Manual testing - Virus total integration #2970
Test | Result | Notes
---|---|---
4.3.4: Reproduce failure in Virus total integration | 🟢 |
4.4.0: Test Virus total integration | 🔴 | Open an Issue in Wazuh/Wazuh
4.3.4 to 4.4.0: Upgrade the Wazuh Manager and test Virus total integration | | This test will be run when Issue is solved

Test on Windows

Reproduce Test Case on
Wazuh version | Wazuh revision | Component | Install type | Install method | Platform |
---|---|---|---|---|---|
4.3.4 | 40316 | virustotal-scan | Manager | Packages | CentOS-8 |
4.3.4 | 40316 | virustotal-scan | Agent | Packages | Windows |
Reproduce failure in Virus total integration 🟢

- Edit the /var/ossec/etc/ossec.conf configuration on manager adding:

  ```xml
  <integration>
    <name>virustotal</name>
    <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
  ```

- Edit the C:\Program Files (x86)\ossec-agent\ossec.conf configuration on agent - Using FIM to monitor a directory:

  ```xml
  <directories check_all="yes" realtime="yes">DIRECTORY_TO_MONITOR</directories>
  ```

- Restart the agent and manager in order to apply the changes
- Create a file with a name that does not contain UTF-8 characters in the folder under scanning. Example name: tésting.txt
- We can see the below error in ossec.log:

  ```
  2022/06/15 15:20:39 rootcheck: INFO: Ending rootcheck scan.
  2022/06/15 15:21:06 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
  2022/06/15 15:21:06 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: UnicodeDecodeError: 'utf-8' codec can't decode byte 0xe9 in position 569: invalid continuation byte
  2022/06/15 15:21:06 wazuh-integratord: ERROR: Exit status was: 1
  ```
Reproduce Test Case on Branch 8199-virustotal-enconding
Package details
Test information
Wazuh version | Wazuh revision | Component | Install type | Install method | Platform |
---|---|---|---|---|---|
4.4.0 | 40400 | virustotal-scan | Manager | Packages | CentOS-8 |
4.4.0 | 40400 | virustotal-scan | Agent | Packages | Windows |
Test Virus total integration 🟢

- Edit the /var/ossec/etc/ossec.conf configuration on manager adding:

  ```xml
  <integration>
    <name>virustotal</name>
    <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
  ```

- Edit the C:\Program Files (x86)\ossec-agent\ossec.conf configuration on agent - Using FIM to monitor a directory:

  ```xml
  <directories check_all="yes" realtime="yes">DIRECTORY_TO_MONITOR</directories>
  ```

- Restart the agent and manager in order to apply the changes
- Create a file with a name that does not contain UTF-8 characters in the folder under scanning. Example name: tésting.txt
- We can see the below log in /var/ossec/logs/integrations.log:

  ```
  Wed Jun 15 15:50:18 UTC 2022 /tmp/virustotal-1655308218--1043570507.alert df80e208b8628e60266c375f95936c55bf11c5ccc1336e229ef406883cd6eb60 > /dev/null 2>&1
  ```

- We can see the below alert in /var/ossec/logs/alerts/alerts.log:

  ```
  ** Alert 1655308563.1857299: - virustotal,
  2022 Jun 15 15:56:03 (WIN-JLGVA4CR4VI) FE80:0000:0000:0000:B1E6:42AF:E199:1398->virustotal
  Rule: 87104 (level 3) -> 'VirusTotal: Alert - c:\users\vagrant\desktop\testing\tsting.txt - No positives found'
  {"virustotal": {"found": 1, "malicious": 0, "source": {"alert_id": "1655308562.1856042", "file": "c:\\users\\vagrant\\desktop\\testing\\tsting.txt", "md5": "7215ee9c7d9dc229d2921a40e899ec5f", "sha1": "b858cb282617fb0956d960215c8e84d1ccf909c6"}, "sha1": "b858cb282617fb0956d960215c8e84d1ccf909c6", "scan_date": "2022-06-14 12:10:08", "positives": 0, "total": 56, "permalink": "https://www.virustotal.com/gui/file/36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068/detection/f-36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068-1655208608"}, "integration": "virustotal"}
  virustotal.found: 1
  virustotal.malicious: 0
  virustotal.source.alert_id: 1655308562.1856042
  virustotal.source.file: c:\users\vagrant\desktop\testing\tsting.txt
  virustotal.source.md5: 7215ee9c7d9dc229d2921a40e899ec5f
  virustotal.source.sha1: b858cb282617fb0956d960215c8e84d1ccf909c6
  virustotal.sha1: b858cb282617fb0956d960215c8e84d1ccf909c6
  virustotal.scan_date: 2022-06-14 12:10:08
  virustotal.positives: 0
  virustotal.total: 56
  virustotal.permalink: https://www.virustotal.com/gui/file/36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068/detection/f-36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068-1655208608
  integration: virustotal
  ```

Note: Please note that the alert suppresses the non-UTF-8 character - Reported in Issue

'VirusTotal: Alert - c:\users\vagrant\desktop\testing\tsting.txt - No positives found'
Test on CentOS

Reproduce Test Case on
Wazuh version | Wazuh revision | Component | Install type | Install method | Platform |
---|---|---|---|---|---|
4.3.4 | 40316 | virustotal-scan | Manager | Packages | CentOS-8 |
4.3.4 | 40316 | virustotal-scan | Agent | Packages | CentOS-8 |
Reproduce failure in Virus total integration - the test case is not reproduced 🟢

- Edit the /var/ossec/etc/ossec.conf configuration on manager adding:

  ```xml
  <integration>
    <name>virustotal</name>
    <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
  ```

- Edit the /var/ossec/etc/ossec.conf configuration on agent - Using FIM to monitor a directory:

  ```xml
  <directories check_all="yes" realtime="yes">DIRECTORY_TO_MONITOR</directories>
  ```

- Restart the agent and manager in order to apply the changes
- Create a file with a name that does not contain UTF-8 characters in the folder under scanning. Example name: tésting.txt
- We can see the below log in /var/ossec/logs/integrations.log:

  ```
  Fri May 27 18:29:51 UTC 2022 /tmp/virustotal-1653676191-1531012688.alert df80e208b8628e60266c375f95936c55bf11c5ccc1336e229ef406883cd6eb60 > /dev/null 2>&1
  ```

- We can see the below alert in /var/ossec/logs/alerts/alerts.log:

  ```
  virustotal.source.file: /home/vagrant/testing/tésting.txt
  virustotal.source.md5: d41d8cd98f00b204e9800998ecf8427e
  virustotal.source.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  virustotal.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  virustotal.scan_date: 2022-06-15 16:59:08
  virustotal.positives: 0
  virustotal.total: 55
  virustotal.permalink: https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655312348
  integration: virustotal
  ```

Note: We can note that the error does not occur in prod.
Reproduce Test Case on Branch 8199-virustotal-enconding
Package details
Test information
Wazuh version | Wazuh revision | Component | Install type | Install method | Platform |
---|---|---|---|---|---|
4.4.0 | 40400 | virustotal-scan | Manager | Packages | CentOS-8 |
4.4.0 | 40400 | virustotal-scan | Agent | Packages | CentOS-8 |
Test Virus total integration 🟢

- Edit the /var/ossec/etc/ossec.conf configuration on manager adding:

  ```xml
  <integration>
    <name>virustotal</name>
    <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
  ```

- Edit the /var/ossec/etc/ossec.conf configuration on agent - Using FIM to monitor a directory:

  ```xml
  <directories check_all="yes" realtime="yes">DIRECTORY_TO_MONITOR</directories>
  ```

- Restart the agent and manager in order to apply the changes
- Create a file with a name that does not contain UTF-8 characters in the folder under scanning. Example name: tésting.txt
- We can see the below log in /var/ossec/logs/integrations.log:

  ```
  Wed Jun 15 15:49:21 UTC 2022 /tmp/virustotal-1655308161-1785722622.alert df80e208b8628e60266c375f95936c55bf11c5ccc1336e229ef406883cd6eb60 > /dev/null 2>&1
  ```

- We can see the below alert in /var/ossec/logs/alerts/alerts.log:

  ```
  virustotal.source.file: /home/vagrant/testing/tésting.txt
  virustotal.source.md5: d41d8cd98f00b204e9800998ecf8427e
  virustotal.source.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  virustotal.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  virustotal.scan_date: 2022-06-15 17:12:49
  virustotal.positives: 0
  virustotal.total: 55
  virustotal.permalink: https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655313169
  integration: virustotal
  ```
Test on Solaris

Reproduce Test Case on
Wazuh version | Wazuh revision | Component | Install type | Install method | Platform |
---|---|---|---|---|---|
4.3.4 | 40316 | virustotal-scan | Manager | Packages | CentOS-8 |
4.3.4 | 40316 | virustotal-scan | Agent | Packages | Solaris 11 |
Reproduce failure in Virus total integration - the test case is not reproduced 🟢

- Edit the /var/ossec/etc/ossec.conf configuration on manager adding:

  ```xml
  <integration>
    <name>virustotal</name>
    <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
  ```

- Edit the /var/ossec/etc/ossec.conf configuration on agent - Using FIM to monitor a directory:

  ```xml
  <directories check_all="yes">DIRECTORY_TO_MONITOR</directories>
  ```

- Modify the frequency at which syscheck will be run:

  ```xml
  <frequency>10</frequency>
  ```

- Restart the agent and manager in order to apply the changes
- Create a file with a name that does not contain UTF-8 characters in the folder under scanning. Example name: tésting.txt
- We can see the below log in /var/ossec/logs/integrations.log:

  ```
  Fri May 27 18:25:34 UTC 2022 /tmp/virustotal-1653675934--781090506.alert df80e208b8628e60266c375f95936c55bf11c5ccc1336e229ef406883cd6eb60 > /dev/null 2>&1
  ```

- We can see the below alert in /var/ossec/logs/alerts/alerts.log:

  ```
  ** Alert 1653675935.656592: - virustotal,
  2022 May 27 18:25:35 (qasolaris) 10.0.2.15->virustotal
  Rule: 87104 (level 3) -> 'VirusTotal: Alert - /export/home/vagrant/testing/tésting.txt - No positives found'
  {"virustotal": {"found": 1, "malicious": 0, "source": {"alert_id": "1653675933.655887", "file": "/export/home/vagrant/testing/t\u00e9sting.txt", "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}, "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "scan_date": "2022-06-15 18:33:38", "positives": 0, "total": 55, "permalink": "https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655318018"}, "integration": "virustotal"}
  virustotal.found: 1
  virustotal.malicious: 0
  virustotal.source.alert_id: 1653675933.655887
  virustotal.source.file: /export/home/vagrant/testing/tésting.txt
  virustotal.source.md5: d41d8cd98f00b204e9800998ecf8427e
  virustotal.source.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  virustotal.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  virustotal.scan_date: 2022-06-15 18:33:38
  virustotal.positives: 0
  virustotal.total: 55
  virustotal.permalink: https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655318018
  integration: virustotal
  ```

Note: We can note that the error does not occur in prod.
Reproduce Test Case on Branch 8199-virustotal-enconding
Package details
Test information
Wazuh version | Wazuh revision | Component | Install type | Install method | Platform |
---|---|---|---|---|---|
4.4.0 | 40400 | virustotal-scan | Manager | Packages | CentOS-8 |
4.4.0 | 40400 | virustotal-scan | Agent | Packages | Solaris 11 |
Test Virus total integration 🟢

- Edit the /var/ossec/etc/ossec.conf configuration on manager adding:

  ```xml
  <integration>
    <name>virustotal</name>
    <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
  ```

- Edit the /var/ossec/etc/ossec.conf configuration on agent - Using FIM to monitor a directory:

  ```xml
  <directories check_all="yes">DIRECTORY_TO_MONITOR</directories>
  ```

- Modify the frequency at which syscheck will be run:

  ```xml
  <frequency>10</frequency>
  ```

- Restart the agent and manager in order to apply the changes
- Create a file with a name that does not contain UTF-8 characters in the folder under scanning. Example name: tésting.txt
- We can see the below log in /var/ossec/logs/integrations.log:

  ```
  Wed Jun 15 15:49:57 UTC 2022 /tmp/virustotal-1655308196-1285637945.alert df80e208b8628e60266c375f95936c55bf11c5ccc1336e229ef406883cd6eb60 > /dev/null 2>&1
  ```

- We can see the below alert in /var/ossec/logs/alerts/alerts.log:

  ```
  ** Alert 1655308197.654333: - virustotal,
  2022 Jun 15 15:49:57 (qasolaris) FE80:0000:0000:0000:0A00:27FF:FE9E:B4BF->virustotal
  Rule: 87104 (level 3) -> 'VirusTotal: Alert - /export/home/vagrant/testing/tésting.txt - No positives found'
  {"virustotal": {"found": 1, "malicious": 0, "source": {"alert_id": "1655308196.653628", "file": "/export/home/vagrant/testing/t\u00e9sting.txt", "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}, "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "scan_date": "2022-06-15 18:59:28", "positives": 0, "total": 55, "permalink": "https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655319568"}, "integration": "virustotal"}
  virustotal.found: 1
  virustotal.malicious: 0
  virustotal.source.alert_id: 1655308196.653628
  virustotal.source.file: /export/home/vagrant/testing/tésting.txt
  virustotal.source.md5: d41d8cd98f00b204e9800998ecf8427e
  virustotal.source.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  virustotal.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  virustotal.scan_date: 2022-06-15 18:59:28
  virustotal.positives: 0
  virustotal.total: 55
  virustotal.permalink: https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655319568
  integration: virustotal
  ```
Test on macOS

Reproduce Test Case on
Wazuh version | Wazuh revision | Component | Install type | Install method | Platform |
---|---|---|---|---|---|
4.3.4 | 40316 | virustotal-scan | Manager | Packages | CentOS-8 |
4.3.4 | 40316 | virustotal-scan | Agent | Packages | macOS |
Reproduce failure in Virus total integration - the test case is not reproduced 🟢

- Edit the /var/ossec/etc/ossec.conf configuration on manager adding:

  ```xml
  <integration>
    <name>virustotal</name>
    <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
  ```

- Edit the /var/ossec/etc/ossec.conf configuration on agent - Using FIM to monitor a directory:

  ```xml
  <directories check_all="yes">DIRECTORY_TO_MONITOR</directories>
  ```

- Modify the frequency at which syscheck will be run:

  ```xml
  <frequency>10</frequency>
  ```

- Restart the agent and manager in order to apply the changes
- Create a file with a name that does not contain UTF-8 characters in the folder under scanning. Example name: tésting.txt
- We can see the below log in /var/ossec/logs/integrations.log:

  ```
  Wed Jun 15 19:19:58 UTC 2022 /tmp/virustotal-1655320798--1548716626.alert df80e208b8628e60266c375f95936c55bf11c5ccc1336e229ef406883cd6eb60 > /dev/null 2>&1
  ```

- We can see the below alert in /var/ossec/logs/alerts/alerts.log:

  ```
  ** Alert 1655320798.192725: - virustotal,
  2022 Jun 15 19:19:58 (macos) 10.0.2.15->virustotal
  Rule: 87104 (level 3) -> 'VirusTotal: Alert - /Users/vagrant/testing/tésting.txt - No positives found'
  {"virustotal": {"found": 1, "malicious": 0, "source": {"alert_id": "1655320796.192026", "file": "/Users/vagrant/testing/t\u00e9sting.txt", "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}, "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "scan_date": "2022-06-15 19:14:16", "positives": 0, "total": 55, "permalink": "https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655320456"}, "integration": "virustotal"}
  virustotal.found: 1
  virustotal.malicious: 0
  virustotal.source.alert_id: 1655320796.192026
  virustotal.source.file: /Users/vagrant/testing/tésting.txt
  virustotal.source.md5: d41d8cd98f00b204e9800998ecf8427e
  virustotal.source.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  virustotal.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  virustotal.scan_date: 2022-06-15 19:14:16
  virustotal.positives: 0
  virustotal.total: 55
  virustotal.permalink: https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655320456
  integration: virustotal
  ```

Note: We can note that the error does not occur in prod.
Reproduce Test Case on Branch 8199-virustotal-enconding
Package details
Test information
Wazuh version | Wazuh revision | Component | Install type | Install method | Platform |
---|---|---|---|---|---|
4.4.0 | 40400 | virustotal-scan | Manager | Packages | CentOS-8 |
4.4.0 | 40400 | virustotal-scan | Agent | Packages | macOS |
Test Virus total integration 🟢

- Edit the /var/ossec/etc/ossec.conf configuration on manager adding:

  ```xml
  <integration>
    <name>virustotal</name>
    <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
  ```

- Edit the /var/ossec/etc/ossec.conf configuration on agent - Using FIM to monitor a directory:

  ```xml
  <directories check_all="yes">DIRECTORY_TO_MONITOR</directories>
  ```

- Modify the frequency at which syscheck will be run:

  ```xml
  <frequency>10</frequency>
  ```

- Restart the agent and manager in order to apply the changes
- Create a file with a name that does not contain UTF-8 characters in the folder under scanning. Example name: tésting.txt
- We can see the below log in /var/ossec/logs/integrations.log:

  ```
  Wed Jun 15 19:32:55 UTC 2022 /tmp/virustotal-1655321575-454371622.alert df80e208b8628e60266c375f95936c55bf11c5ccc1336e229ef406883cd6eb60 > /dev/null 2>&1
  ```

- We can see the below alert in /var/ossec/logs/alerts/alerts.log:

  ```
  ** Alert 1655321576.697486: - virustotal,
  2022 Jun 15 19:32:56 (macos) FE80:0000:0000:0000:18FF:C0F7:FF75:9752->virustotal
  Rule: 87104 (level 3) -> 'VirusTotal: Alert - /Users/vagrant/testing/tésting.txt - No positives found'
  {"virustotal": {"found": 1, "malicious": 0, "source": {"alert_id": "1655321574.696787", "file": "/Users/vagrant/testing/t\u00e9sting.txt", "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}, "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "scan_date": "2022-06-15 19:30:47", "positives": 0, "total": 54, "permalink": "https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655321447"}, "integration": "virustotal"}
  virustotal.found: 1
  virustotal.malicious: 0
  virustotal.source.alert_id: 1655321574.696787
  virustotal.source.file: /Users/vagrant/testing/tésting.txt
  virustotal.source.md5: d41d8cd98f00b204e9800998ecf8427e
  virustotal.source.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  virustotal.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  virustotal.scan_date: 2022-06-15 19:30:47
  virustotal.positives: 0
  virustotal.total: 54
  virustotal.permalink: https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655321447
  integration: virustotal
  ```
Test on Ubuntu

Reproduce Test Case on
Wazuh version | Wazuh revision | Component | Install type | Install method | Platform |
---|---|---|---|---|---|
4.3.4 | 40316 | virustotal-scan | Manager | Packages | CentOS-8 |
4.3.4 | 40316 | virustotal-scan | Agent | Packages | Ubuntu 20.04 |
Reproduce failure in Virus total integration - the test case is not reproduced 🟢

- Edit the /var/ossec/etc/ossec.conf configuration on manager adding:

  ```xml
  <integration>
    <name>virustotal</name>
    <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
  ```

- Edit the /var/ossec/etc/ossec.conf configuration on agent - Using FIM to monitor a directory:

  ```xml
  <directories check_all="yes" realtime="yes">DIRECTORY_TO_MONITOR</directories>
  ```

- Restart the agent and manager in order to apply the changes
- Create a file with a name that does not contain UTF-8 characters in the folder under scanning. Example name: tésting.txt
- We can see the below log in /var/ossec/logs/integrations.log:

  ```
  Fri May 27 18:26:42 UTC 2022 /tmp/virustotal-1653676001-648679811.alert df80e208b8628e60266c375f95936c55bf11c5ccc1336e229ef406883cd6eb60 > /dev/null 2>&1
  ```

- We can see the below alert in /var/ossec/logs/alerts/alerts.log:

  ```
  ** Alert 1653676003.1046164: - virustotal,
  2022 May 27 18:26:43 (ubuntu) 10.0.2.15->virustotal
  Rule: 87104 (level 3) -> 'VirusTotal: Alert - /home/vagrant/testing/tésting.txt - No positives found'
  {"virustotal": {"found": 1, "malicious": 0, "source": {"alert_id": "1653676000.1045467", "file": "/home/vagrant/testing/t\u00e9sting.txt", "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}, "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "scan_date": "2022-06-15 20:24:24", "positives": 0, "total": 55, "permalink": "https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655324664"}, "integration": "virustotal"}
  virustotal.found: 1
  virustotal.malicious: 0
  virustotal.source.alert_id: 1653676000.1045467
  virustotal.source.file: /home/vagrant/testing/tésting.txt
  virustotal.source.md5: d41d8cd98f00b204e9800998ecf8427e
  virustotal.source.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  virustotal.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  virustotal.scan_date: 2022-06-15 20:24:24
  virustotal.positives: 0
  virustotal.total: 55
  virustotal.permalink: https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655324664
  integration: virustotal
  ```

Note: We can note that the error does not occur in prod.
Reproduce Test Case on Branch 8199-virustotal-enconding
Package details
Test information
Wazuh version | Wazuh revision | Component | Install type | Install method | Platform |
---|---|---|---|---|---|
4.4.0 | 40400 | virustotal-scan | Manager | Packages | CentOS-8 |
4.4.0 | 40400 | virustotal-scan | Agent | Packages | Ubuntu 20.04 |
Test Virus total integration 🟢

- Edit the /var/ossec/etc/ossec.conf configuration on manager adding:

  ```xml
  <integration>
    <name>virustotal</name>
    <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
  ```

- Edit the /var/ossec/etc/ossec.conf configuration on agent - Using FIM to monitor a directory:

  ```xml
  <directories check_all="yes" realtime="yes">DIRECTORY_TO_MONITOR</directories>
  ```

- Restart the agent and manager in order to apply the changes
- Create a file with a name that does not contain UTF-8 characters in the folder under scanning. Example name: tésting.txt
- We can see the below log in /var/ossec/logs/integrations.log:

  ```
  Wed Jun 15 19:32:55 UTC 2022 /tmp/virustotal-1655321575-454371622.alert df80e208b8628e60266c375f95936c55bf11c5ccc1336e229ef406883cd6eb60 > /dev/null 2>&1
  ```

- We can see the below alert in /var/ossec/logs/alerts/alerts.log:

  ```
  ** Alert 1655326348.1045134: - virustotal,
  2022 Jun 15 20:52:28 (ubuntu) FE80:0000:0000:0000:0A00:27FF:FE6F:A26E->virustotal
  Rule: 87104 (level 3) -> 'VirusTotal: Alert - /home/vagrant/testing/tésting.txt - No positives found'
  {"virustotal": {"found": 1, "malicious": 0, "source": {"alert_id": "1655326346.1044437", "file": "/home/vagrant/testing/t\u00e9sting.txt", "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}, "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "scan_date": "2022-06-15 20:49:40", "positives": 0, "total": 55, "permalink": "https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655326180"}, "integration": "virustotal"}
  virustotal.found: 1
  virustotal.malicious: 0
  virustotal.source.alert_id: 1655326346.1044437
  virustotal.source.file: /home/vagrant/testing/tésting.txt
  virustotal.source.md5: d41d8cd98f00b204e9800998ecf8427e
  virustotal.source.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  virustotal.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  virustotal.scan_date: 2022-06-15 20:49:40
  virustotal.positives: 0
  virustotal.total: 55
  virustotal.permalink: https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1655326180
  integration: virustotal
  ```
Description

This issue aims to perform manual tests on the fix applied to the virustotal integration with Wazuh. As described in the related issue, a generated alert is now read using UTF-16, and if it could not be encoded it will be skipped and read the same way to detect all character types.

Test cases

The main test case is described in the pull request description (wazuh/wazuh#13531). Set the FIM module in real-time mode and configure the virustotal integration in the manager.
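The failure above, reproduced offline, as an added example that is not part of this issue and is not wazuh's own virustotal.py. It builds a constructed syscheck alert whose path contains é, writes it once as cp1252 bytes (so the path holds the single byte 0xE9 named in the ossec.log error) and once as UTF-8, and runs three readers over the file: a strict UTF-8 read, which raises the same UnicodeDecodeError the 4.3.4 manager logged; a UTF-8 read with errors="ignore", which drops the byte and yields tsting.txt, the shape the Windows 4.4.0 alert above shows; and a read that falls back to cp1252, which keeps tésting.txt. The alert layout, rule id, agent name and the choice of cp1252 as the fallback are assumptions of the example; the page does not say which decoding the patched script uses.

```python
"""Reproduce the integratord failure on a non-UTF-8 alert file and compare readers."""
import json
import os
import tempfile

# Constructed alert (not a capture from the tests above): only the fields the
# integration needs. The monitored path contains U+00E9, as in tésting.txt.
SAMPLE_ALERT = {
    "rule": {"id": "554", "groups": ["ossec", "syscheck"]},
    "agent": {"id": "001", "name": "WIN-TEST"},
    "syscheck": {
        "path": "c:\\users\\vagrant\\desktop\\testing\\tésting.txt",
        "md5_after": "7215ee9c7d9dc229d2921a40e899ec5f",
        "sha1_after": "b858cb282617fb0956d960215c8e84d1ccf909c6",
    },
}


def write_alert_file(alert: dict, encoding: str) -> str:
    """Serialise the alert keeping non-ASCII literal and encode it with `encoding`.

    With encoding="cp1252" (the Windows ANSI codepage, an assumption of this
    example) the "é" becomes the single byte 0xE9 that the ossec.log error names.
    """
    fd, path = tempfile.mkstemp(prefix="virustotal-", suffix=".alert")
    with os.fdopen(fd, "wb") as fh:
        fh.write(json.dumps(alert, ensure_ascii=False).encode(encoding))
    return path


def load_alert_strict(path: str) -> dict:
    """Text-mode UTF-8 read: raises UnicodeDecodeError on the 0xE9 byte."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def load_alert_dropping(path: str) -> dict:
    """UTF-8 with errors="ignore": never raises, but silently drops the bad bytes."""
    with open(path, "rb") as fh:
        return json.loads(fh.read().decode("utf-8", errors="ignore"))


def load_alert_tolerant(path: str, fallback: str = "cp1252") -> tuple:
    """Try UTF-8 first; on failure decode with a single-byte fallback codec.

    Returns (alert, codec_used). The fallback codec is an assumption of this
    example; a deployment would take it from the agent's configured codepage.
    """
    with open(path, "rb") as fh:
        raw = fh.read()
    try:
        return json.loads(raw.decode("utf-8")), "utf-8"
    except UnicodeDecodeError:
        return json.loads(raw.decode(fallback)), fallback


def file_name(alert: dict) -> str:
    """Basename of the monitored path, the part that ends up in the VirusTotal alert."""
    return alert["syscheck"]["path"].rsplit("\\", 1)[-1]


def compare_readers() -> dict:
    """Run the readers over a cp1252 alert and a UTF-8 alert; return what each yields."""
    results = {}
    cp1252_path = write_alert_file(SAMPLE_ALERT, "cp1252")
    utf8_path = write_alert_file(SAMPLE_ALERT, "utf-8")
    try:
        try:
            load_alert_strict(cp1252_path)
            results["strict"] = "ok"
        except UnicodeDecodeError as exc:
            results["strict"] = f"UnicodeDecodeError: {exc.reason}"
        results["dropping"] = file_name(load_alert_dropping(cp1252_path))
        alert, codec = load_alert_tolerant(cp1252_path)
        results["tolerant"] = (file_name(alert), codec)
        alert, codec = load_alert_tolerant(utf8_path)
        results["utf8_agent"] = (file_name(alert), codec)
    finally:
        os.unlink(cp1252_path)
        os.unlink(utf8_path)
    return results


if __name__ == "__main__":
    for reader, outcome in compare_readers().items():
        print(f"{reader:>10}: {outcome}")
```

Run it as a script to print the four outcomes. Whichever reader is used, the md5 and sha1 the integration submits are unaffected by the path encoding, so a dropped character costs the alert its exact filename, not its verdict. Separately, the integrations.log lines quoted above record the full argument list the integration script was invoked with; with wazuh-integratord the second argument is the api_key from ossec.conf, so that log file needs the same access restrictions as the configuration.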