Hi Taylor! I work in the health care system in Canada and thanks to you I'm building a pretty solid Wazuh PoC to show higher management in order to steer them away from Microsoft Defender as a potential EDR on the Linux servers my devops team and I manage. You have no idea how valuable your videos are. Thank you so much my dude!
Thank you for your videos Taylor! I noticed since your quarantined folder resides within /tmp, /tmp is flushed every 10 days by default. So your scanning script may want to check if /tmp/quarantine exists before moving the file, and if it doesn't exist it could create it. Just another conditional if/then. But once again, thank you! I just subscribed.
That signature-base has some .yar files that are getting flagged by antivirus scanners on VirusTotal?!
This is fantastic. I didn't realize Wazuh had this capability.
Taking this to the next logical step, you can replace the simple YARA scanning with more in-depth scanning such as VirusTotal hash checking, multi-AV scanning frameworks like IRMA, or possibly going further with AssemblyLine4, which could send files directly to CAPE sandbox, which can do behavioral analysis along with a dozen other scanning tools. This is assuming that your setup is OK with waiting 6-10 minutes for analysis when scanning an executable file.
Can Wazuh do any type of pre-filtering prior to sending files for scanning? For example, say you wanted to scan every file a user downloads and filter it based on filetype, file extension, or filesize.
PS. I don't think I've ever heard anyone refer to Florian Roth's (one of the creators of SIGMA) repo as Neo23x0 and it made me smile.
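The two suggestions above (re-create the quarantine directory if /tmp cleanup removed it, and pre-filter by extension, size and file header before handing a file to the scanner) fit naturally into one small wrapper. The script below is an added example and is not from the video or from Wazuh; it assumes a compiled YARA rule file at a placeholder path, a quarantine directory that defaults to /tmp/quarantine, and a 50 MiB size cap, all of which are overridable through environment variables.

```shell
#!/bin/sh
# Added example (not the video's or Wazuh's own script): scan step for an
# active-response style hook with a resilient quarantine directory and a
# cheap pre-filter so only candidate files reach yara.
QUARANTINE_DIR="${QUARANTINE_DIR:-/tmp/quarantine}"      # may be flushed by /tmp cleanup
RULES="${RULES:-/path/to/compiled_rules.yarc}"           # placeholder: compiled with yarac
MAX_SIZE_BYTES="${MAX_SIZE_BYTES:-52428800}"             # 50 MiB, skip anything larger

# Re-create the quarantine directory if it has disappeared; owner-only access.
ensure_quarantine() {
  if [ ! -d "$QUARANTINE_DIR" ]; then
    mkdir -p "$QUARANTINE_DIR" || return 1
    chmod 700 "$QUARANTINE_DIR"
  fi
  return 0
}

# Pre-filter: return 0 (scan) for executables by extension, mode bit or
# PE/ELF magic bytes within the size cap; return 1 (skip) otherwise.
should_scan() {
  f="$1"
  [ -f "$f" ] || return 1
  size=$(( $(wc -c < "$f") + 0 ))          # arithmetic strips padding from wc
  [ "$size" -le "$MAX_SIZE_BYTES" ] || return 1
  case "$f" in
    *.exe|*.dll|*.so|*.elf|*.bin|*.sh|*.py|*.js|*.ps1) return 0 ;;
  esac
  [ -x "$f" ] && return 0
  magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')   # first four bytes as hex
  case "$magic" in
    4d5a*|7f454c46*) return 0 ;;              # "MZ" (PE) or "\x7fELF"
  esac
  return 1
}

# Move a file into quarantine under a unique name and print the new path.
quarantine_file() {
  ensure_quarantine || return 1
  src="$1"
  dest="$QUARANTINE_DIR/$(basename "$src").$(date +%s).$$"
  mv -- "$src" "$dest" || return 1
  chmod 000 "$dest"                          # nobody executes it by accident
  printf '%s\n' "$dest"
}

# Full step: pre-filter, run yara with the compiled rules, quarantine on match.
scan_file() {
  f="$1"
  should_scan "$f" || { printf 'skip (filtered): %s\n' "$f"; return 0; }
  command -v yara >/dev/null 2>&1 || { printf 'yara not installed\n' >&2; return 2; }
  matches=$(yara -C "$RULES" -- "$f" 2>/dev/null)   # -C loads a yarac-compiled file
  if [ -n "$matches" ]; then
    dest=$(quarantine_file "$f") || return 1
    printf 'quarantined %s -> %s\n%s\n' "$f" "$dest" "$matches"
  else
    printf 'clean: %s\n' "$f"
  fi
}

# Usage when run directly: sh scan.sh /path/to/downloaded/file ...
if [ "$#" -gt 0 ]; then
  for f in "$@"; do scan_file "$f"; done
fi
```

The extension list and size cap are starting points; the magic-byte check catches renamed PE/ELF files that the extension filter would miss, which is the case the pre-filter question is really about.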
Great cyber security project for beginners!
Hi Taylor, have you experimented with custom rules for specific URLs? I tried it but there is no alert showing. Can you help me? Thanks
Can you implement a sandbox as well?
Just wanted to ask why you didn't do this with Wazuh, Elasticsearch and Kibana, and the thing is that I really need it!
Where are you running your cloud? Can you explain to me or make a video of Cuckoo sandbox on AWS (any cloud you prefer) for running dynamic malware testing? I don't know how to do a complete setup, nor whether we can run malware tests on AWS cloud. Could you please clarify this for me?
Great Video !
Hi Taylor~
If the agent is Windows, how does YARA determine the Windows user profile name variable? I can only set a fixed username to make it work. If I use %userprofile% I cannot capture the path.
'promosm' 🙄
Hello Taylor, I followed your instructions but there's been an error:
/usr/share/yara/yara-4.2.3/yarac
Where is yarac? I can't seem to find it in the yara-4.2.3 dir.
Hi bro, I would like to implement the YARA rules but I have a problem in the compilation. When I execute the yara_update_rules.sh I get this error:
"error: rule "PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0" in /usr/local/signature-base/yara/yara-rules_vuln_drivers_strict_renamed.yar(6830): undefined identifier "filename"" and many other lines like that
I have the same error, did you fix it bro?