSAGETABLE = 11
RESOURCE_TYPE_RCDATA = 10
RESOURCE_TYPE_ACCELERATOR = 9
RESOURCE_TYPE_FONT = 8
RESOURCE_TYPE_FONTDIR = 7
RESOURCE_TYPE_STRING = 6
RESOURCE_TYPE_DIALOG = 5
RESOURCE_TYPE_MENU = 4
RESOURCE_TYPE_ICON = 3
RESOURCE_TYPE_BITMAP = 2
RESOURCE_TYPE_CURSOR = 1
SECTION_SCALE_INDEX = 1
SECTION_MEM_WRITE = 2147483648
SECTION_MEM_READ = 1073741824
SECTION_MEM_EXECUTE = 536870912
SECTION_MEM_SHARED = 268435456
SECTION_MEM_NOT_PAGED = 134217728
SECTION_MEM_NOT_CACHED = 67108864
SECTION_MEM_DISCARDABLE = 33554432
SECTION_LNK_NRELOC_OVFL = 16777216
SECTION_ALIGN_MASK = 15728640
SECTION_ALIGN_8192BYTES = 14680064
SECTION_ALIGN_4096BYTES = 13631488
SECTION_ALIGN_2048BYTES = 12582912
SECTION_ALIGN_1024BYTES = 11534336
SECTION_ALIGN_512BYTES = 10485760
SECTION_ALIGN_256BYTES = 9437184
SECTION_ALIGN_128BYTES = 8388608
SECTION_ALIGN_64BYTES = 7340032
SECTION_ALIGN_32BYTES = 6291456
SECTION_ALIGN_16BYTES = 5242880
SECTION_ALIGN_8BYTES = 4194304
SECTION_ALIGN_4BYTES = 3145728
SECTION_ALIGN_2BYTES = 2097152
SECTION_ALIGN_1BYTES = 1048576
SECTION_MEM_PRELOAD = 524288
SECTION_MEM_LOCKED = 262144
SECTION_MEM_16BIT = 131072
SECTION_MEM_PURGEABLE = 131072
SECTION_MEM_FARDATA = 32768
SECTION_GPREL = 32768
SECTION_NO_DEFER_SPEC_EXC = 16384
SECTION_LNK_COMDAT = 4096
SECTION_LNK_REMOVE = 2048
SECTION_LNK_INFO = 512
SECTION_LNK_OTHER = 256
SECTION_CNT_UNINITIALIZED_DATA = 128
SECTION_CNT_INITIALIZED_DATA = 64
SECTION_CNT_CODE = 32
SECTION_NO_PAD = 8
IMAGE_ROM_OPTIONAL_HDR_MAGIC = 263
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 523
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 267
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT = 13
IMAGE_DIRECTORY_ENTRY_IAT = 12
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT = 11
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10
IMAGE_DIRECTORY_ENTRY_TLS = 9
IMAGE_DIRECTORY_ENTRY_GLOBALPTR = 8
IMAGE_DIRECTORY_ENTRY_COPYRIGHT = 7
IMAGE_DIRECTORY_ENTRY_ARCHITECTURE = 7
IMAGE_DIRECTORY_ENTRY_DEBUG = 6
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
IMAGE_DIRECTORY_ENTRY_EXCEPTION = 3
IMAGE_DIRECTORY_ENTRY_RESOURCE = 2
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_EXPORT = 0
BYTES_REVERSED_HI = 32768
UP_SYSTEM_ONLY = 16384
DLL = 8192
SYSTEM = 4096
NET_RUN_FROM_SWAP = 2048
REMOVABLE_RUN_FROM_SWAP = 1024
DEBUG_STRIPPED = 512
MACHINE_32BIT = 256
BYTES_REVERSED_LO = 128
LARGE_ADDRESS_AWARE = 32
AGGRESIVE_WS_TRIM = 16
LOCAL_SYMS_STRIPPED = 8
LINE_NUMS_STRIPPED = 4
EXECUTABLE_IMAGE = 2
RELOCS_STRIPPED = 1
TERMINAL_SERVER_AWARE = 32768
GUARD_CF = 16384
WDM_DRIVER = 8192
APPCONTAINER = 4096
NO_BIND = 2048
NO_SEH = 1024
NO_ISOLATION = 512
NX_COMPAT = 256
FORCE_INTEGRITY = 128
DYNAMIC_BASE = 64
HIGH_ENTROPY_VA = 32
SUBSYSTEM_WINDOWS_BOOT_APPLICATION = 16
SUBSYSTEM_XBOX = 14
SUBSYSTEM_EFI_ROM_IMAGE = 13
SUBSYSTEM_EFI_RUNTIME_DRIVER = 12
SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER = 11
SUBSYSTEM_EFI_APPLICATION = 10
SUBSYSTEM_WINDOWS_CE_GUI = 9
SUBSYSTEM_NATIVE_WINDOWS = 8
SUBSYSTEM_POSIX_CUI = 7
SUBSYSTEM_OS2_CUI = 5
SUBSYSTEM_WINDOWS_CUI = 3
SUBSYSTEM_WINDOWS_GUI = 2
SUBSYSTEM_NATIVE = 1
SUBSYSTEM_UNKNOWN = 0
MACHINE_CEE = 49390
MACHINE_CEF = 3311
MACHINE_TRICORE = 1312
MACHINE_AXP64 = 644
MACHINE_ALPHA64 = 644
MACHINE_SH3E = 420
MACHINE_ALPHA = 388
MACHINE_R10000 = 360
MACHINE_R3000 = 354
MACHINE_TARGET_HOST = 1
MACHINE_WCEMIPSV2 = 361
MACHINE_THUMB = 450
MACHINE_SH5 = 424
MACHINE_SH4 = 422
MACHINE_SH3DSP = 419
MACHINE_SH3 = 418
MACHINE_R4000 = 358
MACHINE_POWERPCFP = 497
MACHINE_POWERPC = 496
MACHINE_MIPSFPU16 = 1126
MACHINE_MIPSFPU = 870
MACHINE_MIPS16 = 614
MACHINE_M32R = 36929
MACHINE_IA64 = 512
MACHINE_I386 = 332
MACHINE_EBC = 3772
MACHINE_ARM64 = 43620
MACHINE_ARMNT = 452
MACHINE_ARM = 448
MACHINE_AMD64 = 34404
MACHINE_AM33 = 467
MACHINE_UNKNOWN = 0
Content of the eicar.txt file:
X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Same result with the eicar.zip test file from the Wazuh doc. I checked the yara_rules.yar file; the EICAR rule is properly declared.
Any idea why there is no detection (YR_UNDEFINED)?
Finally it works with a sample like xbash (from the Wazuh YARA Linux doc).
(The 554 is a debug file created by yara.bat.)
I am also having this issue. I do not get any alerts even though my active response is running, and on my Windows machine I checked active-responses.log and found the result for the scan as shown below:
wazuh-yara: INFO - Scan result: SUSP_Just_EICAR_RID2C24 c:\users\pc-fahad\downloads\eicar.com
I am following the Windows client part of the tutorial from this link: https://documentation.wazuh.com/current/proof-of-concept-guide/detect-malware-yara-integration.html
/var/ossec/etc/ossec.conf content:
<ossec_config>
  <command>
    <name>yara_windows</name>
    <executable>yara.bat</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <active-response>
    <command>yara_windows</command>
    <location>local</location>
    <rules_id>100304</rules_id>
  </active-response>
</ossec_config>
The local_decoder:
<decoder name="yara_decoder">
  <prematch>wazuh-yara:</prematch>
</decoder>
<decoder name="yara_decoder1">
  <parent>yara_decoder</parent>
  <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
  <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>
local_rules:
<group name="syscheck,">
  <rule id="100303" level="7">
    <if_sid>550</if_sid>
    <field name="file">C:\\Users\\pc-fahad\\Downloads</field>
    <description>File modified in C:\Users\pc-fahad\Downloads directory. Yara-</description>
  </rule>
  <rule id="100304" level="7">
    <if_sid>554</if_sid>
    <field name="file">C:\\Users\\pc-fahad\\Downloads</field>
    <description>File added to C:\Users\pc-fahad\Downloads directory -Yara.</description>
  </rule>
</group>
<group name="yara,">
  <rule id="108000" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>Yara grouping rule</description>
  </rule>
  <rule id="108001" level="12">
    <if_sid>108000</if_sid>
    <match>wazuh-yara: INFO - Scan result: </match>
    <description>File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule)</description>
  </rule>
</group>
I have been going on with this issue for the past two days! Everything works fine except that I don't get any alerts on the Threat Hunting dashboard! I can see the file being added and detected by YARA in the File Integrity Monitoring dashboard, and the script actually works fine; I have added a line to delete the file on the client machine if the YARA result is positive. yara.bat:
@echo off
setlocal enableDelayedExpansion
rem Pick the agent install path from the CPU architecture (the agent is 32-bit, so on x64 it lives under Program Files (x86))
reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BIT
if %OS%==32BIT (
    SET log_file_path="%programfiles%\ossec-agent\active-response\active-responses.log"
)
if %OS%==64BIT (
    SET log_file_path="%programfiles(x86)%\ossec-agent\active-response\active-responses.log"
)
rem Read the JSON alert that the agent passes to the active response on stdin
set input=
for /f "delims=" %%a in ('PowerShell -command "$logInput = Read-Host; Write-Output $logInput"') do (
    set input=%%a
)
set json_file_path="C:\Program Files (x86)\ossec-agent\active-response\stdin.txt"
set syscheck_file_path=
echo %input% > %json_file_path%
rem Extract the path of the file reported by syscheck from the alert JSON
for /F "tokens=* USEBACKQ" %%F in (`Powershell -Nop -C "(Get-Content 'C:\Program Files (x86)\ossec-agent\active-response\stdin.txt'|ConvertFrom-Json).parameters.alert.syscheck.path"`) do (
    set syscheck_file_path=%%F
)
del /f %json_file_path%
set yara_exe_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe"
set yara_rules_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar"
rem Scan the file; every matching rule prints one "RULE path" line, which is logged for the manager to decode
for /f "delims=" %%a in ('powershell -command "& \"%yara_exe_path%\" \"%yara_rules_path%\" \"%syscheck_file_path%\""') do (
    echo wazuh-yara: INFO - Scan result: %%a >> %log_file_path%
    rem Delete the matched file (path quoted so that directories with spaces work)
    del "%syscheck_file_path%"
)
exit /b
any help is appreciated.
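The post above carries the whole manager-side chain for the YARA log line: the `yara_decoder1` regex, its `<order>` of fields, and rule 108001 with its `$(field)` description. The following is an added example (not part of this issue or of Wazuh) that replays that chain offline over constructed log lines, so that a practitioner can see what the decoder extracts from the line quoted in the post and what the alert description of 108001 would read. It assumes Python's `re` as an approximation of Wazuh's own OS_Regex engine and a plain string substitution for `$(yara_rule)` / `$(yara_scanned_file)`; the sample lines are constructed, and the second one deliberately contains a space in the path to show that `(\S+)` then captures only the first token of the path.

```python
"""Offline replay of the wazuh-yara decoder and rule 108001 from the thread.

Added example, not code from the GitHub issue or from Wazuh. Python's `re`
stands in for Wazuh's OS_Regex and a plain replace stands in for the
manager's $(field) rendering; both are assumptions, not Wazuh's code.
"""
import re

# Regex and <order> of decoder yara_decoder1, taken verbatim from the thread.
YARA_DECODER = re.compile(r"wazuh-yara: (\S+) - Scan result: (\S+) (\S+)")
DECODER_ORDER = ("log_type", "yara_rule", "yara_scanned_file")

# <prematch> of yara_decoder and <match>/<description> of rule 108001, verbatim from the thread.
PREMATCH = "wazuh-yara:"
RULE_108001_MATCH = "wazuh-yara: INFO - Scan result: "
RULE_108001_DESCRIPTION = (
    'File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule)'
)


def decode(line):
    """Return the fields the decoder chain would extract from one active-responses.log line.

    None  -> the parent decoder did not prematch (not a wazuh-yara line at all)
    {}    -> parent matched but the child regex did not, so no fields are produced
    dict  -> fields named by <order>, in the order the regex captured them
    """
    if PREMATCH not in line:
        return None
    m = YARA_DECODER.search(line)
    if not m:
        return {}
    return dict(zip(DECODER_ORDER, m.groups()))


def evaluate_rule_108001(line):
    """Return the rendered description if rule 108001 would fire for this line, else None."""
    fields = decode(line)
    if fields is None or RULE_108001_MATCH not in line:
        return None
    description = RULE_108001_DESCRIPTION
    for name in DECODER_ORDER:
        # Approximation of the manager's $(field) substitution (assumption, not Wazuh's code).
        description = description.replace(f"$({name})", fields.get(name, ""))
    return description


# Constructed sample lines: the one quoted in the thread, a variant whose path
# contains a space, and an unrelated line that must not reach the yara rules.
SAMPLE_LINES = [
    "wazuh-yara: INFO - Scan result: SUSP_Just_EICAR_RID2C24 c:\\users\\pc-fahad\\downloads\\eicar.com",
    "wazuh-yara: INFO - Scan result: SUSP_Just_EICAR_RID2C24 c:\\users\\pc fahad\\downloads\\eicar.com",
    "ossec-agent: INFO - unrelated active response output",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(sample)
        print("  decoded :", decode(sample))
        print("  108001  :", evaluate_rule_108001(sample))
```

Running it shows the line from the post decoding into `log_type=INFO`, `yara_rule=SUSP_Just_EICAR_RID2C24` and the full path, with 108001 firing; for the path with a space, 108001 still fires (the `<match>` string is present) but `yara_scanned_file` is cut to `c:\users\pc`, so the alert would name the wrong file. The example only covers what happens once the line is on the manager; the linked guide also has the Windows endpoint ship `active-response\active-responses.log` to the manager through a `<localfile>` entry, and when the line is visible on the endpoint yet nothing reaches the Threat Hunting dashboard, that collection step is the first thing to confirm.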
Yes, the YARA file from the doc is just an example of a YARA file and should not be used for production. For more useful YARA rules -> YARA Forge.
EICAR will be detected, and other malware families.
Yeah, but the issue is not the rules; it's not getting anything on the dashboard. But thanks.
My 2 cents: I didn't read well.
Do you see your rule id 100304 triggered in the dashboard, or at least the 554?
I only get 100304 triggered in the File Integrity Monitoring dashboard, and the script is being executed fine by the active response; I can confirm that by the test virus getting deleted and by the active-responses.log file on my Windows machine. But nothing on the Threat Hunting dashboard.
Followed the documentation: https://documentation.wazuh.com/current/proof-of-concept-guide/detect-malware-yara-integration.html to set up YARA. But there was no alert when I tested it. I tried manually running yara.exe on the command prompt and it worked.
I then checked the active-responses.log and found that there was nothing related to YARA, which I assume should not be the case if it was working properly. This led me to believe that the yara.bat on my agent is not working properly, as the line I added in ossec.conf to monitor "C:\Users\user\Downloads" is working properly (I was able to see files being added to that path). Is there anything I did wrong?
yara.bat
ossec.conf