CDB lists and threat intelligence

Wazuh detects malicious files by checking the presence of their signatures in a CDB list. This CDB list must contain known malware threat intelligence indicators. A CDB list is a text file you can use to save a list of users, file hashes, IP addresses, and domain names. You can add entries to a CDB list in key:value pairs or key: only. CDB lists can act as either allow or deny lists. You can learn more about CDB lists in the documentation.

How it works

Wazuh checks if field values, such as IP address, file hashes, and others, extracted from security events during decoding are in a CDB list to hunt and detect malware. To detect malware, you can use CDB lists with the file integrity monitoring (FIM) module. We describe how it works below:

  1. The Wazuh FIM module scans monitored directories on endpoints to detect changes such as file creation and modifications. The FIM module stores the checksums and attributes of the monitored files.

  2. When the FIM module generates an alert, the Wazuh analysis engine compares the file attributes, for example, the file hash, to the keys in a predefined CDB list.

  3. If the Wazuh analysis engine finds a match, it generates or suppresses an alert based on how you configure your rule.

Use case: Detecting malware using file hashes in a CDB list

In this use case, we show how you can detect malware using file hashes that you have added to a CDB list. You can use this use case to detect malicious files on a Linux endpoint on which you have installed a Wazuh agent.

Wazuh server

  1. Create a CDB list malware-hashes of known malware hashes and save it to the /var/ossec/etc/lists directory on the Wazuh server.

    # vi /var/ossec/etc/lists/malware-hashes
    
  2. Add the known malware hashes to the file as key:value pairs. In this case, you can use the known MD5 hashes of the Mirai and Xbash malware as shown below.

    e0ec2cd43f71c80d42cd7b0f17802c73:mirai
    55142f1d393c5ba7405239f232a6c059:Xbash
    
  3. Add a reference to the CDB list in the Wazuh manager configuration file /var/ossec/etc/ossec.conf. You can do this by specifying the path to the list within the <ruleset> block:

    ...
      <ruleset>
        <!-- Default ruleset -->
        <decoder_dir>ruleset/decoders</decoder_dir>
        <rule_dir>ruleset/rules</rule_dir>
        <rule_exclude>0215-policy_rules.xml</rule_exclude>
        <list>etc/lists/audit-keys</list>
        <list>etc/lists/amazon/aws-eventnames</list>
        <list>etc/lists/security-eventchannel</list>
        <list>etc/lists/malware-hashes</list>
      <ruleset>
    ...
    
  4. Create a custom rule in the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server. The rule generates alerts when the Wazuh analysis engine matches the MD5 hash of a new or modified file to a hash in the CDB list. Rules 554 and 550 must previously match indicating a recently created or modified file.

    <group name="malware,">
      <rule id="110002" level="13">
        <!-- The if_sid tag references the built-in FIM rules -->
        <if_sid>554, 550</if_sid>
        <list field="md5" lookup="match_key">etc/lists/malware-hashes</list>
        <description>File with known malware hash detected: $(file)</description>
        <mitre>
          <id>T1204.002</id>
        </mitre>
      </rule>
    </group>
    
  5. Restart the Wazuh manager to apply changes.

    # systemctl restart wazuh-manager
    

Linux endpoint

  1. Configure directory monitoring by adding the <directories> block specifying the folders you want to monitor in the agent configuration file or using the centralized configuration option.

    <ossec_config>
      <syscheck>
        <disabled>no</disabled>
        <directories check_all="yes" realtime="yes">/PATH/TO/MONITORED/DIRECTORY</directories>
      </syscheck>
    </ossec_config>
    

    Note

    The check_all option ensures Wazuh checks all file attributes including the file size, permissions, owner, last modification date, inode, and the hash sums.

  2. Restart the Wazuh agent to apply the changes:

    # systemctl restart wazuh-agent
    

Test the configuration

To test that everything works correctly, download the Mirai and Xbash malware samples to the directory the FIM module is monitoring.

Warning

These malicious files are dangerous, so use them for testing purposes only. Do not install them in production environments.

  1. Download the malware samples. Replace /PATH/TO/MONITORED/DIRECTORY with the path of the monitored directory.

    $ sudo curl https://wazuh-demo.s3-us-west-1.amazonaws.com/mirai --output /PATH/TO/MONITORED/DIRECTORY/mirai
    $ sudo curl https://wazuh-demo.s3-us-west-1.amazonaws.com/xbash --output /PATH/TO/MONITORED/DIRECTORY/Xbash
    

Visualize the alerts

You can see these alerts on the Wazuh dashboard. To do this, go to the Security events tab of the Wazuh dashboard to view the alerts.