
Manual testing - Virus total integration #2970

Closed
14 tasks done
FrancoRivero opened this issue Jun 6, 2022 · 9 comments

Comments

@FrancoRivero

FrancoRivero commented Jun 6, 2022

| Related issue | Related PR |
|---|---|
| wazuh/wazuh#8199 | wazuh/wazuh#13531 |

Description

This issue aims to perform manual tests on the fix applied to the VirusTotal integration with Wazuh. As described in the related issue, a generated alert will now be read using UTF-16, and if it cannot be encoded it will be skipped and read the same way to detect all character types.

Test cases

The main test case is described in the pull request description (wazuh/wazuh#13531). Set the FIM module in real-time mode and configure the virustotal integration in the manager.

  • 4.3.4: Reproduce failure to Virus total integration.
    • Windows
    • Ubuntu
    • Centos
    • Macos
    • Solaris
  • 4.4.0: Test Virus total integration.
    • Windows
    • Ubuntu
    • Centos
    • Macos
    • Solaris
  • 4.3.4 to 4.4.0: Upgrade the Wazuh Manager and test Virus total integration.
    • Windows
@CamiRomero
Contributor

CamiRomero commented Jun 9, 2022

4.3.4: Reproduce failure to Virus total integration.

Package details

Test information

| Wazuh version | Wazuh revision | Component | Install type | Install method | Platform |
|---|---|---|---|---|---|
| 4.3.4 | 40316 | virustotal-scan | Manager | Packages | CentOS-8 |
| 4.3.4 | 40316 | virustotal-scan | Agent | Packages | Windows |
Reproduce failure in Virus total integration 🟢
  1. Edit the /var/ossec/etc/ossec.conf configuration on manager adding:

    <integration>
      <name>virustotal</name>
      <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
      <group>syscheck</group>
      <alert_format>json</alert_format>
    </integration>

  2. Edit the /var/ossec/etc/ossec.conf configuration on agent - Using FIM to monitor a directory:

    <directories check_all="yes" realtime="yes">DIRECTORY_TO_MONITOR</directories>

  3. Restart the agent and manager in order to apply the changes

  4. Create a file with a name that does not contain UTF-8 characters in the folder under scanning.

    Example name: tésting.txt

  5. We can see the below error in ossec.log:

    2022/06/03 14:57:05 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
    2022/06/03 14:57:05 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: UnicodeDecodeError: 'utf-8' codec can't decode byte 0xe9 in position 570: invalid continuation byte

    2022/06/03 14:57:05 wazuh-integratord: ERROR: Exit status was: 1

@CamiRomero
Contributor

CamiRomero commented Jun 10, 2022

4.4.0: Test Virus total integration

Package details

Test information

| Wazuh version | Wazuh revision | Component | Install type | Install method | Platform |
|---|---|---|---|---|---|
| 4.4.0 | 40400 | virustotal-scan | Manager | Packages | CentOS-8 |
| 4.4.0 | 40400 | virustotal-scan | Agent | Packages | Windows |
Test Virus total integration 🔴
  1. Edit the /var/ossec/etc/ossec.conf configuration on manager adding:

    <integration>
      <name>virustotal</name>
      <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
      <group>syscheck</group>
      <alert_format>json</alert_format>
    </integration>

  2. Edit the /var/ossec/etc/ossec.conf configuration on agent - Using FIM to monitor a directory:

    <directories check_all="yes" realtime="yes">DIRECTORY_TO_MONITOR</directories>

  3. Restart the agent and manager in order to apply the changes

  4. Create a file with a name that does not contain UTF-8 characters in the folder under scanning.

    Example name: tésting.txt

  5. We can see the below error in ossec.log:

    2022/06/03 14:35:05 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
    2022/06/03 14:35:05 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: UnicodeError: UTF-16 stream does not start with BOM

    2022/06/03 14:35:05 wazuh-integratord: ERROR: Exit status was: 1

Open an Issue in Wazuh/Wazuh
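The two decode failures reported in this thread (the 4.3.4 `'utf-8' codec can't decode byte 0xe9` error from the issue description, and the 4.4.0 `UTF-16 stream does not start with BOM` error in the comment above), reproduced on a constructed alert body with one tolerant reading strategy beside them. This is an added example, not code from wazuh/wazuh or the fix branch; the alert JSON, the function names and the Latin-1 fallback are assumptions made here.

```python
"""Reproduce the two VirusTotal-integration decode failures and show a tolerant
read. Added example, not code from wazuh/wazuh; the alert body is constructed."""
import codecs
import io
import json
from typing import Callable, Optional, Tuple

# Constructed syscheck alert (fields trimmed) for a file named 'tésting.txt'
# whose path was written in Latin-1, so 'é' is the single byte 0xe9 named in
# the 4.3.4 error. JSON-escaped backslashes keep the Windows path valid JSON.
LATIN1_ALERT = (
    b'{"rule":{"id":"550"},"syscheck":{"path":"'
    b'c:\\\\users\\\\vagrant\\\\desktop\\\\testing\\\\t\xe9sting.txt'
    b'","sha1":"b858cb282617fb0956d960215c8e84d1ccf909c6"}}\n'
)
# Same alert with the path in UTF-8 ('é' = 0xc3 0xa9), the usual case.
UTF8_ALERT = LATIN1_ALERT.replace(b"\xe9", b"\xc3\xa9")
# Same alert as a BOM-prefixed UTF-16LE file, the only input the 4.4.0 reader accepts.
UTF16_ALERT = codecs.BOM_UTF16_LE + LATIN1_ALERT.decode("latin-1").encode("utf-16-le")


def read_like_4_3_4(raw: bytes) -> dict:
    """Strict UTF-8 read, as open(path) does on a UTF-8 locale: raises
    UnicodeDecodeError ('invalid continuation byte') when it meets 0xe9."""
    with io.TextIOWrapper(io.BytesIO(raw), encoding="utf-8") as fh:
        return json.loads(fh.read())


def read_like_4_4_0(raw: bytes) -> dict:
    """Unconditional UTF-16 read, as open(path, encoding="utf-16") does:
    Python's incremental UTF-16 decoder raises UnicodeError
    'UTF-16 stream does not start with BOM' on a BOM-less file."""
    with io.TextIOWrapper(io.BytesIO(raw), encoding="utf-16") as fh:
        return json.loads(fh.read())


def decode_alert(raw: bytes) -> Tuple[str, dict]:
    """Tolerant read (an added strategy, not the project's fix): honour a BOM
    if present, otherwise try UTF-8, otherwise fall back to Latin-1, which maps
    every byte to a code point and therefore never raises. Returns (codec, alert)."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        codec = "utf-16"
    elif raw.startswith(codecs.BOM_UTF8):
        codec = "utf-8-sig"
    else:
        try:
            raw.decode("utf-8")
            codec = "utf-8"
        except UnicodeDecodeError:
            codec = "latin-1"
    return codec, json.loads(raw.decode(codec))


def alert_path(raw: bytes) -> str:
    """The monitored file path carried by the alert, decoded tolerantly; the
    'é' survives instead of being dropped as in the Windows alert above."""
    return decode_alert(raw)[1]["syscheck"]["path"]


def failure_message(reader: Callable[[bytes], object], raw: bytes) -> Optional[str]:
    """Run a reader and return the UnicodeError message it raises, or None.
    UnicodeDecodeError is a subclass of UnicodeError, so both cases are caught."""
    try:
        reader(raw)
    except UnicodeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    samples = (("latin-1", LATIN1_ALERT), ("utf-8", UTF8_ALERT), ("utf-16", UTF16_ALERT))
    for label, raw in samples:
        print(f"{label:>7}: 4.3.4 reader  -> {failure_message(read_like_4_3_4, raw)}")
        print(f"{'':>7}  4.4.0 reader  -> {failure_message(read_like_4_4_0, raw)}")
        print(f"{'':>7}  tolerant read -> {decode_alert(raw)[0]}: {alert_path(raw)}")
```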

@CamiRomero
Contributor

4.3.4 to 4.4.0: Upgrade the Wazuh Manager and test Virus total integration

This test will be run when Issue is solved

@CamiRomero
Contributor

CamiRomero commented Jun 15, 2022

Test on Windows

Reproduce Test Case on 4.3.4

Package details

Test information

| Wazuh version | Wazuh revision | Component | Install type | Install method | Platform |
|---|---|---|---|---|---|
| 4.3.4 | 40316 | virustotal-scan | Manager | Packages | CentOS-8 |
| 4.3.4 | 40316 | virustotal-scan | Agent | Packages | Windows |
Reproduce failure in Virus total integration 🟢
  1. Edit the /var/ossec/etc/ossec.conf configuration on manager adding:

    <integration>
      <name>virustotal</name>
      <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
      <group>syscheck</group>
      <alert_format>json</alert_format>
    </integration>
    
  2. Edit the C:\Program Files (x86)\ossec-agent\ossec.conf configuration on agent - Using FIM to monitor a directory:

    <directories check_all="yes" realtime="yes">DIRECTORY_TO_MONITOR</directories>
    
  3. Restart the agent and manager in order to apply the changes

  4. Create a file with a name that does not contain UTF-8 characters in the folder under scanning.

    Example name: tésting.txt
    
  5. We can see the below error in ossec.log:

    2022/06/15 15:20:39 rootcheck: INFO: Ending rootcheck scan.
    2022/06/15 15:21:06 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
    2022/06/15 15:21:06 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: UnicodeDecodeError: 'utf-8' codec can't decode byte 0xe9 in position 569: invalid continuation byte
     
    2022/06/15 15:21:06 wazuh-integratord: ERROR: Exit status was: 1
    
    

Reproduce Test Case on Branch 8199-virustotal-enconding

Package details

Test information

| Wazuh version | Wazuh revision | Component | Install type | Install method | Platform |
|---|---|---|---|---|---|
| 4.4.0 | 40400 | virustotal-scan | Manager | Packages | CentOS-8 |
| 4.4.0 | 40400 | virustotal-scan | Agent | Packages | Windows |
Test Virus total integration 🟢
  1. Edit the /var/ossec/etc/ossec.conf configuration on manager adding:

    <integration>
      <name>virustotal</name>
      <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
      <group>syscheck</group>
      <alert_format>json</alert_format>
    </integration>
    
  2. Edit the C:\Program Files (x86)\ossec-agent\ossec.conf configuration on agent - Using FIM to monitor a directory:

    <directories check_all="yes" realtime="yes">DIRECTORY_TO_MONITOR</directories>
    
  3. Restart the agent and manager in order to apply the changes

  4. Create a file with a name that does not contain UTF-8 characters in the folder under scanning.

    Example name: tésting.txt
    
  5. We can see the below log in /var/ossec/logs/integrations.log:

    Wed Jun 15 15:50:18 UTC 2022 /tmp/virustotal-1655308218--1043570507.alert df80e208b8628e60266c375f95936c55bf11c5ccc1336e229ef406883cd6eb60   > /dev/null 2>&1
    
  6. We can see the below alert in /var/ossec/logs/alerts/alerts.log

    ** Alert 1655308563.1857299: - virustotal,
    2022 Jun 15 15:56:03 (WIN-JLGVA4CR4VI) FE80:0000:0000:0000:B1E6:42AF:E199:1398->virustotal
    Rule: 87104 (level 3) -> 'VirusTotal: Alert - c:\users\vagrant\desktop\testing\tsting.txt - No positives found'
    {"virustotal": {"found": 1, "malicious": 0, "source": {"alert_id": "1655308562.1856042", "file": "c:\\users\\vagrant\\desktop\\testing\\tsting.txt", "md5": "7215ee9c7d9dc229d2921a40e899ec5f", "sha1": "b858cb282617fb0956d960215c8e84d1ccf909c6"}, "sha1": "b858cb282617fb0956d960215c8e84d1ccf909c6", "scan_date": "2022-06-14 12:10:08", "positives": 0, "total": 56, "permalink": "https://www.virustotal.com/gui/file/36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068/detection/f-36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068-1655208608"}, "integration": "virustotal"}
    virustotal.found: 1
    virustotal.malicious: 0
    virustotal.source.alert_id: 1655308562.1856042
    virustotal.source.file: c:\users\vagrant\desktop\testing\tsting.txt
    virustotal.source.md5: 7215ee9c7d9dc229d2921a40e899ec5f
    virustotal.source.sha1: b858cb282617fb0956d960215c8e84d1ccf909c6
    virustotal.sha1: b858cb282617fb0956d960215c8e84d1ccf909c6
    virustotal.scan_date: 2022-06-14 12:10:08
    virustotal.positives: 0
    virustotal.total: 56
    virustotal.permalink: https://www.virustotal.com/gui/file/36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068/detection/f-36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068-1655208608
    integration: virustotal
    

Note: the alert suppresses the non-UTF-8 character - Reported in Issue
'VirusTotal: Alert - c:\users\vagrant\desktop\testing\tsting.txt - No positives found'

@CamiRomero
Contributor

CamiRomero commented Jun 15, 2022

Test on CentOS

Reproduce Test Case on 4.3.4

Package details

Test information

| Wazuh version | Wazuh revision | Component | Install type | Install method | Platform |
|---|---|---|---|---|---|
| 4.3.4 | 40316 | virustotal-scan | Manager | Packages | CentOS-8 |
| 4.3.4 | 40316 | virustotal-scan | Agent | Packages | CentOS-8 |
Reproduce failure in Virus total integration - the test case is not reproduced 🟢
  1. Edit the /var/ossec/etc/ossec.conf configuration on manager adding:

    <integration>
      <name>virustotal</name>
      <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
      <group>syscheck</group>
      <alert_format>json</alert_format>
    </integration>
    
  2. Edit the /var/ossec/etc/ossec.conf configuration on agent - Using FIM to monitor a directory:

    <directories check_all="yes" realtime="yes">DIRECTORY_TO_MONITOR</directories>
    
  3. Restart the agent and manager in order to apply the changes

  4. Create a file with a name that does not contain UTF-8 characters in the folder under scanning.

    Example name: tésting.txt
    
  5. We can see the below log in /var/ossec/logs/integrations.log:

    Fri May 27 18:29:51 UTC 2022 /tmp/virustotal-1653676191-1531012688.alert df80e208b8628e60266c375f95936c55bf11c5ccc1336e229ef406883cd6eb60   > /dev/null 2>&1
    
  6. We can see the below alert in /var/ossec/logs/alerts/alerts.log:

    virustotal.source.file: /home/vagrant/testing/tésting.txt
    virustotal.source.md5: d41d8cd98f00b204e9800998ecf8427e
    virustotal.source.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    virustotal.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    virustotal.scan_date: 2022-06-15 16:59:08
    virustotal.positives: 0
    virustotal.total: 55
    virustotal.permalink: https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655312348
    integration: virustotal
    

Note: We can note that the error does not occur in prod.

Reproduce Test Case on Branch 8199-virustotal-enconding

Package details

Test information

| Wazuh version | Wazuh revision | Component | Install type | Install method | Platform |
|---|---|---|---|---|---|
| 4.4.0 | 40400 | virustotal-scan | Manager | Packages | CentOS-8 |
| 4.4.0 | 40400 | virustotal-scan | Agent | Packages | CentOS-8 |
Test Virus total integration 🟢
  1. Edit the /var/ossec/etc/ossec.conf configuration on manager adding:

    <integration>
      <name>virustotal</name>
      <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
      <group>syscheck</group>
      <alert_format>json</alert_format>
    </integration>
    
  2. Edit the /var/ossec/etc/ossec.conf configuration on agent - Using FIM to monitor a directory:

    <directories check_all="yes" realtime="yes">DIRECTORY_TO_MONITOR</directories>
    
  3. Restart the agent and manager in order to apply the changes

  4. Create a file with a name that does not contain UTF-8 characters in the folder under scanning.

    Example name: tésting.txt
    
  5. We can see the below log in /var/ossec/logs/integrations.log:

    Wed Jun 15 15:49:21 UTC 2022 /tmp/virustotal-1655308161-1785722622.alert df80e208b8628e60266c375f95936c55bf11c5ccc1336e229ef406883cd6eb60   > /dev/null 2>&1
    
  6. We can see the below alert in /var/ossec/logs/alerts/alerts.log

    ** virustotal.source.file: /home/vagrant/testing/tésting.txt
    virustotal.source.md5: d41d8cd98f00b204e9800998ecf8427e
    virustotal.source.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    virustotal.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    virustotal.scan_date: 2022-06-15 17:12:49
    virustotal.positives: 0
    virustotal.total: 55
    virustotal.permalink: https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655313169
    integration: virustotal
    

@CamiRomero
Contributor

CamiRomero commented Jun 15, 2022

Test on Solaris

Reproduce Test Case on 4.3.4

Package details

Test information

| Wazuh version | Wazuh revision | Component | Install type | Install method | Platform |
|---|---|---|---|---|---|
| 4.3.4 | 40316 | virustotal-scan | Manager | Packages | CentOS-8 |
| 4.3.4 | 40316 | virustotal-scan | Agent | Packages | Solaris 11 |
Reproduce failure in Virus total integration - the test case is not reproduced 🟢
  1. Edit the /var/ossec/etc/ossec.conf configuration on manager adding:

    <integration>
      <name>virustotal</name>
      <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
      <group>syscheck</group>
      <alert_format>json</alert_format>
    </integration>
    
  2. Edit the /var/ossec/etc/ossec.conf configuration on agent - Using FIM to monitor a directory:

    <directories check_all="yes">DIRECTORY_TO_MONITOR</directories>
    
  3. Modify the frequency that syscheck will be run

    <frequency>10</frequency>
    
  4. Restart the agent and manager in order to apply the changes

  5. Create a file with a name that does not contain UTF-8 characters in the folder under scanning.

    Example name: tésting.txt
    
  6. We can see the below log in /var/ossec/logs/integrations.log:

    Fri May 27 18:25:34 UTC 2022 /tmp/virustotal-1653675934--781090506.alert df80e208b8628e60266c375f95936c55bf11c5ccc1336e229ef406883cd6eb60   > /dev/null 2>&1
    
  7. We can see the below alert in /var/ossec/logs/alerts/alerts.log:

    ** Alert 1653675935.656592: - virustotal,
    2022 May 27 18:25:35 (qasolaris) 10.0.2.15->virustotal
    Rule: 87104 (level 3) -> 'VirusTotal: Alert - /export/home/vagrant/testing/tésting.txt - No positives found'
    {"virustotal": {"found": 1, "malicious": 0, "source": {"alert_id": "1653675933.655887", "file": "/export/home/vagrant/testing/t\u00e9sting.txt", "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}, "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "scan_date": "2022-06-15 18:33:38", "positives": 0, "total": 55, "permalink": "https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655318018"}, "integration": "virustotal"}
    virustotal.found: 1
    virustotal.malicious: 0
    virustotal.source.alert_id: 1653675933.655887
    virustotal.source.file: /export/home/vagrant/testing/tésting.txt
    virustotal.source.md5: d41d8cd98f00b204e9800998ecf8427e
    virustotal.source.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    virustotal.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    virustotal.scan_date: 2022-06-15 18:33:38
    virustotal.positives: 0
    virustotal.total: 55
    virustotal.permalink: https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655318018
    integration: virustotal
    
    

Note: We can note that the error does not occur in prod.

Reproduce Test Case on Branch 8199-virustotal-enconding

Package details

Test information

| Wazuh version | Wazuh revision | Component | Install type | Install method | Platform |
|---|---|---|---|---|---|
| 4.4.0 | 40400 | virustotal-scan | Manager | Packages | CentOS-8 |
| 4.4.0 | 40400 | virustotal-scan | Agent | Packages | Solaris 11 |
Test Virus total integration 🟢
  1. Edit the /var/ossec/etc/ossec.conf configuration on manager adding:

    <integration>
      <name>virustotal</name>
      <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
      <group>syscheck</group>
      <alert_format>json</alert_format>
    </integration>
    
  2. Edit the /var/ossec/etc/ossec.conf configuration on agent - Using FIM to monitor a directory:

    <directories check_all="yes">DIRECTORY_TO_MONITOR</directories>
    
  3. Modify the frequency that syscheck will be run

    <frequency>10</frequency>
    
  4. Restart the agent and manager in order to apply the changes

  5. Create a file with a name that does not contain UTF-8 characters in the folder under scanning.

    Example name: tésting.txt
    
  6. We can see the below log in /var/ossec/logs/integrations.log:

    Wed Jun 15 15:49:57 UTC 2022 /tmp/virustotal-1655308196-1285637945.alert df80e208b8628e60266c375f95936c55bf11c5ccc1336e229ef406883cd6eb60   > /dev/null 2>&1
    
    
  7. We can see the below alert in /var/ossec/logs/alerts/alerts.log

    ** Alert 1655308197.654333: - virustotal,
    2022 Jun 15 15:49:57 (qasolaris) FE80:0000:0000:0000:0A00:27FF:FE9E:B4BF->virustotal
    Rule: 87104 (level 3) -> 'VirusTotal: Alert - /export/home/vagrant/testing/tésting.txt - No positives found'
    {"virustotal": {"found": 1, "malicious": 0, "source": {"alert_id": "1655308196.653628", "file": "/export/home/vagrant/testing/t\u00e9sting.txt", "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}, "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "scan_date": "2022-06-15 18:59:28", "positives": 0, "total": 55, "permalink": "https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655319568"}, "integration": "virustotal"}
    virustotal.found: 1
    virustotal.malicious: 0
    virustotal.source.alert_id: 1655308196.653628
    virustotal.source.file: /export/home/vagrant/testing/tésting.txt
    virustotal.source.md5: d41d8cd98f00b204e9800998ecf8427e
    virustotal.source.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    virustotal.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    virustotal.scan_date: 2022-06-15 18:59:28
    virustotal.positives: 0
    virustotal.total: 55
    virustotal.permalink: https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655319568
    integration: virustotal
    

@CamiRomero
Contributor

CamiRomero commented Jun 15, 2022

Test on macOS

Reproduce Test Case on 4.3.4

Package details

Test information

| Wazuh version | Wazuh revision | Component | Install type | Install method | Platform |
|---|---|---|---|---|---|
| 4.3.4 | 40316 | virustotal-scan | Manager | Packages | CentOS-8 |
| 4.3.4 | 40316 | virustotal-scan | Agent | Packages | macOS |
Reproduce failure in Virus total integration - the test case is not reproduced 🟢
  1. Edit the /var/ossec/etc/ossec.conf configuration on manager adding:

    <integration>
      <name>virustotal</name>
      <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
      <group>syscheck</group>
      <alert_format>json</alert_format>
    </integration>
    
  2. Edit the /var/ossec/etc/ossec.conf configuration on agent - Using FIM to monitor a directory:

    <directories check_all="yes">DIRECTORY_TO_MONITOR</directories>
    
  3. Modify the frequency that syscheck will be run

    <frequency>10</frequency>
    
  4. Restart the agent and manager in order to apply the changes

  5. Create a file with a name that does not contain UTF-8 characters in the folder under scanning.

    Example name: tésting.txt
    
  6. We can see the below log in /var/ossec/logs/integrations.log:

    Wed Jun 15 19:19:58 UTC 2022 /tmp/virustotal-1655320798--1548716626.alert df80e208b8628e60266c375f95936c55bf11c5ccc1336e229ef406883cd6eb60   > /dev/null 2>&1
    
  7. We can see the below alert in /var/ossec/logs/alerts/alerts.log:

    ** Alert 1655320798.192725: - virustotal,
    2022 Jun 15 19:19:58 (macos) 10.0.2.15->virustotal
    Rule: 87104 (level 3) -> 'VirusTotal: Alert - /Users/vagrant/testing/tésting.txt - No positives found'
    {"virustotal": {"found": 1, "malicious": 0, "source": {"alert_id": "1655320796.192026", "file": "/Users/vagrant/testing/t\u00e9sting.txt", "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}, "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "scan_date": "2022-06-15 19:14:16", "positives": 0, "total": 55, "permalink": "https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655320456"}, "integration": "virustotal"}
    virustotal.found: 1
    virustotal.malicious: 0
    virustotal.source.alert_id: 1655320796.192026
    virustotal.source.file: /Users/vagrant/testing/tésting.txt
    virustotal.source.md5: d41d8cd98f00b204e9800998ecf8427e
    virustotal.source.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    virustotal.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    virustotal.scan_date: 2022-06-15 19:14:16
    virustotal.positives: 0
    virustotal.total: 55
    virustotal.permalink: https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655320456
    integration: virustotal
    
    

Note: We can note that the error does not occur in prod.

Reproduce Test Case on Branch 8199-virustotal-enconding

Package details

Test information

| Wazuh version | Wazuh revision | Component | Install type | Install method | Platform |
|---|---|---|---|---|---|
| 4.4.0 | 40400 | virustotal-scan | Manager | Packages | CentOS-8 |
| 4.4.0 | 40400 | virustotal-scan | Agent | Packages | macOS |
Test Virus total integration 🟢
  1. Edit the /var/ossec/etc/ossec.conf configuration on manager adding:

    <integration>
      <name>virustotal</name>
      <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
      <group>syscheck</group>
      <alert_format>json</alert_format>
    </integration>
    
  2. Edit the /var/ossec/etc/ossec.conf configuration on agent - Using FIM to monitor a directory:

    <directories check_all="yes">DIRECTORY_TO_MONITOR</directories>
    
  3. Modify the frequency that syscheck will be run

    <frequency>10</frequency>
    
  4. Restart the agent and manager in order to apply the changes

  5. Create a file with a name that does not contain UTF-8 characters in the folder under scanning.

    Example name: tésting.txt
    
  6. We can see the below log in /var/ossec/logs/integrations.log:

    Wed Jun 15 19:32:55 UTC 2022 /tmp/virustotal-1655321575-454371622.alert df80e208b8628e60266c375f95936c55bf11c5ccc1336e229ef406883cd6eb60   > /dev/null 2>&1
    
    
  7. We can see the below alert in /var/ossec/logs/alerts/alerts.log

    ** Alert 1655321576.697486: - virustotal,
    2022 Jun 15 19:32:56 (macos) FE80:0000:0000:0000:18FF:C0F7:FF75:9752->virustotal
    Rule: 87104 (level 3) -> 'VirusTotal: Alert - /Users/vagrant/testing/tésting.txt - No positives found'
    {"virustotal": {"found": 1, "malicious": 0, "source": {"alert_id": "1655321574.696787", "file": "/Users/vagrant/testing/t\u00e9sting.txt", "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}, "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "scan_date": "2022-06-15 19:30:47", "positives": 0, "total": 54, "permalink": "https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655321447"}, "integration": "virustotal"}
    virustotal.found: 1
    virustotal.malicious: 0
    virustotal.source.alert_id: 1655321574.696787
    virustotal.source.file: /Users/vagrant/testing/tésting.txt
    virustotal.source.md5: d41d8cd98f00b204e9800998ecf8427e
    virustotal.source.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    virustotal.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    virustotal.scan_date: 2022-06-15 19:30:47
    virustotal.positives: 0
    virustotal.total: 54
    virustotal.permalink: https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655321447
    integration: virustotal
    

@CamiRomero
Contributor

CamiRomero commented Jun 15, 2022

Test on Ubuntu

Reproduce Test Case on 4.3.4

Package details

Test information

| Wazuh version | Wazuh revision | Component | Install type | Install method | Platform |
|---|---|---|---|---|---|
| 4.3.4 | 40316 | virustotal-scan | Manager | Packages | CentOS-8 |
| 4.3.4 | 40316 | virustotal-scan | Agent | Packages | Ubuntu 20.04 |
Reproduce failure in Virus total integration - the test case is not reproduced 🟢
  1. Edit the /var/ossec/etc/ossec.conf configuration on manager adding:

    <integration>
      <name>virustotal</name>
      <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
      <group>syscheck</group>
      <alert_format>json</alert_format>
    </integration>
    
  2. Edit the /var/ossec/etc/ossec.conf configuration on agent - Using FIM to monitor a directory:

    <directories check_all="yes" realtime="yes">DIRECTORY_TO_MONITOR</directories>
    
  3. Restart the agent and manager in order to apply the changes

  4. Create a file with a name that does not contain UTF-8 characters in the folder under scanning.

    Example name: tésting.txt
    
  5. We can see the below log in /var/ossec/logs/integrations.log:

    Fri May 27 18:26:42 UTC 2022 /tmp/virustotal-1653676001-648679811.alert df80e208b8628e60266c375f95936c55bf11c5ccc1336e229ef406883cd6eb60   > /dev/null 2>&1
    
  6. We can see the below alert in /var/ossec/logs/alerts/alerts.log:

    ** Alert 1653676003.1046164: - virustotal,
    2022 May 27 18:26:43 (ubuntu) 10.0.2.15->virustotal
    Rule: 87104 (level 3) -> 'VirusTotal: Alert - /home/vagrant/testing/tésting.txt - No positives found'
    {"virustotal": {"found": 1, "malicious": 0, "source": {"alert_id": "1653676000.1045467", "file": "/home/vagrant/testing/t\u00e9sting.txt", "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}, "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "scan_date": "2022-06-15 20:24:24", "positives": 0, "total": 55, "permalink": "https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655324664"}, "integration": "virustotal"}
    virustotal.found: 1
    virustotal.malicious: 0
    virustotal.source.alert_id: 1653676000.1045467
    virustotal.source.file: /home/vagrant/testing/tésting.txt
    virustotal.source.md5: d41d8cd98f00b204e9800998ecf8427e
    virustotal.source.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    virustotal.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    virustotal.scan_date: 2022-06-15 20:24:24
    virustotal.positives: 0
    virustotal.total: 55
    virustotal.permalink: https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655324664
    integration: virustotal
    

Note: We can note that the error does not occur in prod.

Reproduce Test Case on Branch 8199-virustotal-enconding

Package details

Test information

| Wazuh version | Wazuh revision | Component | Install type | Install method | Platform |
|---|---|---|---|---|---|
| 4.4.0 | 40400 | virustotal-scan | Manager | Packages | CentOS-8 |
| 4.4.0 | 40400 | virustotal-scan | Agent | Packages | Ubuntu 20.04 |
Test Virus total integration 🟢
  1. Edit the /var/ossec/etc/ossec.conf configuration on manager adding:

    <integration>
      <name>virustotal</name>
      <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
      <group>syscheck</group>
      <alert_format>json</alert_format>
    </integration>
    
  2. Edit the /var/ossec/etc/ossec.conf configuration on agent - Using FIM to monitor a directory:

    <directories check_all="yes" realtime="yes">DIRECTORY_TO_MONITOR</directories>
    
  3. Restart the agent and manager in order to apply the changes

  4. Create a file with a name that does not contain UTF-8 characters in the folder under scanning.

    Example name: tésting.txt
    
  5. We can see the below log in /var/ossec/logs/integrations.log:

    Wed Jun 15 19:32:55 UTC 2022 /tmp/virustotal-1655321575-454371622.alert df80e208b8628e60266c375f95936c55bf11c5ccc1336e229ef406883cd6eb60   > /dev/null 2>&1
    
  6. We can see the below alert in /var/ossec/logs/alerts/alerts.log

    ** Alert 1655326348.1045134: - virustotal,
    2022 Jun 15 20:52:28 (ubuntu) FE80:0000:0000:0000:0A00:27FF:FE6F:A26E->virustotal
    Rule: 87104 (level 3) -> 'VirusTotal: Alert - /home/vagrant/testing/tésting.txt - No positives found'
    {"virustotal": {"found": 1, "malicious": 0, "source": {"alert_id": "1655326346.1044437", "file": "/home/vagrant/testing/t\u00e9sting.txt", "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}, "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "scan_date": "2022-06-15 20:49:40", "positives": 0, "total": 55, "permalink": "https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655326180"}, "integration": "virustotal"}
    virustotal.found: 1
    virustotal.malicious: 0
    virustotal.source.alert_id: 1655326346.1044437
    virustotal.source.file: /home/vagrant/testing/tésting.txt
    virustotal.source.md5: d41d8cd98f00b204e9800998ecf8427e
    virustotal.source.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    virustotal.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    virustotal.scan_date: 2022-06-15 20:49:40
    virustotal.positives: 0
    virustotal.total: 55
    virustotal.permalink: https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655326180
    integration: virustotal
    

@CamiRomero
Contributor

CamiRomero commented Jun 16, 2022

4.3.4 to 4.4.0: Upgrade the Wazuh Manager and test Virus total integration.

Package details

Test information

| Wazuh version | Wazuh revision | Component | Install type | Install method | Platform |
|---|---|---|---|---|---|
| 4.3.4 to 4.4.0 | 40316 | virustotal-scan | Manager | Packages | CentOS-8 |
| 4.3.4 | 40316 | virustotal-scan | Agent | Packages | Windows |
Reproduce failure in Virus total integration 🟢
  1. Check the current version:

    /var/ossec/bin/wazuh-control info
    WAZUH_VERSION="v4.3.4"
    WAZUH_REVISION="40316"
    WAZUH_TYPE="server"
    
  2. Download package 4.4.0:

    curl -LO https://packages-dev.wazuh.com/warehouse/pullrequests/4.4/rpm/var/wazuh-manager-4.4.0-0.commitd923cdb.x86_64.rpm
    
  3. Upgrade the Wazuh manager:

    yum upgrade wazuh-manager-4.4.0-0.commitd923cdb.x86_64.rpm
    
  4. Check the current version:

    /var/ossec/bin/wazuh-control info
    WAZUH_VERSION="v4.4.0"
    WAZUH_REVISION="40400"
    WAZUH_TYPE="server"
    
  5. Edit the /var/ossec/etc/ossec.conf configuration on manager adding:

    <integration>
      <name>virustotal</name>
      <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
      <group>syscheck</group>
      <alert_format>json</alert_format>
    </integration>
    
  6. Edit the C:\Program Files (x86)\ossec-agent\ossec.conf configuration on agent - Using FIM to monitor a directory:

    <directories check_all="yes" realtime="yes">DIRECTORY_TO_MONITOR</directories>
    
  7. Restart the agent and manager in order to apply the changes

  8. Create a file with a name that does not contain UTF-8 characters in the folder under scanning.

    Example name: tésting.txt
    
  9. We can see the below log in /var/ossec/logs/integrations.log:

    Thu Jun 16 14:50:46 UTC 2022 /tmp/virustotal-1655391046--927452612.alert df80e208b8628e60266c375f95936c55bf11c5ccc1336e229ef406883cd6eb60   > /dev/null 2>&1
    
  10. We can see the below alert in /var/ossec/logs/alerts/alerts.log

    ** Alert 1655391047.1374999: - virustotal,
    2022 Jun 16 14:50:47 (WIN-JLGVA4CR4VI) 10.0.2.15->virustotal
    Rule: 87104 (level 3) -> 'VirusTotal: Alert - c:\users\vagrant\desktop\testing\tsting.txt - No positives found'
    {"virustotal": {"found": 1, "malicious": 0, "source": {"alert_id": "1655391045.1373742", "file": "c:\\users\\vagrant\\desktop\\testing\\tsting.txt", "md5": "7215ee9c7d9dc229d2921a40e899ec5f", "sha1": "b858cb282617fb0956d960215c8e84d1ccf909c6"}, "sha1": "b858cb282617fb0956d960215c8e84d1ccf909c6", "scan_date": "2022-06-14 12:10:08", "positives": 0, "total": 56, "permalink": "https://www.virustotal.com/gui/file/36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068/detection/f-36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068-1655208608"}, "integration": "virustotal"}
    virustotal.found: 1
    virustotal.malicious: 0
    virustotal.source.alert_id: 1655391045.1373742
    virustotal.source.file: c:\users\vagrant\desktop\testing\tsting.txt
    virustotal.source.md5: 7215ee9c7d9dc229d2921a40e899ec5f
    virustotal.source.sha1: b858cb282617fb0956d960215c8e84d1ccf909c6
    virustotal.sha1: b858cb282617fb0956d960215c8e84d1ccf909c6
    virustotal.scan_date: 2022-06-14 12:10:08
    virustotal.positives: 0
    virustotal.total: 56
    virustotal.permalink: https://www.virustotal.com/gui/file/36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068/detection/f-36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068-1655208608
    integration: virustotal
    

Note: the alert suppresses the non-UTF-8 character - Reported in Issue
'VirusTotal: Alert - c:\users\vagrant\desktop\testing\tsting.txt - No positives found'
