Here is a step-by-step procedure to integrate YARA with Wazuh:

1. Install YARA on the endpoint that runs the Wazuh agent. Wazuh does not scan files itself; it invokes the `yara` binary through an active response, so the binary has to be on the host where the files live (for a single-host lab that can be the Wazuh server itself). YARA matches files against textual or binary patterns [1][3][4].
2. Create a YARA rule file that contains the patterns to be matched. Write it by hand or download it from a trusted source, and keep it on the same host as the `yara` binary [1][2][4].
3. Configure the Wazuh manager to use the integration: add an active-response `<command>` that points to the `yara.sh` script and passes the YARA binary path and the rule file path as extra arguments, plus an `<active-response>` block that triggers that command from the rule IDs you choose [1][2][4].
4. Restart the Wazuh manager to apply the configuration changes [2].
5. Test the integration by placing a file that matches the rule file into a directory monitored by Wazuh File Integrity Monitoring (syscheck). The FIM alert triggers the active response, YARA scans the file, and Wazuh should raise an alert for the match [2][4].
6. (Optional) Have the active response quarantine or delete files that match, instead of only logging the scan result [2][5][6].

Here is an example of how to configure Wazuh to use the YARA integration:

1. Install YARA using the package manager or by compiling from source [1][4].
2. Create a YARA rule file named `malware.yar`. The rule below is deliberately simple: it matches any file that contains either string.

```
rule malware
{
    strings:
        $s1 = "malware"
        $s2 = "virus"
    condition:
        any of them
}
```

3. Add the following to the Wazuh manager's configuration file (`/var/ossec/etc/ossec.conf`):

```
<ossec_config>
  ...
  <command>
    <name>yara_linux</name>
    <executable>yara.sh</executable>
    <extra_args>-yara_path /usr/bin -yara_rules /path/to/malware.yar</extra_args>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <command>yara_linux</command>
    <location>local</location>
    <rules_id>100300,100301</rules_id>
  </active-response>
  ...
</ossec_config>
```

This configuration defines an active-response command named `yara_linux` that runs the `yara.sh` script (which must exist in `/var/ossec/active-response/bin/` on the agent) with the directory containing the `yara` binary and the `malware.yar` rule file as extra arguments. `<location>local</location>` runs the script on the agent that produced the alert. `rules_id` does not filter YARA output; it lists the Wazuh rule IDs whose alerts trigger the response. In this example those are `100300` and `100301`, custom FIM rules (not shown here) that fire when a file is added to or modified in the monitored directory [2]. Older configurations also carried an `<expect>filename</expect>` element inside `<command>`; current Wazuh 4.x releases no longer use it and instead hand the whole alert to the script as JSON on standard input.

4. Restart the Wazuh manager to apply the configuration changes:

```
$ sudo systemctl restart wazuh-manager
```

5. Test the integration by copying a file that contains `malware` or `virus` into the FIM-monitored directory referenced by rules `100300` and `100301`. The resulting FIM alert triggers `yara.sh`, which scans the file and writes the scan result to the agent's `active-responses.log`. For that result to become a Wazuh alert, the manager also needs a decoder and a rule for the lines the script writes; the configuration above does not include them.

6. (Optional) To quarantine or delete matching files, extend the `yara.sh` script itself. The `<command>` and `<active-response>` pair only decides when the script runs and with which arguments; what happens to a file that matches `malware.yar` (log it, move it to a quarantine directory, or remove it) is decided inside the script. The `yara_linux` command and the `<active-response>` block from step 3 apply unchanged [2][5][6].
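The following is an added example written for this page, not the `yara.sh` from Wazuh's documentation or the page's own code. It implements the active-response side of the procedure above in Python: it reads the alert that Wazuh 4.x passes to an active-response script as one JSON line on standard input, pulls the `-yara_path` and `-yara_rules` values out of `parameters.extra_args` (the names from the `<extra_args>` line above) and the scanned file from `parameters.alert.syscheck.path`, waits for the file to finish being written (a FIM "added" event can fire mid-write), runs the `yara` CLI, and writes scan results in a fixed `wazuh-yara: INFO - Scan result: <rule> <file>` shape that a manager-side decoder can match. The optional quarantine step from step 6 is included behind a flag. The `SAMPLE_INPUT` payload is constructed for the example, the scanned path is made up, and `QUARANTINE_DIR` is a hypothetical location rather than a Wazuh default.

```python
#!/usr/bin/env python3
# Added example for this page (not Wazuh's yara.sh). Assumes Wazuh 4.x AR input:
# one JSON line on stdin carrying parameters.extra_args (the page's -yara_path /
# -yara_rules pair) and parameters.alert.syscheck.path; a `yara` binary in the
# yara_path directory; QUARANTINE_DIR is a hypothetical location, not a default.
import json, os, shutil, subprocess, sys, time

LOG_FILE = "logs/active-responses.log"    # relative to /var/ossec, the AR working dir
QUARANTINE_DIR = "/var/ossec/quarantine"   # hypothetical
QUARANTINE = False                         # step 6: set True to act on matches

# Constructed sample of the stdin payload, trimmed to the fields used here.
SAMPLE_INPUT = json.dumps({"command": "add", "parameters": {
    "extra_args": ["-yara_path", "/usr/bin", "-yara_rules", "/path/to/malware.yar"],
    "alert": {"rule": {"id": "100301"}, "syscheck": {"path": "/tmp/yara/malware/dropper.bin"}}}})


def parse_extra_args(extra_args):
    """['-yara_path', '/usr/bin', '-yara_rules', '/x.yar'] -> {'yara_path': ..., 'yara_rules': ...}"""
    opts, i = {}, 0
    while i + 1 < len(extra_args):
        if extra_args[i].startswith("-"):
            opts[extra_args[i].lstrip("-")] = extra_args[i + 1]
            i += 1
        i += 1
    return opts


def parse_ar_input(raw):
    """Return (yara_path, rules_file, scanned_file); reject missing mandatory fields."""
    params = json.loads(raw).get("parameters", {})
    opts = parse_extra_args(params.get("extra_args", []))
    filename = params.get("alert", {}).get("syscheck", {}).get("path")
    if not opts.get("yara_path") or not opts.get("yara_rules"):
        raise ValueError("yara_path and yara_rules are mandatory")
    if not filename:
        raise ValueError("alert carries no syscheck.path")
    return opts["yara_path"], opts["yara_rules"], filename


def parse_yara_output(output):
    """yara prints 'rule_name file_path' per match; paths may contain spaces, so
    split on the first space only."""
    matches = []
    for line in output.splitlines():
        if line.strip():
            rule, _, path = line.strip().partition(" ")
            matches.append((rule, path))
    return matches


def format_log_line(rule, path):
    """Fixed shape a manager-side decoder can parse back into rule and file."""
    return f"wazuh-yara: INFO - Scan result: {rule} {path}"


def wait_until_stable(path, interval=1.0, max_wait=30.0):
    """FIM can fire before the writer has finished; wait for the size to settle.
    Returns False if the file vanishes or never settles within max_wait."""
    deadline, last = time.monotonic() + max_wait, -1
    while time.monotonic() < deadline:
        try:
            size = os.path.getsize(path)
        except OSError:
            return False
        if size == last:
            return True
        last = size
        time.sleep(interval)
    return False


def run_yara(yara_path, rules, path):
    """Run the yara CLI (-w: suppress warnings, -r: recurse into directories)."""
    proc = subprocess.run([os.path.join(yara_path, "yara"), "-w", "-r", rules, path],
                          capture_output=True, text=True, check=False)
    return parse_yara_output(proc.stdout)


def quarantine(path, dest_dir=QUARANTINE_DIR):
    """Move a matching file aside rather than deleting evidence."""
    os.makedirs(dest_dir, mode=0o700, exist_ok=True)
    target = os.path.join(dest_dir, os.path.basename(path) + ".quarantined")
    shutil.move(path, target)
    return target


def main():
    yara_path, rules, filename = parse_ar_input(sys.stdin.readline())
    with open(LOG_FILE, "a") as log:
        if not wait_until_stable(filename):
            log.write(f"wazuh-yara: ERROR - {filename} missing or still being written\n")
            return 1
        matches = run_yara(yara_path, rules, filename)
        for rule, path in matches:
            log.write(format_log_line(rule, path) + "\n")
        if matches and QUARANTINE:
            log.write(f"wazuh-yara: INFO - Quarantined {filename} as {quarantine(filename)}\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

To use it in place of `yara.sh`, install it as `/var/ossec/active-response/bin/yara.py` on the agent, owned by `root:wazuh` with mode `750`, and set `<executable>yara.py</executable>` in the `<command>` block. The log line format is the contract with the manager: whatever decoder you write for `active-responses.log` should key on the `wazuh-yara:` prefix and capture the rule name and file path that follow `Scan result:`. Quarantining (moving the file into a root-only directory) is preferred over deletion in the example because it preserves the sample for incident response.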