Empowering threat visibility with Wazuh and Maltiverse


Maltiverse is a threat intelligence platform that collects, analyses, and provides insights into malicious domains, IP addresses, and other digital artifacts commonly associated with cyber threats. It provides a wealth of information on known malicious entities and indicators of compromise (IOCs), making it a valuable resource for cybersecurity professionals.

The extensive threat intelligence of Maltiverse complements the detection capabilities of Wazuh. This integration aids in the identification of malicious entities and indicators of compromise (IOCs), providing security teams with additional context for threat assessment and mitigation. The combination aims to improve threat visibility and security measures in response to evolving digital risks.

This blog post discusses methods for empowering threat visibility through Wazuh integration with Maltiverse and demonstrates its benefits through practical tests.

Infrastructure

  • A single-node deployment of the Wazuh central components version 4.7.0 on a CentOS 7 server. Follow the Installation guide to perform the setup.
  • An Ubuntu endpoint with Wazuh agent 4.7.0 installed and enrolled on the Wazuh server. Follow this guide to deploy the Wazuh agent.

Configuration

The Wazuh 4.7.0 and newer releases have out-of-the-box functionality that enables communication with Maltiverse using API calls. The Wazuh server makes API requests to Maltiverse using information such as IP addresses, hostnames, and file hashes, and the responses are processed and forwarded to the Wazuh dashboard for visualization.

First, we find the API key from the Maltiverse web portal and then configure the Maltiverse integration on the Wazuh server.

Maltiverse portal

Maltiverse offers three types of plans. To retrieve the API key, we require at least a Maltiverse community plan. For this integration, we created a 30-day enterprise Maltiverse trial account. After a successful login to the Maltiverse web portal, perform the steps below to get an API key.

1. Click on the username at the top right corner of the portal to access the user information page.

2. Click View API Key to reveal the API key. Take note of the key, as we use it in the next section.

Figure 1: Maltiverse API key retrieval

Wazuh server

In this section, we use the Maltiverse API key retrieved above to integrate Maltiverse capabilities into the Wazuh server. 

Perform the actions below on the Wazuh server to integrate Maltiverse with Wazuh.

1. Append the following content to the /var/ossec/etc/ossec.conf configuration file.

<ossec_config>
  <integration>
    <name>maltiverse</name>
    <hook_url>https://api.maltiverse.com</hook_url>
    <api_key><API-KEY></api_key>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>

Note: Replace <API-KEY> with the Maltiverse API key extracted from the online portal.

2. Restart the Wazuh manager for the changes to take effect:

# systemctl restart wazuh-manager

After successfully configuring the integration and ingesting some security events to the Wazuh server, you should observe Maltiverse responses on the Wazuh dashboard.

Figure 2: Maltiverse API responses

Integration test

In this section, we show how to leverage Maltiverse integration with Wazuh for better threat visibility. We perform various activities that enable us to obtain detailed information about IP addresses, hostnames, URLs, and file hashes.

Note: We perform the following tests on a locally hosted Wazuh environment, where we simulate real-world scenarios by manually ingesting data collected from publicly available servers into the Wazuh server.

Configure the Ubuntu endpoint to manually ingest log data from a log file to the Wazuh server using the following steps.

1. Create a custom log file:

# touch /var/log/maltiverse-test.log

2. Add the following content to <ossec_config> block of the /var/ossec/etc/ossec.conf configuration file of your monitored Ubuntu endpoint:

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/maltiverse-test.log</location>
</localfile>

3. Restart your Wazuh agent for the changes to take effect:

# systemctl restart wazuh-agent

We perform the following tests to ensure that the Maltiverse integration with Wazuh enhances your threat visibility:

IPv4 test

IP addresses obtained from various security events, including SSH logins, brute force attacks, network packets, and web server logs, often require further investigation. Perform the respective steps on the Wazuh server and the Ubuntu endpoint to extract detailed information about an IP address.

Wazuh server

We configure the Wazuh server to provide Maltiverse with the IP address obtained from the Wazuh alert generated when a user inputs the wrong password multiple times. Rule ID 2502 is responsible for generating such alerts.

Perform the steps below to configure the Wazuh server.

1. Add the <rule_id>2502</rule_id> content to the existing Maltiverse integration block of the /var/ossec/etc/ossec.conf configuration file:

<ossec_config>
  <integration>
    <name>maltiverse</name>
    <hook_url>https://api.maltiverse.com</hook_url>
    <api_key>API-KEY</api_key>
    <rule_id>2502</rule_id>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>

2. Restart the Wazuh manager for the changes to take effect:

# systemctl restart wazuh-manager

Attack emulation

If your Wazuh server or Wazuh agent is hosted in a cloud environment with port 22 open, you are likely to encounter a constant stream of IP addresses attempting to breach your system. No additional actions are needed to trigger alerts with rule ID 2502 in such cases.

However, if you are hosting your system locally, you can manually ingest log data by running the following command on your Ubuntu endpoint to generate the required Wazuh alert:

# echo "Oct 17 09:28:28 Ubuntu-2204 sshd[4275]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.25  user=root" >> /var/log/maltiverse-test.log

Result

Navigate to the Security events section on your Wazuh dashboard, and find the alert below, generated using data retrieved from Maltiverse for the IP address:

218.92.0.25
Figure 3: IPv4 test
Figure 4: IPv4 test details

Hostname test

Hostnames appear in many kinds of activity, including SSH sessions, DNS queries, and other network communications. To obtain comprehensive information about a hostname, follow the steps below.

Wazuh server

We configure the Wazuh server to provide Maltiverse with hostnames obtained from Wazuh alerts generated in response to DNS queries. 

Follow the steps below to set up the Wazuh server for testing hostname-related DNS queries.

1. Create a new decoder file, custom_maltiverse_decoders.xml, that decodes DNS query logs:

# touch /var/ossec/etc/decoders/custom_maltiverse_decoders.xml

2. Add the following custom decoder contents to the /var/ossec/etc/decoders/custom_maltiverse_decoders.xml file:

<decoder name="maltiverse_hostname">
  <prematch>timestamp=</prematch>
</decoder>

<decoder name="maltiverse_hostname1">
  <parent>maltiverse_hostname</parent>
  <regex type="pcre2">timestamp=(.+?) identifier=(\w+) action=(\w+) .*? hostname: (\S+)</regex>
  <order>log_timestamp, identifier, action, hostname</order>
</decoder>

3. Create a new rule custom_maltiverse_rules.xml file that generates alerts once we ingest DNS query logs.

# touch /var/ossec/etc/rules/custom_maltiverse_rules.xml

4. Add the custom rule to the /var/ossec/etc/rules/custom_maltiverse_rules.xml file:

<group name="dns_query,maltiverse_hostname_test,">
  <rule id="111041" level="5">
    <decoded_as>maltiverse_hostname</decoded_as>
    <description>The server $(identifier) is making a DNS query.</description>
  </rule>
</group>

Where:

  • Rule ID 111041 triggers an alert whenever the maltiverse_hostname decoder processes any log.

5. Add the rule ID 111041 to the <rule_id> tag within the Maltiverse integration block of the /var/ossec/etc/ossec.conf configuration file:

<ossec_config>
  <integration>
    <name>maltiverse</name>
    <hook_url>https://api.maltiverse.com</hook_url>
    <api_key>API-KEY</api_key>
    <rule_id>2502,111041</rule_id>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>

6. Restart the Wazuh manager for the changes to take effect:

# systemctl restart wazuh-manager

Attack emulation

Run the following command on your Ubuntu endpoint to manually ingest log data that generates the required Wazuh alert:

# echo "timestamp=Oct 18 15:25:12 identifier=abdullahgtrlab action=dns_query details=Querying DNS for hostname: dobreusluge.zauvijek.itsforever.net" >> /var/log/maltiverse-test.log

Result

Navigate to the Security events on your Wazuh dashboard to see the alert generated using the data retrieved from Maltiverse for the hostname:

dobreusluge.zauvijek.itsforever.net
Figure 5: Hostname test
Figure 6: Hostname test details

URL test

Proxy server logs and firewall logs often include URLs in their log data. To obtain detailed information about a URL, follow the steps below on your Wazuh server and Ubuntu endpoint.

Wazuh server

We configure the Wazuh server to provide Maltiverse with URLs obtained from the Wazuh alert generated by the Squid proxy server logs. Follow the steps below to set up the Wazuh server for the URL test.

1. Append the following custom decoder contents to the /var/ossec/etc/decoders/custom_maltiverse_decoders.xml file that we created earlier:

<decoder name="squid_url">
  <program_name>squid</program_name>
</decoder>

<decoder name="squid_url1">
  <parent>squid_url</parent>
  <regex type="pcre2">(\d+\.\d+\.\d+\.\d+) TCP_MISS\/200 .*? GET (.*?) - DIRECT</regex>
  <order>client_ip, url</order>
</decoder>

2. Add the custom rule to the /var/ossec/etc/rules/custom_maltiverse_rules.xml file that we created earlier:

<group name="squid_url,maltiverse_urltest">
  <rule id="111042" level="6">
    <decoded_as>squid_url</decoded_as>
    <description>[SQUID URL] - $(client_ip) has accessed $(url)</description>
  </rule>
</group>

Where:

  • Rule ID 111042 triggers an alert whenever the squid_url decoder processes any log.
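Before deploying the two custom decoders from the hostname test and this URL test, it is worth checking offline that their regular expressions extract the intended fields from the exact log lines ingested later in each Attack emulation step. The script below is an added example, not part of the original post and not a Wazuh tool: it re-implements just enough of the Wazuh decoding flow (syslog header stripping, program_name and prematch checks, child regex with an order list) in Python to exercise both regexes. The syslog header pattern is an assumption of this example, and the squid regex uses escaped dots in the IPv4 group so that the match is unambiguous.

```python
import re

# Sample log lines copied from the post's attack-emulation steps.
HOSTNAME_LOG = (
    "timestamp=Oct 18 15:25:12 identifier=abdullahgtrlab action=dns_query "
    "details=Querying DNS for hostname: dobreusluge.zauvijek.itsforever.net"
)
SQUID_LOG = (
    "Oct 17 14:55:30 proxy_server squid[1234]: 157730320.512 192.168.1.200 "
    "TCP_MISS/200 5124 GET https://vk.com/doc52355237_667082058"
    "?hash=SCtt4ltNCbu3lnYUwPGvIGmMakZCTQ0Yuj5qiGj1Uc0"
    "&dl=hil1F6PzYlnVsXsKpXdnyCyI9zVoEp3fH0XkDiKEhgk&api=1&no_preview=1"
    " - DIRECT/vk.com text/html"
)

# Assumed syslog header layout: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_HEADER = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$")

# The two decoders from the post, expressed as data. Each entry carries the parent
# match condition (prematch or program_name) and the child regex plus its order list.
DECODERS = [
    {
        "name": "maltiverse_hostname",
        "prematch": "timestamp=",
        "regex": r"timestamp=(.+?) identifier=(\w+) action=(\w+) .*? hostname: (\S+)",
        "order": ["log_timestamp", "identifier", "action", "hostname"],
    },
    {
        "name": "squid_url",
        "program_name": "squid",
        # Dots escaped so the IPv4 group cannot span the "157730320.512 " prefix.
        "regex": r"(\d+\.\d+\.\d+\.\d+) TCP_MISS/200 .*? GET (.*?) - DIRECT",
        "order": ["client_ip", "url"],
    },
]


def split_syslog(line):
    """Return (program_name, message); lines without a syslog header keep the whole line."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None, line
    return m.group(3), m.group(4)


def decode(line):
    """Apply the first decoder whose parent condition matches; return its fields or None."""
    program, message = split_syslog(line)
    for dec in DECODERS:
        if "program_name" in dec and dec["program_name"] != program:
            continue
        if "prematch" in dec and dec["prematch"] not in message:
            continue
        m = re.search(dec["regex"], message)
        if not m:
            # Parent matched but the child regex did not: no fields are extracted.
            return {"decoder": dec["name"]}
        fields = dict(zip(dec["order"], m.groups()))
        fields["decoder"] = dec["name"]
        return fields
    return None


if __name__ == "__main__":
    for sample in (HOSTNAME_LOG, SQUID_LOG):
        print(decode(sample))
```

If a regex change causes one of these samples to stop producing the `hostname` or `url` field, the corresponding rule still fires (it keys on `decoded_as`), but the Maltiverse lookup receives nothing useful, so this check is cheaper than discovering the problem on the dashboard.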

3. Add the rule ID 111042 to the <rule_id> tag within the Maltiverse integration block of the /var/ossec/etc/ossec.conf configuration file:

<ossec_config>
  <integration>
    <name>maltiverse</name>
    <hook_url>https://api.maltiverse.com</hook_url>
    <api_key>API-KEY</api_key>
    <rule_id>2502,111041,111042</rule_id>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>

4. Restart the Wazuh manager for the changes to take effect:

# systemctl restart wazuh-manager

Attack emulation

Run the following command on your Ubuntu endpoint to manually ingest log data that generates the required Wazuh alert:

# echo "Oct 17 14:55:30 proxy_server squid[1234]: 157730320.512 192.168.1.200 TCP_MISS/200 5124 GET https://vk.com/doc52355237_667082058?hash=SCtt4ltNCbu3lnYUwPGvIGmMakZCTQ0Yuj5qiGj1Uc0&dl=hil1F6PzYlnVsXsKpXdnyCyI9zVoEp3fH0XkDiKEhgk&api=1&no_preview=1 - DIRECT/vk.com text/html" >> /var/log/maltiverse-test.log

Result

Navigate to the Security events on your Wazuh dashboard to see the alert generated using the data retrieved from Maltiverse for the URL:

https://vk.com/doc52355237_667082058?hash=SCtt4ltNCbu3lnYUwPGvIGmMakZCTQ0Yuj5qiGj1Uc0&dl=hil1F6PzYlnVsXsKpXdnyCyI9zVoEp3fH0XkDiKEhgk&api=1&no_preview=1
Figure 7: URL test
Figure 8: URL test details

File hash test

Files on different systems may potentially contain malicious binaries, making it crucial to conduct a thorough examination based on their hash values. In this section, we download a malicious file to a monitored directory on the Ubuntu endpoint and then retrieve detailed information for the hash value of the malicious file.

Follow the steps below on your Ubuntu endpoint and Wazuh server to perform the file hash test.

Ubuntu

We configure the Wazuh agent to monitor the /tmp directory on your Ubuntu endpoint. Then, we download a malicious file into that directory to generate Wazuh alerts containing file hash values.

Perform the following steps on your Ubuntu endpoint.

1. Add the following line to the <syscheck> block of the /var/ossec/etc/ossec.conf configuration file:

<directories realtime="yes">/tmp</directories>

2. Restart the Wazuh agent for the changes to take effect:

# systemctl restart wazuh-agent

Wazuh server

We configure the Wazuh server to generate alerts containing file hashes from the /tmp directory and then retrieve detailed information about these file hashes using the Maltiverse API.

Perform the following steps to configure your Wazuh server.

1. Add the following custom rules to the /var/ossec/etc/rules/custom_maltiverse_rules.xml file that we created earlier:

<group name="maltiverse_sample_test">
  <!-- Rules for Linux systems -->
  <rule id="111050" level="7">
    <if_sid>550</if_sid>
    <field name="file">/tmp</field>
    <description>File modified in /tmp directory.</description>
  </rule>
  <rule id="111051" level="7">
    <if_sid>554</if_sid>
    <field name="file">/tmp</field>
    <description>File added to /tmp directory.</description>
  </rule>
</group>

Where:

  • Rule ID 111050 triggers an alert when a file within the /tmp directory is modified.
  • Rule ID 111051 triggers an alert when a file is added to the /tmp directory.

2. Add the following rule IDs to the <rule_id> tag within the Maltiverse integration block of the /var/ossec/etc/ossec.conf configuration file:

<ossec_config>
  <integration>
    <name>maltiverse</name>
    <hook_url>https://api.maltiverse.com</hook_url>
    <api_key>API-KEY</api_key>
    <rule_id>2502,111041,111042,111050,111051</rule_id>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>

3. Restart the Wazuh manager for the changes to take effect:

# systemctl restart wazuh-manager

Attack emulation

We download a malicious file into the /tmp directory of the Ubuntu endpoint to generate an alert with the file hashes. Perform the following steps on your Ubuntu endpoint.

1. Change the current working directory to the /tmp directory:

$ cd /tmp

2. Run the following command to download the malicious file:

$ sudo curl -LO https://secure.eicar.org/eicar.com && ls -lah eicar.com

Result

Navigate to the Security events on your Wazuh dashboard to see the alert generated using the data retrieved from Maltiverse for the malicious file hash values.

Figure 9: File hash test
Figure 10: File hash test details
<gr_replace lines="350-353" cat="reformat" orig="File hash test">
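All four tests follow the same pattern: an alert from one of the configured rule IDs carries an observable (source IP, hostname, URL, or file hash), the integration extracts it, queries the matching Maltiverse endpoint, and turns the response into a new alert. The Python below is an added example written for this post; it is not Wazuh's own integration script and not Maltiverse code. It assumes the alert field paths that the rules above produce (data.srcip for rule 2502, the custom decoder fields data.hostname and data.url for 111041 and 111042, and syscheck.sha256_after for the FIM rules), and it assumes the Maltiverse lookup paths /ip/, /hostname/, /url/ (keyed by the SHA-256 of the URL) and /sample/ with bearer-token authentication; verify those against the current Maltiverse API documentation before relying on them. All alerts and the API response are constructed inline so the example runs offline.

```python
import hashlib
import json
import urllib.request

MALTIVERSE_API = "https://api.maltiverse.com"

# Where each rule from the post leaves its observable inside the Wazuh alert JSON.
# The field paths are assumptions of this example about the alert layout.
IOC_FIELDS = {
    "2502": ("ip", ("data", "srcip")),
    "111041": ("hostname", ("data", "hostname")),
    "111042": ("url", ("data", "url")),
    "111050": ("sample", ("syscheck", "sha256_after")),
    "111051": ("sample", ("syscheck", "sha256_after")),
}


def dig(obj, path):
    """Walk a nested dict along path; return None if any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def select_ioc(alert):
    """Return (ioc_type, value) for a configured rule, or None for anything else."""
    rule_id = str(dig(alert, ("rule", "id")))
    if rule_id not in IOC_FIELDS:
        return None
    ioc_type, path = IOC_FIELDS[rule_id]
    value = dig(alert, path)
    return (ioc_type, value) if value else None


def url_checksum(url):
    """URLs are looked up by the SHA-256 of the URL string (assumed API convention)."""
    return hashlib.sha256(url.encode()).hexdigest()


def endpoint_for(ioc_type, value):
    """Build the lookup URL; the path names are assumptions from the Maltiverse docs."""
    if ioc_type == "url":
        value = url_checksum(value)
    return f"{MALTIVERSE_API}/{ioc_type}/{value}"


def summarize(response):
    """Reduce a Maltiverse response to the fields an analyst acts on first."""
    classification = response.get("classification", "unknown")
    sources = sorted({entry.get("source", "?") for entry in response.get("blacklist", [])})
    return {"classification": classification, "sources": sources,
            "malicious": classification == "malicious"}


def plan_lookups(alerts):
    """Map each actionable alert to the endpoint it would be checked against."""
    plan = []
    for alert in alerts:
        ioc = select_ioc(alert)
        if ioc:
            plan.append((str(alert["rule"]["id"]), endpoint_for(*ioc)))
    return plan


def lookup(ioc_type, value, api_key, timeout=10):
    """Live query (needs network and a real key); not exercised by the offline checks."""
    req = urllib.request.Request(endpoint_for(ioc_type, value), headers={
        "Authorization": f"Bearer {api_key}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return summarize(json.load(resp))


# Constructed alerts mirroring the four tests; the file hash is a made-up digest.
SAMPLE_ALERTS = [
    {"rule": {"id": "2502"}, "data": {"srcip": "218.92.0.25"}},
    {"rule": {"id": "111041"}, "data": {"hostname": "dobreusluge.zauvijek.itsforever.net"}},
    {"rule": {"id": "111042"}, "data": {"url": "https://vk.com/doc52355237_667082058?api=1"}},
    {"rule": {"id": "111051"}, "syscheck": {"path": "/tmp/eicar.com",
        "sha256_after": hashlib.sha256(b"constructed sample").hexdigest()}},
    {"rule": {"id": "5710"}, "data": {"srcip": "10.0.0.5"}},  # not in the rule_id list
]

# Constructed response shaped like a Maltiverse blacklist verdict (field names assumed).
SAMPLE_RESPONSE = {"classification": "malicious", "blacklist": [
    {"source": "constructed-feed-a", "description": "constructed entry"},
    {"source": "constructed-feed-b", "description": "constructed entry"}]}

if __name__ == "__main__":
    for rule_id, endpoint in plan_lookups(SAMPLE_ALERTS):
        print(rule_id, "->", endpoint)
    print(summarize(SAMPLE_RESPONSE))
```

The rule_id filter in ossec.conf is what keeps this from turning every alert into an API call; the same filter in `IOC_FIELDS` is why the fifth constructed alert (rule 5710) is ignored. Keeping the rule-to-field map explicit also makes it obvious which new rule needs which extraction when you extend the integration.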

Conclusion

The integration of Wazuh and Maltiverse is a significant step forward in strengthening threat visibility and cybersecurity defenses. This blog post outlines the practical steps involved in implementing this integration to greatly enhance the detection of, and response to, security threats. Furthermore, this combination supports proactive threat management, making it a valuable asset in today’s ever-evolving threat landscape.

Wazuh, acclaimed for its open-source security prowess, integrates with diverse emerging technologies, providing users flexibility in threat detection, compliance, and incident handling. For a deeper understanding of Wazuh capabilities, we invite you to explore our extensive documentation and enlightening blog posts.
