Wazuh Yara is a project aimed at integrating YARA rules with Wazuh for enhanced malware detection and file integrity monitoring.
- File Integrity Monitoring (FIM): Monitors directories and files for changes and triggers YARA scans.
- Malware Detection: Uses YARA rules to detect and classify malware artifacts on endpoints.
- Active Response: Automatically deletes detected threats based on YARA rule matches.
- Ubuntu
- macOS
- Configures the YARA rules in the wazuh agent
rulesdirectory. - Set up the Wazuh FIM module to monitor desired directories.
- Deploy the
yara.shscript for active response.
- Wazuh Agent installed on endpoints
Install using this command:
curl -SL --progress-bar https://raw.githubusercontent.com/ADORSYS-GIS/wazuh-yara/main/scripts/install.sh | shTo ensure the correct installation and configuration of YARA and Wazuh, we have implemented a set of automated tests. These tests verify the presence and proper configuration of essential components such as users, groups, configuration files, and installed packages.
For a detailed description of these tests and how to execute them, please refer to the YARA Tests README.
The repository includes a GitHub Actions workflow that automatically runs the tests on every push or pull request. This helps maintain the integrity of the system by validating the setup continuously.
For more information on the test workflow, see the GitHub Actions Workflow.