Include a yara.sh active response script to detect malicious files in Linux/Unix endpoints out-of-the-box using YARA #16637
Labels: feed/active response (Active response scripts, not the module), level/task, module/active response, type/enhancement/usability
Description

This issue aims to have a unified yara.sh script that can be used to detect malicious files on Linux/Unix endpoints. This out-of-the-box script removes the need for users to write their own detection scripts, which may not be effective across a wide range of events.

Sample script
This is a sample of a yara.sh script that can be improved and included out-of-the-box.

Expected configuration
On the Wazuh server, configure the yara.sh active response script to be executed when specific rule IDs, rule groups or rule levels are triggered.

Reference: [Using the YARA integration and FIM](https://documentation.wazuh.com/current/proof-of-concept-guide/detect-malware-yara-integration.html)
Expected execution flow

The steps for the execution of the yara.sh active response script will be:

Detection alert samples
Expected outcome: the file /home/user/script.sh is deleted.

Fields of interest: data.file_path

Alert generation guide: [Using the YARA integration and FIM](https://documentation.wazuh.com/current/proof-of-concept-guide/detect-malware-yara-integration.html)
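An added example of what such a script could look like (this is not the sample attached to the issue and not Wazuh's own code). It assumes the active response request arrives as JSON on stdin in the Wazuh 4.x format, that the scanned path is in the data.file_path field named above, and that the yara binary and rules file are at the (hypothetical) paths in the variables.

```sh
#!/bin/sh
# Added example of a yara.sh active response for Wazuh agents on Linux/Unix.
# Assumed (not taken from the issue): the active response request arrives as
# JSON on stdin (Wazuh 4.x format), the scanned path is in data.file_path, and
# the yara binary / rules file live at the paths below (override via environment).
YARA_BIN="${YARA_BIN:-/usr/local/bin/yara}"
YARA_RULES="${YARA_RULES:-/var/ossec/ruleset/yara/rules.yar}"   # hypothetical path
LOG_FILE="${LOG_FILE:-/var/ossec/logs/active-responses.log}"

# Append one timestamped line that the manager can later collect and decode.
log_event() {
    printf '%s wazuh-yara: %s\n' "$(date '+%Y/%m/%d %H:%M:%S')" "$1" >> "$LOG_FILE"
}

# Pull data.file_path out of the alert JSON without requiring jq.
extract_file_path() {
    printf '%s' "$1" | tr -d '\n' |
        sed -n 's/.*"file_path"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Scan one file; print the names of matching rules, one per line (nothing if clean).
scan_file() {
    "$YARA_BIN" -w "$YARA_RULES" "$1" 2>/dev/null | awk '{ print $1 }'
}

# Returns 0 when the file matched and was deleted, 1 on a bad path, 2 when clean.
handle_alert() {
    path=$(extract_file_path "$1")
    case "$path" in
        /*) ;;
        *) log_event "ERROR: alert has no absolute data.file_path"; return 1 ;;
    esac
    [ -f "$path" ] || { log_event "INFO: $path is not a regular file, skipping"; return 1; }
    matches=$(scan_file "$path")
    if [ -z "$matches" ]; then
        log_event "INFO: no YARA match for $path"
        return 2
    fi
    for rule in $matches; do
        log_event "INFO: YARA match rule=$rule file=$path"
    done
    rm -f -- "$path" && log_event "INFO: deleted $path" || log_event "ERROR: could not delete $path"
}

# Only act when invoked as yara.sh, so the functions can also be sourced for testing.
case "${0##*/}" in
    yara.sh) handle_alert "$(cat)" ;;
esac
```

Deployed under the agent's active-response/bin directory, the script only deletes a regular file at an absolute path that produced at least one YARA rule match, and writes every decision to active-responses.log so the manager can raise a follow-up alert.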
General notes