doremi666

Reputation: 141

Integrate Wazuh with Yara failed

I configured agent.conf with the following:

<agent_config>
    <!-- File integrity monitoring -->
    <syscheck>
        <disabled>no</disabled>
        <!-- Frequency that syscheck is executed default every 12 hours -->
        <frequency>60</frequency>
        <scan_on_start>yes</scan_on_start>
        <!-- Directories to check  (perform all possible verifications) -->
        <directories>/etc,/usr/bin,/usr/sbin</directories>
        <directories>/bin,/sbin,/boot</directories>
        <directories check_all="yes" realtime="yes">/home</directories>
        <directories check_all="yes" realtime="yes">/root</directories>
        <alert_new_files>yes</alert_new_files>
        <!-- Files/directories to ignore -->
        <ignore>/etc/mtab</ignore>
        <ignore>/etc/hosts.deny</ignore>
        <ignore>/etc/mail/statistics</ignore>
        <ignore>/etc/random-seed</ignore>
        <ignore>/etc/random.seed</ignore>
        <ignore>/etc/adjtime</ignore>
        <ignore>/etc/httpd/logs</ignore>
        <ignore>/etc/utmpx</ignore>
        <ignore>/etc/wtmpx</ignore>
        <ignore>/etc/cups/certs</ignore>
        <ignore>/etc/dumpdates</ignore>
        <ignore>/etc/svc/volatile</ignore>
        <!-- File types to ignore -->
        <ignore type="sregex">.log$|.swp$</ignore>
        <!-- Check the file, but never compute the diff -->
        <nodiff>/etc/ssl/private.key</nodiff>
        <skip_nfs>yes</skip_nfs>
        <skip_dev>yes</skip_dev>
        <skip_proc>yes</skip_proc>
        <skip_sys>yes</skip_sys>
        <!-- Nice value for Syscheck process -->
        <process_priority>10</process_priority>
        <!-- Maximum output throughput -->
        <max_eps>100</max_eps>
        <!-- Database synchronization settings -->
        <synchronization>
            <enabled>yes</enabled>
            <interval>5m</interval>
            <max_interval>1h</max_interval>
            <max_eps>10</max_eps>
        </synchronization>
    </syscheck>
    <command>
        <name>yara</name>
        <executable>yara</executable>
        <extra-args>-yara_path /usr/local/bin -yara_rules /tmp/yara/rules/index.yar</extra-args>
        <timeout_allowed>no</timeout_allowed>
    </command>
    <active-response>
        <command>yara</command>
        <location>local</location>
        <rules_id>550,554</rules_id>
    </active-response>
</agent_config>

Yara is working if I run it manually via cmd. FIM did detect the newly downloaded malicious file but the Wazuh active response is not working. There is no log found in active-response.log.

Below is the yara.sh stored in the /var/ossec/active-response/bin folder:

#!/bin/bash
# Wazuh - Yara active response
# Copyright (C) 2015-2022, Wazuh Inc.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
#------------------------- Gather parameters -------------------------#

# Static active response parameters
LOCAL=$(dirname "$0")

# Extra arguments: wazuh-execd writes one JSON object to stdin. The
# <extra-args> string is split on spaces, so "-yara_path <dir> -yara_rules
# <file>" ends up in extra_args[1] and extra_args[3].
read -r INPUT_JSON
YARA_PATH=$(echo "$INPUT_JSON" | jq -r '.parameters.extra_args[1]')
YARA_RULES=$(echo "$INPUT_JSON" | jq -r '.parameters.extra_args[3]')
FILENAME=$(echo "$INPUT_JSON" | jq -r '.parameters.alert.syscheck.path')
COMMAND=$(echo "$INPUT_JSON" | jq -r '.command')

# Move to the active response folder (/var/ossec/active-response)
cd "$LOCAL" || exit 1
cd ../ || exit 1

# Set LOG_FILE path (resolves to /var/ossec/logs/active-responses.log)
BASE_DIR=$(pwd)
LOG_FILE="${BASE_DIR}/../logs/active-responses.log"

#----------------------- Analyze parameters -----------------------#

if [[ ! $YARA_PATH ]] || [[ ! $YARA_RULES ]]
then
  echo "wazuh-yara: ERROR - Yara active response error. Yara path and rules parameters are mandatory." >> "${LOG_FILE}"
  exit 1
fi

#------------------------ Analyze command -------------------------#
if [ "${COMMAND}" = "add" ]
then
  # Send control message to execd and wait for its "continue" / "abort" reply
  printf '{"version":1,"origin":{"name":"yara","module":"active-response"},"command":"check_keys", "parameters":{"keys":[]}}\n'

  read -r RESPONSE
  COMMAND2=$(echo "$RESPONSE" | jq -r '.command')
  if [ "${COMMAND2}" != "continue" ]
  then
    echo "wazuh-yara: INFO - Yara active response aborted." >> "${LOG_FILE}"
    exit 1
  fi
fi

#------------------------- Main workflow --------------------------#

# Execute Yara scan on the specified filename
yara_output="$("${YARA_PATH}"/yara -w -r "$YARA_RULES" "$FILENAME")"

if [[ $yara_output != "" ]]
then
  # Iterate every detected rule and append it to the LOG_FILE
  while read -r line; do
    echo "wazuh-yara: INFO - Scan result: $line" >> "${LOG_FILE}"
  done <<< "$yara_output"
fi

# Scan finished; any matches are already in LOG_FILE
exit 0

Is there anything I missed out to configure?

Upvotes: 0

Views: 409
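One way to exercise a yara.sh like the one above without waiting for a real FIM alert is to feed it the same stdin message wazuh-execd would. The Python harness below is an added example, not code from the question or from Wazuh: it builds an execd "add" message (version 1 protocol) for a constructed syscheck alert, resolves the two extra_args indices the script relies on, and drives the script through its check_keys/continue handshake. The alert body, the node name "node01" and the sample file path are constructed; the message layout follows the documented active response protocol.

```python
import json
import subprocess


def build_execd_message(syscheck_path, extra_args, rule_id="554",
                        program="/var/ossec/active-response/bin/yara.sh"):
    """Build the JSON object wazuh-execd writes to the script's stdin.

    execd splits the <extra-args> string on spaces into the extra_args array,
    which is why yara.sh reads the Yara path from index 1 and the rules file
    from index 3. The alert body is a constructed sample, not a real alert.
    """
    return {
        "version": 1,
        "origin": {"name": "node01", "module": "wazuh-execd"},
        "command": "add",
        "parameters": {
            "extra_args": extra_args.split(),
            "alert": {
                "rule": {"id": rule_id, "level": 5,
                         "description": "File added to the system."},
                "syscheck": {"path": syscheck_path, "event": "added"},
            },
            "program": program,
        },
    }


def extract_yara_params(message):
    """Resolve the same three fields yara.sh pulls out with jq."""
    params = message["parameters"]
    return (params["extra_args"][1],
            params["extra_args"][3],
            params["alert"]["syscheck"]["path"])


def drive_script(script, message, timeout=60):
    """Run an active-response script the way execd does; return its exit code.

    `script` is a path or an argv list. The message goes in on stdin; if the
    script answers with a check_keys control message (as the yara.sh in the
    question does), reply "continue" so the scan proceeds.
    """
    argv = script if isinstance(script, list) else [script]
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True)
    proc.stdin.write(json.dumps(message) + "\n")
    proc.stdin.flush()
    control = proc.stdout.readline()
    try:
        wants_keys = json.loads(control).get("command") == "check_keys"
    except ValueError:
        wants_keys = False          # no (or non-JSON) control message
    if wants_keys:
        reply = {"version": 1,
                 "origin": {"name": "node01", "module": "wazuh-execd"},
                 "command": "continue", "parameters": {}}
        proc.stdin.write(json.dumps(reply) + "\n")
        proc.stdin.flush()
    proc.stdin.close()
    try:
        return proc.wait(timeout=timeout)
    finally:
        proc.stdout.close()


if __name__ == "__main__":
    msg = build_execd_message(
        "/root/sample.bin",
        "-yara_path /usr/local/bin -yara_rules /tmp/yara/rules/index.yar")
    print("script will see:", extract_yara_params(msg))
    print("exit code:", drive_script("/var/ossec/active-response/bin/yara.sh", msg))
```

Run it as root on the agent and then check /var/ossec/logs/active-responses.log: if a "Scan result" line appears, the script and jq are fine and the problem is in how execd is (or is not) invoking it.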

Answers (1)

mcarmona99

Reputation: 1

The active-response and command configuration blocks cannot be in the agent.conf file, as both are part of the manager's configuration and therefore must be in the manager's ossec.conf. Apart from this change, you also need to modify the executable name, as it must include the file extension (.sh).

<command>
    <name>yara</name>
    <executable>yara.sh</executable>
    <extra-args>-yara_path /usr/local/bin -yara_rules /tmp/yara/rules/index.yar</extra-args>
    <timeout_allowed>no</timeout_allowed>
</command>
<active-response>
    <command>yara</command>
    <location>local</location>
    <rules_id>550,554</rules_id>
</active-response>

Also, note that the yara.sh script must be present on all the agents where you want to perform the Yara integration (in the agents' /var/ossec/active-response/bin folder).

Check that the file ownership and permissions are the proper ones, root:wazuh and 750, respectively. jq also needs to be installed on all the agents.

If you still have problems, have a look at the manager's ossec.log file to find error logs or warnings. You can also enable debug mode for the daemon in charge of active response to see more logs in ossec.log. To do that, add the following line to the manager's /var/ossec/etc/local_internal_options.conf and restart the service:

execd.debug=2

Upvotes: 0
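The checks in the answer above are easy to get wrong on a fleet, so here is an added Python checker (not part of the answer or of Wazuh) that turns them into a script: it flags <command>/<active-response> blocks found inside agent.conf, <executable> values without a file extension in the manager's ossec.conf, a script in active-response/bin whose mode or owner differs from 750 root:wazuh, and whether jq is on PATH. The expected owner, group and mode come from the answer; the XML used in the usage and test is constructed.

```python
import grp
import os
import pwd
import shutil
import stat
import xml.etree.ElementTree as ET

# Blocks that wazuh-execd reads only from the manager's ossec.conf.
MANAGER_ONLY_BLOCKS = ("command", "active-response")


def _parse_fragment(xml_text):
    # ossec.conf may contain several top-level <ossec_config> elements, so wrap
    # the text in a synthetic root before handing it to ElementTree.
    return ET.fromstring("<root>" + xml_text + "</root>")


def lint_agent_conf(xml_text):
    """Flag <command>/<active-response> blocks that sit in agent.conf."""
    findings = []
    for top in _parse_fragment(xml_text):          # each <agent_config>
        for child in top:
            if child.tag in MANAGER_ONLY_BLOCKS:
                findings.append(f"<{child.tag}> in agent.conf is ignored; "
                                "move it to the manager's ossec.conf")
    return findings


def lint_manager_commands(xml_text):
    """Flag <executable> values with no extension (execd needs the exact file name)."""
    findings = []
    for cmd in _parse_fragment(xml_text).iter("command"):
        exe = cmd.findtext("executable")
        if exe is None:            # <command> inside <active-response> has none
            continue
        name = cmd.findtext("name", "?")
        if "." not in os.path.basename(exe):
            findings.append(f"command '{name}': executable '{exe}' has no extension; "
                            f"the file in active-response/bin must match exactly, e.g. '{exe}.sh'")
    return findings


def lint_script(path, owner="root", group="wazuh", mode=0o750):
    """Check an agent's active-response script for the expected mode and ownership."""
    if not os.path.isfile(path):
        return [f"{path}: missing on this agent"]
    st = os.stat(path)
    findings = []
    actual_mode = stat.S_IMODE(st.st_mode)
    if actual_mode != mode:
        findings.append(f"{path}: mode {actual_mode:o}, expected {mode:o}")
    try:
        actual_owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        actual_owner = str(st.st_uid)
    try:
        actual_group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        actual_group = str(st.st_gid)
    if (actual_owner, actual_group) != (owner, group):
        findings.append(f"{path}: owner {actual_owner}:{actual_group}, "
                        f"expected {owner}:{group}")
    return findings


def jq_available():
    """yara.sh parses execd's JSON with jq, so jq must exist on every agent."""
    return shutil.which("jq") is not None


if __name__ == "__main__":
    import sys
    # usage: python3 ar_lint.py <agent.conf> <manager ossec.conf> <yara.sh path>
    if len(sys.argv) != 4:
        sys.exit("usage: ar_lint.py AGENT_CONF OSSEC_CONF SCRIPT")
    with open(sys.argv[1]) as f:
        report = lint_agent_conf(f.read())
    with open(sys.argv[2]) as f:
        report += lint_manager_commands(f.read())
    report += lint_script(sys.argv[3])
    if not jq_available():
        report.append("jq is not on PATH; yara.sh cannot parse the execd message")
    print("\n".join(report) or "no findings")
```

Run the agent.conf and script checks on each agent and the ossec.conf check on the manager; an empty report means the placement, naming, permission and jq points from the answer are all satisfied.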
