Environment setup

All systems run CentOS 7.9.

Our main goal is to test YARA on Wazuh, so we pick the fastest deployment route.

The Manager is deployed by importing the official OVA file into a virtual machine; see Virtual Machine (OVA).

Once deployed, browse to the VM's IP address; the default credentials are admin/admin. If the page does not load and only shows a single line of English text, try starting wazuh-indexer: systemctl start wazuh-indexer

After logging in, the Agents panel has a Deploy new agent button (when no agent exists yet, this screen is shown directly). Select the options matching the endpoint that needs the agent, leave the group as default, then copy the generated command and run it on the endpoint.

sudo WAZUH_MANAGER='192.168.88.135' WAZUH_AGENT_GROUP='default' yum install https://packages.wazuh.com/4.x/yum/wazuh-agent-4.3.6-1.x86_64.rpm

A note on an additional agent registration method: when an endpoint that already has an agent installed needs to be connected to a new manager, you can use the key-based method described in Requesting the key.

TOKEN=$(curl -u wazuh:wazuh -k -X GET "https://192.168.88.135:55000/security/user/authenticate?raw=true")
curl -k -X POST -d '{"name":"k8smaster"}' "https://192.168.88.135:55000/agents?pretty=true" -H "Content-Type:application/json" -H "Authorization: Bearer $TOKEN"

The request returns a key; on the endpoint run /var/ossec/bin/manage_agents -i <key>

Then restart the agent (systemctl restart wazuh-agent) and it will connect to the manager.

Integrating YARA with Wazuh

The YARA integration can be done following the official documentation:

Detecting malware using Yara integration

How to integrate Wazuh with YARA

Below is a brief record of the process.

Endpoint configuration

For the YARA installation see Compiling and installing YARA; note that YARA only needs to be installed on the endpoint.

We use jq to parse the JSON that Wazuh's active-response feature passes to our script.

So jq must be installed on the endpoint. If jq cannot be found, see the guide on installing jq with yum on CentOS 7; the commands are:

wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -ivh epel-release-latest-7.noarch.rpm
yum repolist
yum install jq

We use the official open-source Yara-Rules rule set to check that YARA works correctly.

Reference yara command: yara /home/yara/rules/index.yar /home/yara/malware/1.txt

The test will error out, reporting that some functions used in the rule files are unavailable. Edit index.yar so that only the webshell include remains (comment out or delete the others), then add a rule of our own (below) and include it in index.yar.

rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        thread_level = 3
        in_the_wild = true
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
        $d = {4D 5A}
    condition:
        $a or $b or $c or $d
}

The test now prints the detected file as expected.

Add a yara.sh script to the /var/ossec/active-response/bin directory:

#!/bin/bash
# Wazuh - Yara active response
# Copyright (C) 2015-2022, Wazuh Inc.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
#------------------------- Gather parameters -------------------------#

# Static active response parameters
LOCAL=$(dirname "$0")

# Extra arguments: execd passes one JSON document on stdin (see the sample below)
read -r INPUT_JSON
YARA_PATH=$(echo "$INPUT_JSON" | jq -r '.parameters.extra_args[1]')
YARA_RULES=$(echo "$INPUT_JSON" | jq -r '.parameters.extra_args[3]')
FILENAME=$(echo "$INPUT_JSON" | jq -r '.parameters.alert.syscheck.path')
COMMAND=$(echo "$INPUT_JSON" | jq -r '.command')

# Move to the active response folder
cd "$LOCAL" || exit 1
cd ../ || exit 1

# Set LOG_FILE path (relative to the active-response folder)
LOG_FILE="$(pwd)/../logs/active-responses.log"

#----------------------- Analyze parameters -----------------------#

if [[ ! $YARA_PATH ]] || [[ ! $YARA_RULES ]]
then
  echo "wazuh-yara: ERROR - Yara active response error. Yara path and rules parameters are mandatory." >> "${LOG_FILE}"
  exit 1
fi

#------------------------ Analyze command -------------------------#
if [ "${COMMAND}" = "add" ]
then
  # Send control message to execd
  printf '{"version":1,"origin":{"name":"yara","module":"active-response"},"command":"check_keys", "parameters":{"keys":[]}}\n'

  # execd answers with a JSON message whose command is "continue" or "abort"
  read -r RESPONSE
  COMMAND2=$(echo "$RESPONSE" | jq -r '.command')
  if [ "${COMMAND2}" != "continue" ]
  then
    echo "wazuh-yara: INFO - Yara active response aborted." >> "${LOG_FILE}"
    exit 1
  fi
fi

#------------------------- Main workflow --------------------------#

# Execute Yara scan on the specified filename
yara_output="$("${YARA_PATH}"/yara -w -r "$YARA_RULES" "$FILENAME")"

if [[ $yara_output != "" ]]
then
  # Iterate every detected rule and append it to the LOG_FILE
  while read -r line; do
    echo "wazuh-yara: INFO - Scan result: $line" >> "${LOG_FILE}"
  done <<< "$yara_output"
fi

exit 1

This script is written to respond to active-response; the JSON it reads from stdin looks like the sample below. Note that older Wazuh versions do not pass JSON to the script at all: in testing, 4.1.5 produced no JSON output while 4.2.5 did.

{
  "version":1,
  "origin":{
    "name":"node01",
    "module":"wazuh-execd"
  },
  "command":"add",
  "parameters":{
    "extra_args":["-yara_path",
                  "/usr/local/bin",
                  "-yara_rules",
                  "/home/yara/rules/index.yar"],
    "alert":{
      "timestamp":"2022-08-01T07:23:34.120+0000",
      "rule":{
        "level":7,
        "description":"File added to /home/yara/malware/ directory.",
        "id":"100301",
        "firedtimes":1,
        "mail":false,
        "groups":["syscheck"]
      },
      "agent":{
        "id":"002",
        "name":"k8smaster",
        "ip":"192.168.88.136"
      },
      "manager":{
        "name":"wazuh-server"
      },
      "id":"1659338614.788337",
      "full_log":"File '/home/yara/malware/5.txt' added\nMode: whodata\n",
      "syscheck":{
        "path":"/home/yara/malware/5.txt",
        "mode":"whodata",
        "size_after":"27",
        "perm_after":"rw-r--r--",
        "uid_after":"0",
        "gid_after":"0",
        "md5_after":"b0461abc874bd98d753a54fe83861cad",
        "sha1_after":"673d0c5490e051efa2d317f6fb08d26732a91a44",
        "sha256_after":"463e92b10416cfd4bfc402d1bf2dbda84f4a74db971dceede3cec07c3e4fef6d",
        "uname_after":"root",
        "gname_after":"root",
        "mtime_after":"2022-08-01T07:23:34",
        "inode_after":34679532,
        "event":"added",
        "audit":{
          "user":{
            "id":"0",
            "name":"root"
          },
          "process":{
            "id":"21354",
            "name":"/usr/bin/cp",
            "cwd":"/home/yara/malware",
            "parent_name":"/usr/bin/bash",
            "parent_cwd":"/home/yara/malware",
            "ppid":"20631"
          },
          "group":{
            "id":"0",
            "name":"root"
          },
          "login_user":{
            "id":"0",
            "name":"root"
          },
          "effective_user":{
            "id":"0",
            "name":"root"
          }
        }
      },
      "decoder":{
        "name":"syscheck_new_entry"
      },
      "location":"syscheck"
    },
    "program":"active-response/bin/yara.sh"
  }
}

To get the above output in ossec.log, set execd.debug=2 in /var/ossec/etc/local_internal_options.conf.

The script reads the JSON and then writes the YARA result in a fixed format to /var/ossec/logs/active-responses.log, for example:

wazuh-yara: INFO - Scan result: silent_banker /home/yara/malware/5.txt

A syscheck entry also needs to be configured on the endpoint so that Wazuh monitors the directory:

<directories whodata="yes">/home/yara/malware</directories>

Whether the whodata="yes" setting is in effect can be checked with auditctl -l | grep wazuh; for details see the official Auditing who-data in Linux.

Every change to ossec.conf requires restarting wazuh-agent to take effect: systemctl restart wazuh-agent

That completes the agent configuration.

Manager configuration

On the Manager we need to configure the active-response feature so that it responds automatically.

Add the following to /var/ossec/etc/ossec.conf:

<ossec_config>
    <localfile>
      <log_format>syslog</log_format>
      <location>/var/ossec/logs/active-responses.log</location>
    </localfile>
    <command>
        <name>yara</name>
        <executable>yara.sh</executable>
        <extra_args>-yara_path /usr/local/bin -yara_rules /home/yara/rules/index.yar</extra_args>
        <timeout_allowed>no</timeout_allowed>
    </command>
    <active-response>
        <command>yara</command>
        <location>local</location>
        <rules_id>100300,100301</rules_id>
    </active-response>
</ossec_config>

Changing ossec.conf requires restarting the manager: systemctl restart wazuh-manager

Add a file named yara_rules.xml under the /var/ossec/etc/rules directory with the following content:

<group name="syscheck,">
    <rule id="100300" level="7">
        <if_sid>550</if_sid>
        <field name="file">/home/yara/malware/</field>
        <description>File modified in /home/yara/malware/ directory.</description>
    </rule>
    <rule id="100301" level="7">
        <if_sid>554</if_sid>
        <field name="file">/home/yara/malware/</field>
        <description>File added to /home/yara/malware/ directory.</description>
    </rule>
</group>

<group name="yara,">
    <rule id="108000" level="0">
        <decoded_as>yara_decoder</decoded_as>
        <description>Yara grouping rule</description>
    </rule>
    <rule id="108001" level="12">
        <if_sid>108000</if_sid>
        <match>wazuh-yara: INFO - Scan result: </match>
        <description>File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule)</description>
    </rule>
</group>

Add a file named yara_decoders.xml under the /var/ossec/etc/decoders directory with the following content:

<decoder name="yara_decoder">
    <prematch>wazuh-yara:</prematch>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

The flow: file additions and modifications in the /home/yara/malware/ directory are monitored, which triggers the yara command to execute the shell script; the script writes its result to /var/ossec/logs/active-responses.log on the endpoint; Wazuh detects the change to the log file, reads it, and parses the content with yara_decoder; on a match the event is shown in the Kibana interface under the new rule.group yara.
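To see exactly what yara.sh extracts from the execd message and how yara_decoder1 then splits the resulting log line, here is an added Python example (not part of the original post or of Wazuh). It re-implements the jq lookups and the decoder regex with Python's json and re modules on a constructed message, and shows one decoder caveat: a scanned path that contains a space is cut at the space.

```python
import json
import re

# Constructed sample of the execd message yara.sh reads from stdin, cut down
# to the fields the script uses (not a captured message).
EXECD_JSON = json.dumps({
    "version": 1,
    "origin": {"name": "node01", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {
        "extra_args": ["-yara_path", "/usr/local/bin",
                       "-yara_rules", "/home/yara/rules/index.yar"],
        "alert": {"syscheck": {"path": "/home/yara/malware/5.txt"}},
    },
})

# The yara_decoder1 regex rewritten for Python's re; Wazuh's \S (any
# non-space character) is approximated by [^ ] here.
DECODER_RE = re.compile(r"wazuh-yara: ([^ ]+) - Scan result: ([^ ]+) ([^ ]+)")
ORDER = ("log_type", "yara_rule", "yara_scanned_file")  # decoder <order>


def extract_parameters(input_json):
    """Pull out the same four values yara.sh extracts with jq."""
    msg = json.loads(input_json)
    args = msg["parameters"]["extra_args"]
    return {
        "yara_path": args[1],    # .parameters.extra_args[1]
        "yara_rules": args[3],   # .parameters.extra_args[3]
        "filename": msg["parameters"]["alert"]["syscheck"]["path"],
        "command": msg["command"],
    }


def log_line(yara_output_line):
    """Format one 'rule path' line of yara output the way yara.sh logs it."""
    return f"wazuh-yara: INFO - Scan result: {yara_output_line}"


def decode(line):
    """Apply yara_decoder1; returns the ordered fields or None on no match."""
    m = DECODER_RE.search(line)
    return dict(zip(ORDER, m.groups())) if m else None


if __name__ == "__main__":
    print(extract_parameters(EXECD_JSON))
    print(decode(log_line("silent_banker /home/yara/malware/5.txt")))
    # Caveat: [^ ]+ stops at the first space, so a scanned path that
    # contains a space is truncated in yara_scanned_file.
    print(decode(log_line("silent_banker /home/yara/malware/my file.txt")))
```

If scanned paths may contain spaces, the last group of the Wazuh decoder regex would need a pattern that accepts spaces (Wazuh's `\.` matches any character) rather than `\S+`.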

With that, the whole pipeline is connected end to end.

Wazuh has many more features left to explore.

Once you can make sense of the official documentation, you have got started with Wazuh.