I'm getting this error "wazuh-yara: error: Yara path and rules parameters are mandatory." and I installed multinode Wazuh on Ubuntu 20.4 and my agent is also the same OS
Great tutorial series. Waiting for a ransomware example with the active response feature.
Thanks for watching!
@@taylorwalton_socfortress can we create customised alert dashboard for soc team?? Like taking actions, escalation and remediation mail directly from console.
@@m0ns7er Hey Akash, of course. You can create your own rules via the Web UI under the Wazuh App -> Management -> Rules -> Custom Rules. You could put in the "rule description" what action should be taken by the SOC team. Some good documentation on syntax of rules can be found here: documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html . Possibilities are pretty limitless, just up to your own imagination. Thanks for watching!
Thanks
Hi, great tutorial. I have a question: I'm lost, where did you install the Yara rules, is it on the manager or on the agent? TIA. At 5:56
Yara rules are installed on the agent...thanks for watching!
Hi, great tutorial. I followed your instructions 1:1, but for some reason active response is not triggered on the agent when a file is added to the system. In Wazuh Manager that newly uploaded file is shown with ID 554. Any idea what could be the cause?
Maybe I missed it but my default config was not monitoring active-response.log therefore not reporting back to wazuh.
Hmm usually that is part of the default install. What OS did you deploy the agent on?
Does Yara need to be installed on the manager side or the agent side? I get this error, any ideas? Yara path and rules parameters are mandatory.
I have an environment with 300 servers and I believe that it will really be necessary to install yara in all of them in order to run it, create the log and send it to wazuh.
How can I make it work on an agent that is running on Windows Server? So far, I could not find anything that could point me in the right direction... Thanks :)
Hey Franthesco, you would probably need to take advantage of powershell. You could create a powershell script and use active response to call that script when a file upload rule is triggered. I will try digging into it and see if I can generate something for a video.
Thanks for watching!
This may help get you in the right direction. github.com/ahhh/PSSE/blob/master/Scan-with-Yara.ps1
@@taylorwalton_socfortress need tutorial how to make script for yara integration with wazuh on windows agents :D because no one shares about it
Me, too. It doesn't work for me. I did everything the same. My OS is Red Hat Enterprise Linux Server release 7.2 (Maipo) & CentOS Linux release 7.6.1810 (Core).
I don't know how to test this yara.sh? It always shows wazuh-yara: error: Yara path and rules parameters are mandatory. But I also set the same directory as your demo.
[root@yara yara-4.1.0]# pwd
/opt/yara-4.1.0
Hey Dai,
If you input the file path for the YARA_PATH and YARA_RULES variables in the yara.sh script that goes onto the Wazuh agent and run it, what is the output?
Thanks for watching!
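The error quoted throughout this thread comes from an argument guard at the top of the active-response script: the wrapper refuses to run unless it has both a Yara binary path and a rules file. The script below is an added example written for this page, not the Wazuh project's own yara.sh and not the script from the video. It assumes the wrapper is invoked as "-yara_path DIR -yara_rules FILE <file-to-scan>" and that it appends results to LOG_FILE (defaulting to the agent's active-responses.log, overridable for testing); the log line format and the extra exit codes for a missing binary or rules file are my own choices. Running it with the path and rules supplied, as suggested in the reply above, is the quickest way to tell whether the problem is the arguments or the Yara installation itself.

```shell
#!/bin/sh
# Added example (hypothetical reconstruction, not Wazuh's yara.sh):
# a minimal active-response wrapper around yara that shows the
# parameter guard behind "Yara path and rules parameters are mandatory."

LOG_FILE="${LOG_FILE:-/var/ossec/logs/active-responses.log}"
YARA_PATH=""
YARA_RULES=""
FILENAME=""

# Fill the three globals from the argument list.
# Anything that is not a recognised flag is taken as the file to scan.
parse_args() {
  YARA_PATH=""; YARA_RULES=""; FILENAME=""
  while [ "$#" -gt 0 ]; do
    case "$1" in
      -yara_path)  YARA_PATH="$2";  shift 2 ;;
      -yara_rules) YARA_RULES="$2"; shift 2 ;;
      *)           FILENAME="$1";   shift ;;
    esac
  done
}

# Validate what parse_args collected.
# Return codes: 0 ok, 1 missing parameters (the error from the thread),
# 2 no executable yara binary under YARA_PATH, 3 rules file not readable.
check_params() {
  if [ -z "$YARA_PATH" ] || [ -z "$YARA_RULES" ]; then
    echo "wazuh-yara: error: Yara path and rules parameters are mandatory." >&2
    return 1
  fi
  if [ ! -x "$YARA_PATH/yara" ]; then
    echo "wazuh-yara: error: no executable yara binary in $YARA_PATH" >&2
    return 2
  fi
  if [ ! -r "$YARA_RULES" ]; then
    echo "wazuh-yara: error: rules file $YARA_RULES is not readable" >&2
    return 3
  fi
  return 0
}

# Run yara once over FILENAME, append one log line per matching rule to
# LOG_FILE, and print the number of matches on stdout.
scan_file() {
  output=$("$YARA_PATH/yara" -w -r "$YARA_RULES" "$FILENAME" 2>/dev/null)
  hits=0
  if [ -n "$output" ]; then
    old_ifs=$IFS
    IFS='
'
    for line in $output; do
      echo "wazuh-yara: INFO - Scan result: $line" >> "$LOG_FILE"
      hits=$((hits + 1))
    done
    IFS=$old_ifs
  fi
  echo "$hits"
}

# Stand-alone use: ./yara_wrapper.sh -yara_path /opt/yara-4.1.0 -yara_rules /path/rules.yar /path/file
if [ "$#" -gt 0 ]; then
  parse_args "$@"
  check_params || exit $?
  scan_file
fi
```

When troubleshooting the error from the thread, run the wrapper by hand with explicit -yara_path and -yara_rules values: exit code 1 means the active-response configuration is not passing the parameters at all, while 2 or 3 means the paths are passed but do not match the Yara install on the agent.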
Hi, have you solved it?
I've got the same issue :(
It doesn't work for me. I did everything the same.
What OS are you running on? Does the script run fine if you just run it by itself?