wazuh
Migrate VirusTotal API to v3
Description
During the Python integrations monthly review in https://github.com/wazuh/internal-devel-requests/issues/967, we found that the VirusTotal API v2 is deprecated and was replaced by version 3.
This issue aims to investigate and carry out the migration to the new version of the API.
[!Note] The API v2 to v3 Migration Guide might be useful.
Checks
The following elements have been updated or reviewed (should also be checked if no modification is required):
- [x] Tests (unit tests, API integration tests).
- [x] Changelog.
- [x] Documentation.
- [x] Integration test mapping (using api/test/integration/mapping/_test_mapping.py).
- I have been reading the changes to migrate VirusTotal to v3.
- I implemented the necessary changes for its operation.
- I have been testing the changes made:
- The following configuration was added to /var/ossec/etc/ossec.conf:
<integration>
<name>virustotal</name>
<api_key>xxxx</api_key> <!-- Replace with your VirusTotal API key -->
<rule_id>syscheck</rule_id>
<alert_format>json</alert_format>
</integration>
- Also added in syscheck:
<directories check_all="yes" realtime="yes">/media/user/software</directories>
- After adding the configuration, a malicious file was created in the monitored folder:
root@wazuh-master:/# curl -Lo /media/user/software/suspicious-file.exe https://secure.eicar.org/eicar.com
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 68 100 68 0 0 251 0 --:--:-- --:--:-- --:--:-- 251
- And this was the output received in the alerts.json file:
root@wazuh-master:/# tail /var/ossec/logs/alerts/alerts.json | grep -i 'suspicious'
{"timestamp":"2024-03-20T17:22:38.327+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-master"},"manager":{"name":"wazuh-master"},"id":"1710955358.668671","cluster":{"name":"wazuh","node":"master-node"},"full_log":"File '/media/user/software/suspicious-file.exe' added\nMode: realtime\n","syscheck":{"path":"/media/user/software/suspicious-file.exe","mode":"realtime","size_after":"68","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"44d88612fea8a8f36de82e1278abb02f","sha1_after":"3395856ce81f2b7382dee72602f798b642f14140","sha256_after":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","uname_after":"root","gname_after":"root","mtime_after":"2024-03-20T17:22:38","inode_after":6176938,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}
- The creation of another file was verified:
root@wazuh-master:/media/user/software# touch newfile.txt
root@wazuh-master:/media/user/software# tail /var/ossec/logs/alerts/alerts.json | grep -i 'newfile'
{"timestamp":"2024-03-20T18:06:10.926+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-master"},"manager":{"name":"wazuh-master"},"id":"xxxxxxxxxxxxx","cluster":{"name":"wazuh","node":"master-node"},"full_log":"File '/media/user/software/newfile.txt' added\nMode: realtime\n","syscheck":{"path":"/media/user/software/newfile.txt","mode":"realtime","size_after":"0","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"xxxxxxxxxxxxx","sha1_after":"xxxxxxxxxxxxxxxxx","sha256_after":"xxxxxxxxxx","uname_after":"root","gname_after":"root","mtime_after":"2024-03-20T18:06:10","inode_after":6176746,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}
- More information:
root@wazuh-master:/media/user/software# cat /var/ossec/logs/integrations.log | grep virustotal
/tmp/virustotal-1710955251-516335709.alert d6430b91 10 3
/tmp/virustotal-1710955251-55574917.alert d6430b91 10 3
/tmp/virustotal-1710955262-26115536.alert d6430b91 10 3
/tmp/virustotal-1710955351-1769400092.alert d6430b91 10 3
/tmp/virustotal-1710955351-1469424968.alert d6430b91 10 3
/tmp/virustotal-1710955359-1780171292.alert d6430b91 10 3
/tmp/virustotal-1710955361-1171076279.alert d6430b91 10 3
/tmp/virustotal-1710957971--1153758077.alert d6430b91 10 3
- The tests need to be checked, and then it would be ready to open a PR.
Update
Performing tests to update the documentation on VirusTotal, I realized that error handling does not work as it should. Here is an example:
Master branch:
When we add the configuration for the VirusTotal integration to /var/ossec/etc/ossec.conf with an invalid api_key, this is the output shown to us in alerts.json:
root@wazuh-master:/# tail /var/ossec/logs/alerts/alerts.json | grep -i 'virustotal'
{"timestamp":"2024-03-22T10:37:51.437+0000","rule":{"level":3,"description":"VirusTotal: Error: Check credentials","id":"87102","firedtimes":1,"mail":false,"groups":["virustotal"],"gdpr":["IV_35.7.d","IV_32.2"]},"agent":{"id":"000","name":"wazuh-master"},"manager":{"name":"wazuh-master"},"id":"1711103871.667954","cluster":{"name":"wazuh","node":"master-node"},"decoder":{"name":"json"},"data":{"virustotal":{"error":"403","description":"Error: Check credentials"},"integration":"virustotal"},"location":"virustotal"}
In the log, you can see the "error":"403","description":"Error: Check credentials", indicating that the credentials are incorrect.
Performing the same tests in the branch where the changes were made, alerts.json does not show any output regarding the error:
root@wazuh-master:/# tail /var/ossec/logs/alerts/alerts.json | grep -i 'virustotal'
root@wazuh-master:/#
Update
As shown in the previous update, alerts.json was only receiving alerts about syscheck, which was not correctly making the call to the VirusTotal API.
This was corrected and verified:
- The corresponding configuration was added in the ossec.conf
- A malicious file was created for testing purposes:
root@wazuh-master:/media/user/software# curl -Lo /media/user/software/suspicious-file.exe https://secure.eicar.org/eicar.com
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 68 100 68 0 0 263 0 --:--:-- --:--:-- --:--:-- 262
The output of alerts.json regarding the alerts generated from the file suspicious-file.exe was checked (as can be observed, two alerts are generated, one related to syscheck and one to virustotal):
{"timestamp":"2024-04-03T15:29:56.113+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-master"},"manager":{"name":"wazuh-master"},"id":"xxxxxxxxxxxx","cluster":{"name":"wazuh","node":"master-node"},"full_log":"File '/media/user/software/suspicious-file.exe' added\nMode: realtime\n","syscheck":{"path":"/media/user/software/suspicious-file.exe","mode":"realtime","size_after":"68","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"xxxxxxxxxxxxxxxx","sha1_after":"xxxxxxxxxxxxx","sha256_after":"xxxxxxxxxxxxxxxxx","uname_after":"root","gname_after":"root","mtime_after":"2024-04-03T15:29:56","inode_after":6175941,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}
{"timestamp":"2024-04-03T15:29:58.108+0000","rule":{"level":12,"description":"VirusTotal: Alert - /media/user/software/suspicious-file.exe - 66 engines detected this file","id":"87105","mitre":{"id":["T1203"],"tactic":["Execution"],"technique":["Exploitation for Client Execution"]},"firedtimes":2,"mail":true,"groups":["virustotal"],"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"000","name":"wazuh-master"},"manager":{"name":"wazuh-master"},"id":"xxxxxxxxxxxx","cluster":{"name":"wazuh","node":"master-node"},"decoder":{"name":"json"},"data":{"virustotal":{"found":"1","malicious":"1","source":{"alert_id":"xxxxxxxxx","file":"/media/user/software/suspicious-file.exe","md5":"xxxxxxxxxxxxxxxxxxxx","sha1":"xxxxxxxxxxxxxxxxxxxxx"},"sha1":"xxxxxxxxxxxxxxx","scan_date":"1712157832","positives":"66","total":"66","permalink":"https://www.virustotal.com/gui/file/44d88612fea8a8f36de82e1278abb02f/detection"},"integration":"virustotal"},"location":"virustotal"}
root@wazuh-master:/media/user/software# cat /var/ossec/logs/integrations.log | grep virustotal
/tmp/virustotal-1712158186--1175995037.alert 80c5axxxx254709f36b11a55606de5a2af2458f5f564eccd9b0627f5f7986 10 3
/tmp/virustotal-1712158196-683354059.alert 80c5axxxxx54709f36b11a55606de5a2af2458f5f564eccd9b0627f5f7986 10 3
The tests were also modified for their correct functioning.
(unittest-env) wazuh@javier:~/Git/wazuh$ PYTHONPATH=/home/wazuh/Git/wazuh/api:/home/wazuh/Git/wazuh/framework python3 -m pytest integrations/tests/test_virustotal.py -v
=========================================================================================== test session starts ============================================================================================
platform linux -- Python 3.10.12, pytest-7.3.1, pluggy-1.4.0 -- /home/wazuh/venv/unittest-env/bin/python3
cachedir: .pytest_cache
metadata: {'Python': '3.10.12', 'Platform': 'Linux-6.5.0-17-generic-x86_64-with-glibc2.35', 'Packages': {'pytest': '7.3.1', 'pluggy': '1.4.0'}, 'Plugins': {'anyio': '4.3.0', 'aiohttp': '1.0.4', 'trio': '0.8.0', 'html': '2.1.1', 'metadata': '3.1.0', 'asyncio': '0.18.1', 'tavern': '1.23.5'}}
rootdir: /home/wazuh/Git/wazuh/integrations
configfile: pytest.ini
plugins: anyio-4.3.0, aiohttp-1.0.4, trio-0.8.0, html-2.1.1, metadata-3.1.0, asyncio-0.18.1, tavern-1.23.5
asyncio: mode=auto
collected 22 items
integrations/tests/test_virustotal.py::test_main_bad_arguments_exit PASSED [ 4%]
integrations/tests/test_virustotal.py::test_main_exception PASSED [ 9%]
integrations/tests/test_virustotal.py::test_main PASSED [ 13%]
integrations/tests/test_virustotal.py::test_process_args_exit[FileNotFoundError-6] PASSED [ 18%]
integrations/tests/test_virustotal.py::test_process_args_exit[side_effect1-7] PASSED [ 22%]
integrations/tests/test_virustotal.py::test_process_args PASSED [ 27%]
integrations/tests/test_virustotal.py::test_process_args_not_sending_message PASSED [ 31%]
integrations/tests/test_virustotal.py::test_debug PASSED [ 36%]
integrations/tests/test_virustotal.py::test_send_msg_raise_exception PASSED [ 40%]
integrations/tests/test_virustotal.py::test_send_msg PASSED [ 45%]
integrations/tests/test_virustotal.py::test_request_virustotal_info_md5_after_check_fail_1 PASSED [ 50%]
integrations/tests/test_virustotal.py::test_request_virustotal_info_md5_after_check_fail_2 PASSED [ 54%]
integrations/tests/test_virustotal.py::test_request_virustotal_info_md5_after_check_fail_3 PASSED [ 59%]
integrations/tests/test_virustotal.py::test_request_virustotal_info_md5_after_check_fail_4 PASSED [ 63%]
integrations/tests/test_virustotal.py::test_request_virustotal_info_md5_after_check_fail_5 PASSED [ 68%]
integrations/tests/test_virustotal.py::test_request_virustotal_info_md5_after_check_fail_6 PASSED [ 72%]
integrations/tests/test_virustotal.py::test_request_virustotal_info_md5_after_check_fail_7 PASSED [ 77%]
integrations/tests/test_virustotal.py::test_request_virustotal_info_md5_after_check_fail_8 PASSED [ 81%]
integrations/tests/test_virustotal.py::test_request_virustotal_info_md5_after_check_ok PASSED [ 86%]
integrations/tests/test_virustotal.py::test_request_info_from_api_exception PASSED [ 90%]
integrations/tests/test_virustotal.py::test_request_info_from_api_timeout_and_retries_expired PASSED [ 95%]
integrations/tests/test_virustotal.py::test_request_info_from_api_timeout_and_retries_not_expired PASSED [100%]
============================================================================================ 22 passed in 0.12s ===========================================================================================
The related documentation needs to be updated.
Update
- I'm still debugging and looking for information on how errors are handled with VirusTotal v3, due to the following:
- When the credentials are correct, the VirusTotal v3 API successfully handles malicious files:
Alert created when the scanned file was found and identified by the database as malware:
{"timestamp":"2024-04-04T12:57:29.670+0000","rule":{"level":12,"description":"VirusTotal: Alert - /media/user/software/suspicious-file.exe - 65 engines detected this file","id":"87105","mitre":{"id":["T1203"],"tactic":["Execution"],"technique":["Exploitation for Client Execution"]},"firedtimes":1,"mail":true,"groups":["virustotal"],"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"000","name":"wazuh-master"},"manager":{"name":"wazuh-master"},"id":"xxxxxxx","cluster":{"name":"wazuh","node":"master-node"},"decoder":{"name":"json"},"data":{"virustotal":{"found":"1","malicious":"1","source":{"alert_id":"1712235447.702063","file":"/media/user/software/suspicious-file.exe","md5":"xxxxxxx","sha1":"xxxxxxxx"},"sha1":"xxxxxx","scan_date":"1712235074","positives":"65","total":"65","permalink":"https://www.virustotal.com/gui/file/44d88612fea8a8f36de82e1278abb02f/detection"},"integration":"virustotal"},"location":"virustotal"}
"VirusTotal: Alert - /media/user/software/suspicious-file.exe - 65 engines detected this file"
Alert created when there are no threat records in the VirusTotal database:
{"timestamp":"2024-04-04T12:52:02.470+0000","rule":{"level":3,"description":"VirusTotal: Alert - /media/user/software/suspicious-file.exe - No positives found","id":"87104","firedtimes":1,"mail":false,"groups":["virustotal"]},"agent":{"id":"000","name":"wazuh-master"},"manager":{"name":"wazuh-master"},"id":"1712235122.698160","cluster":{"name":"wazuh","node":"master-node"},"decoder":{"name":"json"},"data":{"virustotal":{"found":"1","malicious":"0","source":{"alert_id":"1712235120.697470","file":"/media/user/software/kkkk.txt","md5":"xxxxxxxx","sha1":"xxxxxx"},"sha1":"xxxxxxxx","scan_date":"1712234008","positives":"0","total":"0","permalink":"https://www.virustotal.com/gui/file/d41d8cd98f00b204e9800998ecf8427e/detection"},"integration":"virustotal"},"location":"virustotal"}
"VirusTotal: Alert - /media/user/software/suspicious-file.exe - No positives found"
Now, when the credentials are incorrect, it should display a message similar to the following:
{"timestamp":"2024-04-04T15:13:56.198+0000","rule":{"level":3,"description":"VirusTotal: Error: Check credentials","id":"87102","firedtimes":1,"mail":false,"groups":["virustotal"],"gdpr":["IV_35.7.d","IV_32.2"]},"agent":{"id":"000","name":"wazuh-master"},"manager":{"name":"wazuh-master"},"id":"1712243636.724220","cluster":{"name":"wazuh","node":"master-node"},"decoder":{"name":"json"},"data":{"virustotal":{"error":"403","description":"Error: Check credentials"},"integration":"virustotal"},"location":"virustotal"}
But this alert is not generated in alerts.json:
root@wazuh-master:/media/user/software# cat /var/ossec/logs/alerts/alerts.json | grep 'credentials'
In integrations.log:
# Error: VirusTotal credentials, required privileges error
# Request result from VT server: 1:virustotal:{"virustotal": {"error": 401, "description": "Error: Check credentials"}, "integration": "virustotal"}
Within integrations.log, it does show the error message about the credentials and the exception, but in alerts.json, the VirusTotal API log like the one shown before is not
Update
- The issue mentioned in the previous update has been resolved. It was verified that alerts are generated when VirusTotal credentials are incorrect and when the API has reached the established speed limit:
{"timestamp":"2024-04-05T12:47:12.339+0000","rule":{"level":3,"description":"VirusTotal: Error: Check credentials","id":"87102","firedtimes":2,"mail":false,"groups":["virustotal"],"gdpr":["IV_35.7.d","IV_32.2"]},"agent":{"id":"000","name":"wazuh-master"},"manager":{"name":"wazuh-master"},"id":"1712321232.669676","cluster":{"name":"wazuh","node":"master-node"},"decoder":{"name":"json"},"data":{"virustotal":{"error":"401","description":"Error: Check credentials"},"integration":"virustotal"},"location":"virustotal"}
- The only reference to the previous status code was changed to 401, because it is the one VirusTotal returns when an authentication error occurs.
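As an added example for this issue (it is not Wazuh's integrations/virustotal.py and not the code under review), the following Python models the two points worked through in the updates above: flattening a VirusTotal API v3 `files` object into the `found`/`malicious`/`positives`/`total`/`scan_date` fields that appear in the alerts, and turning the HTTP status codes the updates mention (401, 403, 429 for the rate limit, 404 for an unknown hash) into the `error`/`description` payload that rule 87102 matches. The `/api/v3/files/{hash}` endpoint and the `x-apikey` header are the real v3 interface; the sample alert, the response body, the engine counts and the 429/unknown-error description strings are this example's own constructions, not strings from the project.

```python
import json
import urllib.error
import urllib.request

# Added example for this issue, not Wazuh's integration script.
# Real v3 interface: GET /api/v3/files/{hash}, authenticated with the
# x-apikey header (v2 used an "apikey" query parameter instead).
VT_V3_FILES_URL = "https://www.virustotal.com/api/v3/files/{hash}"

# HTTP status -> (error, description) as carried in data.virustotal.
# Assumption: 401 and 403 are both reported as credential problems and
# 429 as quota exhaustion; the 429 text is this example's own wording.
ERROR_MAP = {
    401: ("401", "Error: Check credentials"),
    403: ("403", "Error: Check credentials"),
    429: ("429", "Error: Public API request rate limit reached"),
}


def query_v3(file_hash, api_key, timeout=10):
    """Return (http_status, parsed_body) for a v3 file lookup.

    Error responses are returned rather than raised so the caller can map
    them to an alert. Needs network access; not exercised by the demo below.
    """
    req = urllib.request.Request(
        VT_V3_FILES_URL.format(hash=file_hash),
        headers={"x-apikey": api_key, "accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def v3_to_wazuh(alert, status, body):
    """Flatten a v3 response (or an error status) into the integration payload."""
    syscheck = alert.get("syscheck", {})
    source = {"alert_id": alert.get("id"), "file": syscheck.get("path"),
              "md5": syscheck.get("md5_after"), "sha1": syscheck.get("sha1_after")}
    if status == 404:
        # v3 answers NotFoundError for a hash it has never seen (v2: response_code 0)
        return {"virustotal": {"found": 0, "malicious": 0, "source": source},
                "integration": "virustotal"}
    if status != 200:
        code, desc = ERROR_MAP.get(status, (str(status), "Error: Unknown API error"))
        return {"virustotal": {"error": code, "description": desc},
                "integration": "virustotal"}
    attrs = body["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    positives = stats.get("malicious", 0)
    # v2's "total" counted every engine that scanned the file; in v3 that is
    # the sum of all last_analysis_stats buckets.
    total = sum(stats.get(k, 0) for k in
                ("harmless", "malicious", "suspicious", "undetected", "timeout"))
    return {"virustotal": {
                "found": 1, "malicious": 1 if positives > 0 else 0, "source": source,
                "sha1": attrs.get("sha1"),
                "scan_date": attrs.get("last_analysis_date"),  # unix time, as in v2
                "positives": positives, "total": total,
                "permalink": f"https://www.virustotal.com/gui/file/{source['md5']}/detection"},
            "integration": "virustotal"}


def socket_message(payload):
    """Wire format written to the analysisd queue, as seen in integrations.log."""
    return "1:virustotal:" + json.dumps(payload)


# Constructed sample input: the syscheck alert shape from this issue (EICAR
# hashes) and a v3-shaped response with made-up engine counts.
SAMPLE_ALERT = {"id": "1715706574.668671", "syscheck": {
    "path": "/media/user/software/suspicious-file.exe",
    "md5_after": "44d88612fea8a8f36de82e1278abb02f",
    "sha1_after": "3395856ce81f2b7382dee72602f798b642f14140",
    "sha256_after": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"}}
SAMPLE_V3_BODY = {"data": {"type": "file", "id": SAMPLE_ALERT["syscheck"]["sha256_after"],
    "attributes": {"sha1": SAMPLE_ALERT["syscheck"]["sha1_after"],
                   "last_analysis_date": 1715705383,
                   "last_analysis_stats": {"harmless": 0, "malicious": 67, "suspicious": 0,
                                           "undetected": 3, "timeout": 0}}}}

if __name__ == "__main__":
    for status, body in ((200, SAMPLE_V3_BODY), (401, {}), (404, {}), (429, {})):
        print(status, socket_message(v3_to_wazuh(SAMPLE_ALERT, status, body)))
```

The point of separating `query_v3` from `v3_to_wazuh` is the failure mode described in the updates: when an HTTP error is raised and swallowed before the payload is built, nothing is written to the queue and alerts.json stays silent even though integrations.log shows the exception. Returning the status and building an error payload for every non-200 response keeps rule 87102 firing.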
Update
- The mentioned errors regarding the VirusTotal integration were investigated.
- I tested the integration on the issue's open branch, 4.8.0, 4.9.0 and master (5.0.0). None of the mentioned failures were found, and it seems that everything is working perfectly.
- Here are the steps followed to verify its operation:
- The VirusTotal integration and the following syscheck were added to /var/ossec/etc/ossec.conf:
<integration>
<name>virustotal</name>
<api_key>xxxxxxxxxxxxxxx</api_key> <!-- Replace with your VirusTotal API key -->
<group>syscheck</group>
<alert_format>json</alert_format>
</integration>
<directories check_all="yes" realtime="yes">/media/user/software</directories>
- I changed to debug=2 in /var/ossec/etc/internal_options.conf for integrator.debug and wazuh_modules.debug
- I created the directory to be monitored: mkdir -p /media/user/software/
- I restarted the Wazuh server
- Once restarted, I added a malicious file:
curl -Lo /media/user/software/suspicious-file.exe https://secure.eicar.org/eicar.com
These previous steps were carried out the same in all the branches that were checked. Below are the results for each of them:
Branch of the issue
root@wazuh-master:/# var/ossec/bin/wazuh-control info
WAZUH_VERSION="v5.0.0"
WAZUH_REVISION="50000"
WAZUH_TYPE="server"
root@wazuh-master:/# grep -i 'error' /var/ossec/logs/integrations.log
root@wazuh-master:/# grep -i 'error' /var/ossec/logs/ossec.log
root@wazuh-master:/# grep -i 'ERROR: Exit status was: 1' /var/ossec/logs/ossec.log
root@wazuh-master:/# grep -i 'virustotal' /var/ossec/logs/ossec.log
2024/05/14 17:07:12 wazuh-integratord: INFO: Enabling integration for: 'virustotal'.
2024/05/14 17:09:21 wazuh-integratord[6573] integrator.c:143 at OS_IntegratorD(): INFO: Enabling integration for: 'virustotal'.
2024/05/14 17:09:35 wazuh-integratord[6573] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/virustotal-1715706575-1788759073.alert was written.
2024/05/14 17:09:35 wazuh-integratord[6573] integrator.c:444 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/virustotal-1715706575-1788759073.alert 80c5aebc8358254709f36b11a55606de5a2af2458f5f564eccd9b0627f5f7986 debug 10 3
2024/05/14 17:09:36 wazuh-integratord[6573] integrator.c:453 at OS_IntegratorD(): DEBUG: # Running VirusTotal script
2024/05/14 17:09:36 wazuh-integratord[6573] integrator.c:453 at OS_IntegratorD(): DEBUG: # Opening alert file at '/tmp/virustotal-1715706575-1788759073.alert' with '{'timestamp': '2024-05-14T17:09:34.414+0000', 'rule': {'level': 5, 'description': 'File added to the system.', 'id': '554', 'firedtimes': 1, 'mail': False, 'groups': ['ossec', 'syscheck', 'syscheck_entry_added', 'syscheck_file'], 'pci_dss': ['11.5'], 'gpg13': ['4.11'], 'gdpr': ['II_5.1.f'], 'hipaa': ['164.312.c.1', '164.312.c.2'], 'nist_800_53': ['SI.7'], 'tsc': ['PI1.4', 'PI1.5', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'wazuh-master'}, 'manager': {'name': 'wazuh-master'}, 'id': 'xxxxxxx', 'cluster': {'name': 'wazuh', 'node': 'master-node'}, 'full_log': "File '/media/user/software/suspicious-file.exe' added\nMode: realtime\n", 'syscheck': {'path': '/media/user/software/suspicious-file.exe', 'mode': 'realtime', 'size_after': '68', 'perm_after': 'rw-r--r--', 'uid_after': '0', 'gid_after': '0', 'md5_after': 'xxxxxxxxxxxx', 'sha1_after': 'xxxxxxxxxxxxxxxx', 'sha256_after': 'xxxxxxxxxxxxxxxxxxxx', 'uname_after': 'root', 'gname_after': 'root', 'mtime_after': '2024-05-14T17:09:34', 'inode_after': 532010, 'event': 'added'}, 'decoder': {'name': 'syscheck_new_entry'}, 'location': 'syscheck'}'
2024/05/14 17:09:36 wazuh-integratord[6573] integrator.c:453 at OS_IntegratorD(): DEBUG: # Requesting VirusTotal information
2024/05/14 17:09:36 wazuh-integratord[6573] integrator.c:453 at OS_IntegratorD(): DEBUG: # Querying VirusTotal API
2024/05/14 17:09:36 wazuh-integratord[6573] integrator.c:453 at OS_IntegratorD(): DEBUG: # Request result from VT server: 1:virustotal:{"virustotal": {"found": 1, "malicious": 1, "source": {"alert_id": "1715706574.668671", "file": "/media/user/software/suspicious-file.exe", "md5": "xxxxxxxxxxxxxxxx", "sha1": "xxxxxxxxxxxxxxxxxxxxxx"}, "sha1": "xxxxxxxxxxxxxxxxxxx", "scan_date": 1715705383, "positives": 67, "total": 67, "permalink": "https://www.virustotal.com/gui/file/44d88612fea8a8f36de82e1278abb02f/detection"}, "integration": "virustotal"}
root@wazuh-master:/# grep -i 'virustotal' /var/ossec/logs/integrations.log
/tmp/virustotal-1715706575-1788759073.alert xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx debug 10 3
# Running VirusTotal script
# Opening alert file at '/tmp/virustotal-1715706575-1788759073.alert' with '{'timestamp': '2024-05-14T17:09:34.414+0000', 'rule': {'level': 5, 'description': 'File added to the system.', 'id': '554', 'firedtimes': 1, 'mail': False, 'groups': ['ossec', 'syscheck', 'syscheck_entry_added', 'syscheck_file'], 'pci_dss': ['11.5'], 'gpg13': ['4.11'], 'gdpr': ['II_5.1.f'], 'hipaa': ['164.312.c.1', '164.312.c.2'], 'nist_800_53': ['SI.7'], 'tsc': ['PI1.4', 'PI1.5', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'wazuh-master'}, 'manager': {'name': 'wazuh-master'}, 'id': 'xxxxxx.668671', 'cluster': {'name': 'wazuh', 'node': 'master-node'}, 'full_log': "File '/media/user/software/suspicious-file.exe' added\nMode: realtime\n", 'syscheck': {'path': '/media/user/software/suspicious-file.exe', 'mode': 'realtime', 'size_after': '68', 'perm_after': 'rw-r--r--', 'uid_after': '0', 'gid_after': '0', 'md5_after': 'xxxxxxxxxxxxx', 'sha1_after': 'xxxxxxxxxxxxxx', 'sha256_after': 'xxxxxxxxxxxxxxxx', 'uname_after': 'root', 'gname_after': 'root', 'mtime_after': '2024-05-14T17:09:34', 'inode_after': 532010, 'event': 'added'}, 'decoder': {'name': 'syscheck_new_entry'}, 'location': 'syscheck'}'
# Requesting VirusTotal information
# Querying VirusTotal API
# Request result from VT server: 1:virustotal:{"virustotal": {"found": 1, "malicious": 1, "source": {"alert_id": "1715706574.668671", "file": "/media/user/software/suspicious-file.exe", "md5": "44d88612fea8a8f36de82e1278abb02f", "sha1": "xxxxxxxxxxxxxxxxxx"}, "sha1": "xxxxxxxxxxxxxxxxxxxx", "scan_date": 1715705383, "positives": 67, "total": 67, "permalink": "https://www.virustotal.com/gui/file/44d88612fea8a8f36de82e1278abb02f/detection"}, "integration": "virustotal"}
4.8.0
root@wazuh-master:/# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40810"
WAZUH_TYPE="server"
root@wazuh-master:/# grep -i 'error' /var/ossec/logs/integrations.log
root@wazuh-master:/# grep -i 'error' /var/ossec/logs/ossec.log
root@wazuh-master:/# grep -i 'ERROR: Exit status was: 1' /var/ossec/logs/ossec.log
root@wazuh-master:/# grep -i 'virustotal' /var/ossec/logs/ossec.log
2024/05/14 16:05:07 wazuh-integratord[14414] integrator.c:143 at OS_IntegratorD(): INFO: Enabling integration for: 'virustotal'.
2024/05/14 16:05:35 wazuh-integratord[14414] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/virustotal-1715702735--159918011.alert was written.
2024/05/14 16:05:35 wazuh-integratord[14414] integrator.c:444 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/virustotal-1715702735--159918011.alert 80c5aebc8358254709f36b11a55606de5a2af2458f5f564eccd9b0627f5f7986 debug 10 3
2024/05/14 16:05:36 wazuh-integratord[14414] integrator.c:453 at OS_IntegratorD(): DEBUG: # Running VirusTotal script
2024/05/14 16:05:36 wazuh-integratord[14414] integrator.c:453 at OS_IntegratorD(): DEBUG: # Opening alert file at '/tmp/virustotal-1715702735--159918011.alert' with '{'timestamp': '2024-05-14T16:05:35.033+0000', 'rule': {'level': 5, 'description': 'File added to the system.', 'id': '554', 'firedtimes': 1, 'mail': False, 'groups': ['ossec', 'syscheck', 'syscheck_entry_added', 'syscheck_file'], 'pci_dss': ['11.5'], 'gpg13': ['4.11'], 'gdpr': ['II_5.1.f'], 'hipaa': ['164.312.c.1', '164.312.c.2'], 'nist_800_53': ['SI.7'], 'tsc': ['PI1.4', 'PI1.5', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'wazuh-master'}, 'manager': {'name': 'wazuh-master'}, 'id': 'xxxxxx.667138', 'cluster': {'name': 'wazuh', 'node': 'master-node'}, 'full_log': "File '/media/user/software/suspicious-file.exe' added\nMode: realtime\n", 'syscheck': {'path': '/media/user/software/suspicious-file.exe', 'mode': 'realtime', 'size_after': '68', 'perm_after': 'rw-r--r--', 'uid_after': '0', 'gid_after': '0', 'md5_after': 'xxxxxxxxxxxxxxx', 'sha1_after': 'xxxxxxxxxxxxxx', 'sha256_after': 'xxxxxxxxxxxxxxxx', 'uname_after': 'root', 'gname_after': 'root', 'mtime_after': '2024-05-14T16:05:35', 'inode_after': 6329870, 'event': 'added'}, 'decoder': {'name': 'syscheck_new_entry'}, 'location': 'syscheck'}'
2024/05/14 16:05:36 wazuh-integratord[14414] integrator.c:453 at OS_IntegratorD(): DEBUG: # Requesting VirusTotal information
2024/05/14 16:05:36 wazuh-integratord[14414] integrator.c:453 at OS_IntegratorD(): DEBUG: # Querying VirusTotal API
2024/05/14 16:05:36 wazuh-integratord[14414] integrator.c:453 at OS_IntegratorD(): DEBUG: # Request result from VT server: 1:virustotal:{"virustotal": {"found": 1, "malicious": 1, "source": {"alert_id": "xxxxxx.667138", "file": "/media/user/software/suspicious-file.exe", "md5": "xxxxxxxxxxxxxxxx", "sha1": "xxxxxxxxxxxxxxxxxxxxx"}, "sha1": "xxxxxxxxxxxxxxxxxxxx", "scan_date": 1715701258, "positives": 60, "total": 60, "permalink": "https://www.virustotal.com/gui/file/44d88612fea8a8f36de82e1278abb02f/detection"}, "integration": "virustotal"}
root@wazuh-master:/# grep -i 'virustotal' /var/ossec/logs/integrations.log
/tmp/virustotal-1715702735--159918011.alert 80c5aebc8358254709f36b11a55606de5a2af2458f5f564eccd9b0627f5f7986 debug 10 3
# Running VirusTotal script
# Opening alert file at '/tmp/virustotal-1715702735--159918011.alert' with '{'timestamp': '2024-05-14T16:05:35.033+0000', 'rule': {'level': 5, 'description': 'File added to the system.', 'id': '554', 'firedtimes': 1, 'mail': False, 'groups': ['ossec', 'syscheck', 'syscheck_entry_added', 'syscheck_file'], 'pci_dss': ['11.5'], 'gpg13': ['4.11'], 'gdpr': ['II_5.1.f'], 'hipaa': ['164.312.c.1', '164.312.c.2'], 'nist_800_53': ['SI.7'], 'tsc': ['PI1.4', 'PI1.5', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'wazuh-master'}, 'manager': {'name': 'wazuh-master'}, 'id': '1715702735.667138', 'cluster': {'name': 'wazuh', 'node': 'master-node'}, 'full_log': "File '/media/user/software/suspicious-file.exe' added\nMode: realtime\n", 'syscheck': {'path': '/media/user/software/suspicious-file.exe', 'mode': 'realtime', 'size_after': '68', 'perm_after': 'rw-r--r--', 'uid_after': '0', 'gid_after': '0', 'md5_after': 'xxxxxxxxxxxxxxxxxx', 'sha1_after': '3395856ce81f2b7382dee72602f798b642f14140', 'sha256_after': 'xxxxxxxxxxxxxxxx', 'uname_after': 'root', 'gname_after': 'root', 'mtime_after': '2024-05-14T16:05:35', 'inode_after': 6329870, 'event': 'added'}, 'decoder': {'name': 'syscheck_new_entry'}, 'location': 'syscheck'}'
# Requesting VirusTotal information
# Querying VirusTotal API
# Request result from VT server: 1:virustotal:{"virustotal": {"found": 1, "malicious": 1, "source": {"alert_id": "xxxxxxxx.667138", "file": "/media/user/software/suspicious-file.exe", "md5": "xxxxxxxxxxx", "sha1": "xxxxxxxxxxxxxxxxxxxx"}, "sha1": "xxxxxxxxxxxxxxxxxxxxxx", "scan_date": 1715701258, "positives": 60, "total": 60, "permalink": "https://www.virustotal.com/gui/file/44d88612fea8a8f36de82e1278abb02f/detection"}, "integration": "virustotal"}
4.9.0
root@wazuh-master:/# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.9.0"
WAZUH_REVISION="40900"
WAZUH_TYPE="server"
root@wazuh-master:/# grep -i 'error' /var/ossec/logs/integrations.log
root@wazuh-master:/# grep -i 'error' /var/ossec/logs/ossec.log
root@wazuh-master:/# grep -i 'ERROR: Exit status was: 1' /var/ossec/logs/ossec.log
root@wazuh-master:/# grep -i 'virustotal' /var/ossec/logs/ossec.log
2024/05/14 16:36:27 wazuh-integratord[7515] integrator.c:143 at OS_IntegratorD(): INFO: Enabling integration for: 'virustotal'.
2024/05/14 16:36:34 wazuh-integratord[14055] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/virustotal-1715704594-1898674172.alert was written.
2024/05/14 16:36:34 wazuh-integratord[14055] integrator.c:444 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/virustotal-1715704594-1898674172.alert 80c5aebc8358254709f36b11a55606de5a2af2458f5f564eccd9b0627f5f7986 debug 10 3
2024/05/14 16:36:36 wazuh-integratord[14055] integrator.c:453 at OS_IntegratorD(): DEBUG: # Running VirusTotal script
2024/05/14 16:36:36 wazuh-integratord[14055] integrator.c:453 at OS_IntegratorD(): DEBUG: # Opening alert file at '/tmp/virustotal-1715704594-1898674172.alert' with '{'timestamp': '2024-05-14T16:36:33.815+0000', 'rule': {'level': 5, 'description': 'File added to the system.', 'id': '554', 'firedtimes': 1, 'mail': False, 'groups': ['ossec', 'syscheck', 'syscheck_entry_added', 'syscheck_file'], 'pci_dss': ['11.5'], 'gpg13': ['4.11'], 'gdpr': ['II_5.1.f'], 'hipaa': ['164.312.c.1', '164.312.c.2'], 'nist_800_53': ['SI.7'], 'tsc': ['PI1.4', 'PI1.5', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'wazuh-master'}, 'manager': {'name': 'wazuh-master'}, 'id': 'xxxxxxxxxxxxx.672317', 'cluster': {'name': 'wazuh', 'node': 'master-node'}, 'full_log': "File '/media/user/software/suspicious-file.exe' added\nMode: realtime\n", 'syscheck': {'path': '/media/user/software/suspicious-file.exe', 'mode': 'realtime', 'size_after': '68', 'perm_after': 'rw-r--r--', 'uid_after': '0', 'gid_after': '0', 'md5_after': 'xxxxxxxxxxxxx', 'sha1_after': 'xxxxxxxxxxxxx', 'sha256_after': 'xxxxxxxxxxxxxxxxx', 'uname_after': 'root', 'gname_after': 'root', 'mtime_after': '2024-05-14T16:36:33', 'inode_after': 146261, 'event': 'added'}, 'decoder': {'name': 'syscheck_new_entry'}, 'location': 'syscheck'}'
2024/05/14 16:36:36 wazuh-integratord[14055] integrator.c:453 at OS_IntegratorD(): DEBUG: # Requesting VirusTotal information
2024/05/14 16:36:36 wazuh-integratord[14055] integrator.c:453 at OS_IntegratorD(): DEBUG: # Querying VirusTotal API
2024/05/14 16:36:36 wazuh-integratord[14055] integrator.c:453 at OS_IntegratorD(): DEBUG: # Request result from VT server: 1:virustotal:{"virustotal": {"found": 1, "malicious": 1, "source": {"alert_id": "xxxxxxxxxxxxxxxxx.672317", "file": "/media/user/software/suspicious-file.exe", "md5": "xxxxxxxxxxxxxxxxxx", "sha1": "xxxxxxxxxxxxxx"}, "sha1": "xxxxxxxxxxxxx", "scan_date": 1715703145, "positives": 62, "total": 62, "permalink": "https://www.virustotal.com/gui/file/44d88612fea8a8f36de82e1278abb02f/detection"}, "integration": "virustotal"}
root@wazuh-master:/# grep -i 'virustotal' /var/ossec/logs/integrations.log
/tmp/virustotal-1715704594-1898674172.alert 80c5aebc8358254709f36b11a55606de5a2af2458f5f564eccd9b0627f5f7986 debug 10 3
# Running VirusTotal script
# Opening alert file at '/tmp/virustotal-1715704594-1898674172.alert' with '{'timestamp': '2024-05-14T16:36:33.815+0000', 'rule': {'level': 5, 'description': 'File added to the system.', 'id': '554', 'firedtimes': 1, 'mail': False, 'groups': ['ossec', 'syscheck', 'syscheck_entry_added', 'syscheck_file'], 'pci_dss': ['11.5'], 'gpg13': ['4.11'], 'gdpr': ['II_5.1.f'], 'hipaa': ['164.312.c.1', '164.312.c.2'], 'nist_800_53': ['SI.7'], 'tsc': ['PI1.4', 'PI1.5', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'wazuh-master'}, 'manager': {'name': 'wazuh-master'}, 'id': 'xxxxxxxxxxxxxx.672317', 'cluster': {'name': 'wazuh', 'node': 'master-node'}, 'full_log': "File '/media/user/software/suspicious-file.exe' added\nMode: realtime\n", 'syscheck': {'path': '/media/user/software/suspicious-file.exe', 'mode': 'realtime', 'size_after': '68', 'perm_after': 'rw-r--r--', 'uid_after': '0', 'gid_after': '0', 'md5_after': 'xxxxxxxxxxxxx', 'sha1_after': 'xxxxxxxxxxxxxxxxxx', 'sha256_after': 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx', 'uname_after': 'root', 'gname_after': 'root', 'mtime_after': '2024-05-14T16:36:33', 'inode_after': 146261, 'event': 'added'}, 'decoder': {'name': 'syscheck_new_entry'}, 'location': 'syscheck'}'
# Requesting VirusTotal information
# Querying VirusTotal API
# Request result from VT server: 1:virustotal:{"virustotal": {"found": 1, "malicious": 1, "source": {"alert_id": "xxxxxxxxxxxxxx.672317", "file": "/media/user/software/suspicious-file.exe", "md5": "xxxxxxxxxxxxxxxxxxx", "sha1": "xxxxxxxxxxxxxxxxxxxxxxxx"}, "sha1": "xxxxxxxxxxxxxxxxxxxxxx", "scan_date": 1715703145, "positives": 62, "total": 62, "permalink": "https://www.virustotal.com/gui/file/44d88612fea8a8f36de82e1278abb02f/detection"}, "integration": "virustotal"}
master(5.0.0)
root@wazuh-master:/# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v5.0.0"
WAZUH_REVISION="50000"
WAZUH_TYPE="server"
root@wazuh-master:/# grep -i 'error' /var/ossec/logs/integrations.log
root@wazuh-master:/# grep -i 'error' /var/ossec/logs/ossec.log
root@wazuh-master:/# grep -i 'ERROR: Exit status was: 1' /var/ossec/logs/ossec.log
root@wazuh-master:/# grep -i 'virustotal' /var/ossec/logs/ossec.log
2024/05/14 16:56:00 wazuh-integratord[5749] integrator.c:143 at OS_IntegratorD(): INFO: Enabling integration for: 'virustotal'.
2024/05/14 16:56:22 wazuh-integratord[5749] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/virustotal-1715705782-1140879432.alert was written.
2024/05/14 16:56:22 wazuh-integratord[5749] integrator.c:444 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/virustotal-1715705782-1140879432.alert 80c5aebc8358254709f36b11a55606de5a2af2458f5f564eccd9b0627f5f7986 debug 10 3
2024/05/14 16:56:22 wazuh-integratord[5749] integrator.c:453 at OS_IntegratorD(): DEBUG: # Running VirusTotal script
2024/05/14 16:56:22 wazuh-integratord[5749] integrator.c:453 at OS_IntegratorD(): DEBUG: # Opening alert file at '/tmp/virustotal-1715705782-1140879432.alert' with '{'timestamp': '2024-05-14T16:56:21.266+0000', 'rule': {'level': 5, 'description': 'File added to the system.', 'id': '554', 'firedtimes': 1, 'mail': False, 'groups': ['ossec', 'syscheck', 'syscheck_entry_added', 'syscheck_file'], 'pci_dss': ['11.5'], 'gpg13': ['4.11'], 'gdpr': ['II_5.1.f'], 'hipaa': ['164.312.c.1', '164.312.c.2'], 'nist_800_53': ['SI.7'], 'tsc': ['PI1.4', 'PI1.5', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'wazuh-master'}, 'manager': {'name': 'wazuh-master'}, 'id': 'xxxxxxxxxxxxxxxxxx.667540', 'cluster': {'name': 'wazuh', 'node': 'master-node'}, 'full_log': "File '/media/user/software/suspicious-file.exe' added\nMode: realtime\n", 'syscheck': {'path': '/media/user/software/suspicious-file.exe', 'mode': 'realtime', 'size_after': '68', 'perm_after': 'rw-r--r--', 'uid_after': '0', 'gid_after': '0', 'md5_after': 'xxxxxxxxxxxxxxxxxxxx', 'sha1_after': 'xxxxxxxxxxxxxxxxxxx', 'sha256_after': 'xxxxxxxxxxxxxxxxxxxxxx', 'uname_after': 'root', 'gname_after': 'root', 'mtime_after': '2024-05-14T16:56:21', 'inode_after': 321758, 'event': 'added'}, 'decoder': {'name': 'syscheck_new_entry'}, 'location': 'syscheck'}'
2024/05/14 16:56:22 wazuh-integratord[5749] integrator.c:453 at OS_IntegratorD(): DEBUG: # Requesting VirusTotal information
2024/05/14 16:56:22 wazuh-integratord[5749] integrator.c:453 at OS_IntegratorD(): DEBUG: # Querying VirusTotal API
2024/05/14 16:56:22 wazuh-integratord[5749] integrator.c:453 at OS_IntegratorD(): DEBUG: # Request result from VT server: 1:virustotal:{"virustotal": {"found": 1, "malicious": 1, "source": {"alert_id": "1715705781.667540", "file": "/media/user/software/suspicious-file.exe", "md5": "xxxxxxxxxxxxxxxxxxxxxxxx", "sha1": "xxxxxxxxxxxxxxxxxxxxxxx"}, "sha1": "xxxxxxxxxxxxxxx", "scan_date": 1715705383, "positives": 67, "total": 67, "permalink": "https://www.virustotal.com/gui/file/44d88612fea8a8f36de82e1278abb02f/detection"}, "integration": "virustotal"}
root@wazuh-master:/# grep -i 'virustotal' /var/ossec/logs/integrations.log
/tmp/virustotal-1715705782-1140879432.alert 80c5aebc8358254709f36b11a55606de5a2af2458f5f564eccd9b0627f5f7986 debug 10 3
# Running VirusTotal script
# Opening alert file at '/tmp/virustotal-1715705782-1140879432.alert' with '{'timestamp': '2024-05-14T16:56:21.266+0000', 'rule': {'level': 5, 'description': 'File added to the system.', 'id': '554', 'firedtimes': 1, 'mail': False, 'groups': ['ossec', 'syscheck', 'syscheck_entry_added', 'syscheck_file'], 'pci_dss': ['11.5'], 'gpg13': ['4.11'], 'gdpr': ['II_5.1.f'], 'hipaa': ['164.312.c.1', '164.312.c.2'], 'nist_800_53': ['SI.7'], 'tsc': ['PI1.4', 'PI1.5', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'wazuh-master'}, 'manager': {'name': 'wazuh-master'}, 'id': 'xxxxxxxxxxxxxxxxxx.667540', 'cluster': {'name': 'wazuh', 'node': 'master-node'}, 'full_log': "File '/media/user/software/suspicious-file.exe' added\nMode: realtime\n", 'syscheck': {'path': '/media/user/software/suspicious-file.exe', 'mode': 'realtime', 'size_after': '68', 'perm_after': 'rw-r--r--', 'uid_after': '0', 'gid_after': '0', 'md5_after': 'xxxxxxxxxxxxxxxxxxxx', 'sha1_after': 'xxxxxxxxxxxxxxxxxxxxxxxx', 'sha256_after': 'xxxxxxxxxxxxxxxxxxxxxx', 'uname_after': 'root', 'gname_after': 'root', 'mtime_after': '2024-05-14T16:56:21', 'inode_after': 321758, 'event': 'added'}, 'decoder': {'name': 'syscheck_new_entry'}, 'location': 'syscheck'}'
# Requesting VirusTotal information
# Querying VirusTotal API
# Request result from VT server: 1:virustotal:{"virustotal": {"found": 1, "malicious": 1, "source": {"alert_id": "xxxxxxxxxxxxxxxxxxxx.667540", "file": "/media/user/software/suspicious-file.exe", "md5": "xxxxxxxxxxxxxxxxx", "sha1": "xxxxxxxxxxxxxxxxxxxxxxxx"}, "sha1": "xxxxxxxxxxxxxxxxxxx", "scan_date": 1715705383, "positives": 67, "total": 67, "permalink": "https://www.virustotal.com/gui/file/44d88612fea8a8f36de82e1278abb02f/detection"}, "integration": "virustotal"}
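The debug lines above show the object the integration hands back to wazuh-integratord (`found`, `malicious`, `sha1`, `scan_date`, `positives`, `total`, `permalink`, wrapped as `1:virustotal:<json>`), but not how those fields are derived from a v3 response, which is the substance of the v2 to v3 move: v2's `file/report` returned `positives`, `total` and a string `scan_date` directly, while v3's `GET /api/v3/files/{hash}` returns a file object whose `last_analysis_stats` holds per-verdict counts and whose `last_analysis_date` is epoch seconds (the integer `scan_date` in the logs is consistent with that). The following is an added example, not the project's own `virustotal.py`: it builds the v3 request, maps a v3 response (or its `NotFoundError` body) onto the fields seen above, and serializes the message. The v3 field names and error code follow VirusTotal's published v3 API; the alert and the response bodies are constructed here, and which counters feed `total` and the threshold behind `malicious` are this example's choices, not necessarily the script's.

```python
import json

# Added example (not the wazuh project's virustotal.py): map a VirusTotal v3
# GET /api/v3/files/{hash} response onto the fields the integration emits in
# the debug logs above. All sample inputs below are constructed.

V3_BASE = "https://www.virustotal.com/api/v3"

# Constructed syscheck alert, trimmed to the fields the mapping reads.
# Hashes are the EICAR test file's published values.
SAMPLE_ALERT = {
    "id": "1715705781.667540",
    "syscheck": {
        "path": "/media/user/software/suspicious-file.exe",
        "md5_after": "44d88612fea8a8f36de82e1278abb02f",
        "sha1_after": "3395856ce81f2b7382dee72602f798b642f14140",
        "sha256_after": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
    },
}

# Constructed v3 "file object" response (field names follow the v3 API; the
# engine counts are invented, not the 62/62 or 67/67 seen in the logs above).
SAMPLE_V3_FOUND = {
    "data": {
        "type": "file",
        "id": SAMPLE_ALERT["syscheck"]["sha256_after"],
        "attributes": {
            "md5": SAMPLE_ALERT["syscheck"]["md5_after"],
            "sha1": SAMPLE_ALERT["syscheck"]["sha1_after"],
            "sha256": SAMPLE_ALERT["syscheck"]["sha256_after"],
            "last_analysis_date": 1715705383,
            "last_analysis_stats": {
                "harmless": 0, "malicious": 62, "suspicious": 0, "undetected": 5,
                "timeout": 0, "type-unsupported": 4, "failure": 0, "confirmed-timeout": 0,
            },
        },
    }
}

# Constructed v3 error body for a hash VirusTotal has never seen (HTTP 404).
SAMPLE_V3_NOT_FOUND = {"error": {"code": "NotFoundError", "message": "File not found"}}


def v3_file_report_request(file_hash, api_key):
    """Build the v3 lookup without sending it: GET /files/{hash}, key in x-apikey.
    v2 carried the key as the apikey= query parameter, where it lands in URL and
    proxy logs; v3 moves it to a request header."""
    url = f"{V3_BASE}/files/{file_hash}"
    headers = {"x-apikey": api_key, "accept": "application/json"}
    return url, headers


def map_v3_report(alert, vt_response):
    """Translate a v3 response into the integration's output object."""
    sc = alert["syscheck"]
    out = {
        "virustotal": {
            "found": 0,
            "malicious": 0,
            "source": {"alert_id": alert["id"], "file": sc["path"],
                       "md5": sc["md5_after"], "sha1": sc["sha1_after"]},
        },
        "integration": "virustotal",
    }
    vt = out["virustotal"]

    if "error" in vt_response:
        code = vt_response["error"].get("code", "UnknownError")
        if code != "NotFoundError":
            # Quota, credentials, etc.: keep found=0 but make the failure
            # visible instead of silently reporting the file as unknown.
            vt["error"] = code
        return out

    attrs = vt_response["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    positives = stats.get("malicious", 0)
    # Denominator chosen for this example: engines that returned a verdict.
    # Timeouts, failures and unsupported-type results are left out.
    total = sum(stats.get(k, 0) for k in ("harmless", "malicious", "suspicious", "undetected"))

    vt["found"] = 1
    vt["malicious"] = 1 if positives > 0 else 0  # threshold is a deployment choice
    vt["sha1"] = attrs["sha1"]
    vt["scan_date"] = attrs["last_analysis_date"]  # epoch seconds, as v3 reports it
    vt["positives"] = positives
    vt["total"] = total
    vt["permalink"] = f"https://www.virustotal.com/gui/file/{sc['md5_after']}/detection"
    return out


def integration_message(alert, vt_response):
    """Serialize in the '1:virustotal:<json>' shape seen in the debug logs."""
    return "1:virustotal:" + json.dumps(map_v3_report(alert, vt_response))


if __name__ == "__main__":
    print(integration_message(SAMPLE_ALERT, SAMPLE_V3_FOUND))
    print(integration_message(SAMPLE_ALERT, SAMPLE_V3_NOT_FOUND))
```

Two caveats when reading logs like the ones above. Wazuh's integrator hands the configured `api_key` to the script as its second command-line argument, so with debug logging on it is echoed verbatim in the "Running script with args" lines; scrub those before pasting them into an issue. And a `NotFoundError` (hash unknown to VirusTotal) is the only v3 error that legitimately means `found: 0`; a quota or credential error should not be allowed to look like a clean result, which is why the example records the error code instead of dropping it.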
Reopening until docs are merged, since the issue was automatically closed when merging https://github.com/wazuh/wazuh/pull/22626