diff --git a/yara integration b/yara integration
index 228faab..4d70f2e 100644
--- a/yara integration
+++ b/yara integration
@@ -1,39 +1,52 @@
###########################Wazuh Manager############
nano /var/ossec/etc/ossec.conf
+
yara
yara.sh
filename
- -yara_path /path/to/yara -yara_rules /path/to/rules
+ -yara_path /usr/bin -yara_rules /opt/yara_rules/rules/index.yar
no
+
yara
local
550,554
+
+
+
nano /var/ossec/etc/decoders/yara_decoders.xml
+
+
wazuh-yara:
-
+
yara
- info: (\S+) (\.+)
- yara_rule, file_path
+ wazuh-yara: (\S+) - Scan result: (\S+) (\S+)
+ log_type, yara_rule, yara_scanned_file
yara
- error: (\.+)
- error_message
+ wazuh-yara: (\S+) - Yara active response error. (\.+)
+ log_type, error_message
+
nano /var/ossec/etc/rules/yara_rules.xml
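Review bot: The new `Scan result` decoder captures the scanned path with `(\S+)`, which stops at the first space, so a syscheck path containing whitespace leaves `yara_scanned_file` truncated and the rest of the line undecoded; the pattern it replaces used `(\.+)` for that trailing field. Keeping a greedy capture for the last field, `wazuh-yara: (\S+) - Scan result: (\S+) (\.+)`, preserves the full path while the rule name still matches as a single token. This also keeps the two new prematch patterns consistent, since the error-line decoder already ends in `(\.+)` for its free-text message.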
@@ -41,13 +54,13 @@ nano /var/ossec/etc/rules/yara_rules.xml
yara
YARA rules grouped.
-
+
100100
\.+
YARA error detected.
-
+
100100
\.+
@@ -56,37 +69,36 @@ nano /var/ossec/etc/rules/yara_rules.xml
+
##################Wazuh Agent####################
nano /var/ossec/active-response/bin/yara.sh
#!/bin/bash
+# Wazuh - Yara active response
+# Copyright (C) 2015-2021, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
#------------------------- Gather parameters -------------------------#
# Static active response parameters
-FILENAME=$8
LOCAL=`dirname $0`
# Extra arguments
-YARA_PATH=
-YARA_RULES=
-
-while [ "$1" != "" ]; do
- case $1 in
- -yara_path) shift
- YARA_PATH=$1
- ;;
- -yara_rules) shift
- YARA_RULES=$1
- ;;
- * ) shift
- esac
- shift
-done
+read -r INPUT_JSON
+YARA_PATH=$(echo $INPUT_JSON | jq -r .parameters.extra_args[1])
+YARA_RULES=$(echo $INPUT_JSON | jq -r .parameters.extra_args[3])
+FILENAME=$(echo $INPUT_JSON | jq -r .parameters.alert.syscheck.path)
+COMMAND=$(echo $INPUT_JSON | jq -r .command)
# Move to the active response folder
cd $LOCAL
cd ../
+#time=$(date)
+#echo "$time $YARA_PATH $YARA_RULES" >> /home/ghaem.arasteh/printinput.txt
# Set LOG_FILE path
PWD=`pwd`
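Review bot: `jq -r` prints the literal string `null` when a requested field is absent, so the four assignments taken from `INPUT_JSON` never yield an empty value and the mandatory-parameter check that follows (`[[ ! $YARA_PATH ]]`, outside this hunk) cannot fire; the script would go on to run `null/yara`. Map a missing field to empty with the alternative operator, e.g. `YARA_PATH=$(printf '%s' "$INPUT_JSON" | jq -r '.parameters.extra_args[1] // empty')`, and the same for the other three. The unquoted `echo $INPUT_JSON` also subjects the JSON, which carries the syscheck path from the alert, to word splitting and globbing before jq parses it; `printf '%s' "$INPUT_JSON"` avoids that, and `cd "$LOCAL"` needs the same quoting. The two commented-out debug lines that write to a personal home directory should be removed rather than shipped in the script.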
@@ -96,22 +108,36 @@ LOG_FILE="${PWD}/../logs/active-responses.log"
if [[ ! $YARA_PATH ]] || [[ ! $YARA_RULES ]]
then
- echo "wazuh-yara: error: Yara path and rules parameters are mandatory." >> ${LOG_FILE}
- exit
+ echo "wazuh-yara: ERROR - Yara active response error. Yara path and rules parameters are mandatory." >> ${LOG_FILE}
+ exit
fi
+#------------------------ Analyze command -------------------------#
+if [ ${COMMAND} = "add" ]
+then
+ # Send control message to execd
+ printf '{"version":1,"origin":{"name":"yara","module":"active-response"},"command":"check_keys", "parameters":{"keys":[]}}\n'
+
+ read RESPONSE
+ COMMAND2=$(echo $RESPONSE | jq -r .command)
+ if [ ${COMMAND2} != "continue" ]
+ then
+ echo "wazuh-yara: INFO - Yara active response aborted." >> ${LOG_FILE}
+ exit 1;
+ fi
+fi
#------------------------- Main workflow --------------------------#
-# Execute YARA scan on the specified filename
-yara_output=$(${YARA_PATH}/yara -w -r $YARA_RULES $FILENAME)
+# Execute Yara scan on the specified filename
+yara_output="$("${YARA_PATH}"/yara -w -r "$YARA_RULES" "$FILENAME")"
if [[ $yara_output != "" ]]
then
- # Iterate every detected rule and append it to the LOG_FILE
- while read -r line; do
- echo "wazuh-yara: info: $line" >> ${LOG_FILE}
- done <<< "$yara_output"
+ # Iterate every detected rule and append it to the LOG_FILE
+ while read -r line; do
+ echo "wazuh-yara: INFO - Scan result: $line" >> ${LOG_FILE}
+ done <<< "$yara_output"
fi
exit 1;
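Review bot: The abort check `if [ ${COMMAND2} != "continue" ]` is unquoted, so when execd's reply is empty or not parseable as JSON the test degrades to `[ != continue ]`, which errors out with status 2 and the `if` is treated as false — the scan then proceeds instead of aborting. Quote the expansion and use the `[[` form, `if [[ "${COMMAND2}" != "continue" ]]`, give `read RESPONSE` the `-r` flag so backslashes in the reply are not interpreted, and apply the same quoting to `if [ ${COMMAND} = "add" ]`. The mandatory-parameter branch also calls bare `exit`, which returns status 0 right after logging an ERROR line; `exit 1` there would match the abort branch below it. Note that `$RESPONSE` is piped to jq unquoted like `$INPUT_JSON` in the previous hunk, so the same `printf '%s' "$RESPONSE"` form applies.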