Using Wazuh malicious file monitoring
Malicious file monitoring
Anomaly detection means looking for patterns in a system that do not match expected behaviour. Once malware (for example, a rootkit) is installed on a system, it modifies the system to hide itself from the user. Although malware uses many techniques to achieve this, Wazuh uses a broad range of methods to find anomalous patterns that indicate a possible intruder.
To use the VirusTotal detection service, register an account on the VirusTotal site: https://www.virustotal.com/gui/join-us. After registering and logging in, click the avatar at the top right and open the API key entry.
Public API
This method uses the free API, which exposes many VirusTotal features. However, it has some important limitations, for example:
- The request rate is limited to no more than four requests per minute
- This API gives low-priority access to requests handled by the VirusTotal engines
The VirusTotal documentation states that users who run honeyclients, honeypots, or any other automation that feeds resources to VirusTotal receive a higher request-rate quota and special privileges when making API calls.
On the manager, add the following configuration to /var/ossec/etc/ossec.conf:
<integration>
  <name>virustotal</name>
  <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
  <group>syscheck</group>
  <alert_format>json</alert_format>
</integration>
After saving, restart the manager:
systemctl restart wazuh-manager
On a host with the agent installed, place a virus test sample in a directory monitored by syscheck. The resulting alert looks like this:
{
  "agent": {
    "ip": "192.168.192.26",
    "name": "pabupgradetest01",
    "id": "001"
  },
  "manager": {
    "name": "sz-standalone-test-1"
  },
  "data": {
    "integration": "virustotal",
    "virustotal": {
      "sha1": "082b9d15a48a235a04f2500701c88c1212f50a4b",
      "malicious": "1",
      "total": "71",
      "found": "1",
      "positives": "51",
      "source": {
        "sha1": "082b9d15a48a235a04f2500701c88c1212f50a4b",
        "file": "/etc/beacon64.exe",
        "alert_id": "1661266887.1507457",
        "md5": "55a24cce34eb1156ed9487f1f5293bae"
      },
      "permalink": "https://www.virustotal.com/gui/file/35802e3d1202407613468554cc8d0589ce3fe049b6c885c2ea92380296925c06/detection/f-35802e3d1202407613468554cc8d0589ce3fe049b6c885c2ea92380296925c06-1661195364",
      "scan_date": "2022-08-22 19:09:24"
    }
  },
  "rule": {
    "firedtimes": 2,
    "mail": true,
    "level": 12,
    "pci_dss": [
      "10.6.1",
      "11.4"
    ],
    "description": "VirusTotal: Alert - /etc/beacon64.exe - 51 engines detected this file",
    "groups": [
      "virustotal"
    ],
    "mitre": {
      "technique": [
        "Exploitation for Client Execution"
      ],
      "id": [
        "T1203"
      ],
      "tactic": [
        "Execution"
      ]
    },
    "id": "87105",
    "gdpr": [
      "IV_35.7.d"
    ]
  },
  "decoder": {
    "name": "json"
  },
  "input": {
    "type": "log"
  },
  "@timestamp": "2022-08-23T15:01:31.535Z",
  "location": "virustotal",
  "id": "1661266891.1509593",
  "timestamp": "2022-08-23T23:01:31.535+0800",
  "_id": "wHA5y4IBjsjmrQAmKp8b"
}
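To consume these alerts downstream (for example, reading lines from alerts.json on the manager), here is an added Python example, not part of the original post or of Wazuh itself, that parses the alert shape shown above and assigns a triage verdict. The `min_positives` threshold, the "unknown" handling for hashes VirusTotal has never seen, and the trimmed sample alert are assumptions made for this example.

```python
import json
from dataclasses import dataclass
from typing import Optional
# Constructed sample (not a real capture), trimmed to the fields read below;
# the values mirror the alert shown in the post.
SAMPLE_ALERT = json.dumps({
    "data": {
        "integration": "virustotal",
        "virustotal": {
            "sha1": "082b9d15a48a235a04f2500701c88c1212f50a4b",
            "malicious": "1", "total": "71", "found": "1", "positives": "51",
            "source": {"file": "/etc/beacon64.exe"},
        },
    },
})

@dataclass
class VtVerdict:
    path: str
    found: bool     # False when VirusTotal has no record of the hash
    positives: int  # engines that flagged the file
    total: int      # engines that scanned it
    @property
    def ratio(self) -> float:
        return self.positives / self.total if self.total else 0.0

def parse_virustotal_alert(raw: str) -> Optional[VtVerdict]:
    """Pull the VirusTotal fields out of one alerts.json line; None if not a VT alert."""
    alert = json.loads(raw)
    data = alert.get("data", {})
    if data.get("integration") != "virustotal":
        return None
    vt = data.get("virustotal", {})
    found = vt.get("found") == "1"  # Wazuh emits these counters as strings
    return VtVerdict(
        path=vt.get("source", {}).get("file", "?"),
        found=found,
        positives=int(vt.get("positives", 0)) if found else 0,
        total=int(vt.get("total", 0)) if found else 0,
    )

def triage(v: VtVerdict, min_positives: int = 5) -> str:
    """Assumed escalation policy: an unknown hash is not the same as a clean file."""
    if not v.found:
        return "unknown"
    if v.positives >= min_positives:
        return "malicious"
    return "suspicious" if v.positives > 0 else "clean"
```

Because the free API allows only four lookups per minute, a burst of file changes in a monitored directory can leave some files without a VirusTotal record, which is why the "unknown" verdict is kept separate from "clean".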