
Missing installation step in Yara and testing step improvement #6960

Closed
javimed opened this issue Jan 16, 2024 · 1 comment · Fixed by #6970
Assignees
Labels
level/task Task issue type/bug Bug issue

Comments

javimed commented Jan 16, 2024

  • Missing step for Yara installation in the Detecting malware on Linux endpoints using YARA use case in the Malware capabilities documentation

    Following the steps might lead to a wrong installation

    vagrant@ag-ubuntu20:/usr/local/bin/yara-4.2.3$ yara
    yara: error while loading shared libraries: libyara.so.9: cannot open shared object file: No such file or directory
    

    A step should be added in the same way it is already present in the Detecting malware using Yara integration PoC

    vagrant@ag-ubuntu20:/usr/local/bin/yara-4.2.3$ sudo su
    root@ag-ubuntu20:/usr/local/bin/yara-4.2.3# echo "/usr/local/lib" >> /etc/ld.so.conf
    root@ag-ubuntu20:/usr/local/bin/yara-4.2.3# ldconfig
    root@ag-ubuntu20:/usr/local/bin/yara-4.2.3# exit
    exit
    vagrant@ag-ubuntu20:/usr/local/bin/yara-4.2.3$ yara
    yara: wrong number of arguments
    Usage: yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID
    
    Try `--help` for more options
    vagrant@ag-ubuntu20:/usr/local/bin/yara-4.2.3$
    
  • Downloading samples directly to the monitored directory triggers repeated alerts

    vagrant@ag-ubuntu20:/usr/local/bin/yara-4.2.3$ sudo curl https://wazuh-demo.s3-us-west-1.amazonaws.com/mirai --output /root/mirai
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 79804  100 79804    0     0  26557      0  0:00:03  0:00:03 --:--:-- 26557
    vagrant@ag-ubuntu20:/usr/local/bin/yara-4.2.3$ sudo curl https://wazuh-demo.s3-us-west-1.amazonaws.com/xbash --output /root/Xbash
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 9344k  100 9344k    0     0   507k      0  0:00:18  0:00:18 --:--:-- 1352k
    vagrant@ag-ubuntu20:/usr/local/bin/yara-4.2.3$ 
    


    vagrant@ag-ubuntu20:/usr/local/bin/yara-4.2.3$ curl https://wazuh-demo.s3-us-west-1.amazonaws.com/mirai --output ~/mirai
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 79804  100 79804    0     0  43561      0  0:00:01  0:00:01 --:--:-- 43537
    vagrant@ag-ubuntu20:/usr/local/bin/yara-4.2.3$ curl https://wazuh-demo.s3-us-west-1.amazonaws.com/xbash --output ~/Xbash
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 9344k  100 9344k    0     0  1095k      0  0:00:08  0:00:08 --:--:-- 1486k
    vagrant@ag-ubuntu20:/usr/local/bin/yara-4.2.3$ sudo mv ~/mirai /root/
    vagrant@ag-ubuntu20:/usr/local/bin/yara-4.2.3$ sudo mv ~/Xbash /root/
    vagrant@ag-ubuntu20:/usr/local/bin/yara-4.2.3$ 
    

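An added illustration (not part of javimed's report and not Wazuh's code) of why the second point happens: a toy hash-polling monitor, standing in for the FIM module, checks the watched path between the chunks a downloader writes. Writing straight into the watched directory yields one event per chunk, while downloading into the home directory and renaming into place yields a single 'added' event. The chunk data, the temporary root/home layout and the monitor itself are constructed assumptions.

```python
import hashlib
import os
import tempfile

CHUNKS = [bytes([i]) * 1024 for i in range(4)]  # constructed stand-in for a sample: 4 chunks

class Monitor:
    """Hash-polling watcher standing in for FIM: logs 'added'/'modified' on change."""
    def __init__(self, path):
        self.path, self.last, self.events = path, None, []

    def poll(self):
        cur = None
        if os.path.exists(self.path):
            with open(self.path, "rb") as fh:
                cur = hashlib.sha256(fh.read()).hexdigest()
        if cur != self.last:
            self.events.append("added" if self.last is None else "modified")
            self.last = cur

def write_chunks(path, monitor):
    """Downloader writing chunk by chunk; the monitor polls in between."""
    with open(path, "wb") as fh:
        for chunk in CHUNKS:
            fh.write(chunk)
            fh.flush()
            monitor.poll()

def download(root, home, name, staged):
    """staged=False: curl --output /root/<name>; staged=True: curl --output ~/<name>, then mv into /root."""
    dest = os.path.join(root, name)
    mon = Monitor(dest)
    if staged:
        tmp = os.path.join(home, name)
        write_chunks(tmp, mon)   # polls see nothing change under /root
        os.replace(tmp, dest)    # rename: the file appears whole, once
        mon.poll()
    else:
        write_chunks(dest, mon)  # every partial write is visible to the monitor
    return mon.events

def compare():
    """Return (events for a direct download, events for a staged download)."""
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "home")
        os.mkdir(home)
        direct = download(root, home, "mirai", staged=False)
        return direct, download(root, home, "Xbash", staged=True)
```

Running `compare()` returns four events for the direct download and one for the staged download, which is the difference between the two terminal sessions above.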

@javimed javimed changed the title Missing installation step in Yara and test step improvement Missing installation step in Yara and testing step improvement Jan 16, 2024
@wazuhci wazuhci moved this to Triage in Release 4.8.0 Jan 16, 2024
@javimed javimed added level/task Task issue type/bug Bug issue labels Jan 17, 2024
@TheMuntu TheMuntu self-assigned this Jan 18, 2024
@TheMuntu

Fixed!

@wazuhci wazuhci moved this from Triage to In progress in Release 4.8.0 Jan 18, 2024
@javimed javimed linked a pull request Jan 18, 2024 that will close this issue
@wazuhci wazuhci moved this from In progress to Blocked in Release 4.8.0 Jan 18, 2024
@javimed javimed closed this as completed Jan 19, 2024
@wazuhci wazuhci moved this from Blocked to Done in Release 4.8.0 Jan 19, 2024