Auto Remove Malware With Wazuh Active Response! - Let's Build a Host Intrusion Detection System

Hey there, yes looking to bring more active response with windows soon. However, in the below video, I used active response with wazuh to call a powershell script and could help as an example: ruclips.net/video/dFHfH_f47Ms/видео.html

Hey there, did you make sure the real time monitoring was enabled on the directory you are downloading the file to? Below is an example of the "opt" directory:
/opt

Hey Watchkeeper, I do not have slack but you can join the discord server and get assistance there: discord.gg/MzkFP9yE9V

Hey Peinrpple, have you made sure to add the active response block within the ossec.conf file?
Let me know and thanks for watching!

@@taylorwalton_socfortress Yep, have added the active response block at ossec.conf already. Active response for blocking attackers like in video #7 works, but not for this.

@@shijieteosj Do you see any entries on the wazuh agent within the /var/ossec/logs/active-responses.log....if not, are permissions and ownership for the bash scripts set correctly on the wazuh manager and wazuh agent?

@@taylorwalton_socfortress The active responses log on the agent is unfortunately empty. As for the bash scripts, they have been set to +x permissions, with owners being root:ossec

Hey Saket, Do you see active response attempt to run? Have a look at the /var/ossec/logs/activeresponse.log file on the manager and the agent and let me know what entries are within those files. For faster help, join us on our Discord server and hopefully us and the community can help you out!
discord.gg/MzkFP9yE9V
Thanks for watching

Hey Waleed, are you seeing the positive virustotal alert?

@@taylorwalton_socfortress yes I can see the file added and then the positive alert from virustotal but the rest is not working

Hey Zubair, what does your active response settings look like? You may need to include the Active Response tag.

@@taylorwalton_socfortress I already did that which wazuh version you are using?

@@thezubairrahim 4.1.5. If you run the the remove.sh by itself what is the output you get?

@@taylorwalton_socfortress Hi, same problem here, it says: ossec-integratord: ERROR: Couldn't execute command (/var/ossec/integrations/custom-remove-threat /tmp/custom-remove-threat-1626733235--779629725.alert > /dev/null 2>&1). Check file and permissions. But permissions are set to root:ossec

@@SimoneScanavini Hey Simone, is the remove-threat script also an executable? This is done with the "chmod +x /var/ossec/integrations/custom-remove-threat" command

Hey Neo, while this is a great addition there are a few catches. First we are depending on VirusTotal's API service to be running and accessible from our Wazuh Manager. A break in internet connectivity would cause a timeout error or a break within our wazuh-manager would allow the malicious software, script, etc to run. Second VirusTotal has the ability to limit the number of API request you make per day. You can pay for the ability to submit more requests as you need but if you exceed your per day limit, they will deny future requests. Third, although the API calls are fast, depending on the actions of the malicious file, exe, bin, etc., it could still have time to execute before the Wazuh-Manager has made the request to Virustotal, gotten back the response, determined the file is malicious, and sends the active response command to the agent. By no means does this replace a dedicated antivirus solution but is a great other defense tactic we can implement. I plan an exploring dedicated opensource antivirus solutions in future videos so please stay tuned. Thanks for watching :)

Hey Karl, what rule ID do you have setup for active response? Are you seeing any output from the /var/ossec/logs/activeresponse.log?

@@taylorwalton_socfortress This is my config:
custom-remove-threat
87105
json

remove-threat
remove-threat.sh
filename
no
no
remove-threat
local
I also tried to add the in the active response tag but it did not make any difference. I followed all your steps and made all the configuration needed on the agent too. I'm having trouble trying to figure out where is the problem. Is there something I need to do to activate the active response?
As for the outputs from the /var/ossec/logs/active-responses.log, I'm only getting the restart.sh

Hey Karl, apologies for the late reply.
One thing to verify is working correctly is the VirusTotal integration. This needs to be working because rule id 87105 will only trigger once VirusTotal responds back to our API request that the file we uploaded has a positive match. Without that rule id being triggered, our custom-remove-threat process will not be triggered.
Once you can ensure the Virustotal calls are working as expected, we can troubleshoot further. Looking forward to your response.

@@taylorwalton_socfortress The rule id 87105 triggers when I download a malicious file but sometimes the rule id 87104 is the one that triggers. I don't know if that is normal.

@@karlmaamary8181 Hey Karl, I expect that to be normal. What OS is your wazuh-agent? Do you see any errors if you run the /var/ossec/active-response/bin/remove-threat.sh on the agent side?