
Client Agent Alert for IOCs Marked as "Malware" in Wazuh & Snort Integration #29

Open
yannicksiewe opened this issue Feb 11, 2025 · 0 comments
Assignees
Labels
enhancement New feature or request

Comments

@yannicksiewe (Contributor)

Description

Currently, when an Indicator of Compromise (IOC) is detected and classified as "Malware" in Wazuh (via YARA, Snort, Wazuh), no immediate alert is displayed on the client agent itself. This means end users might remain unaware of critical security threats affecting their system until they check logs or reports manually.

To enhance security awareness and speed up response times, this feature will add a real-time alert mechanism that triggers a pop-up notification on the client agent whenever an IOC classified as "Malware" is detected.

Expected Behavior

  • When Wazuh, Snort, or YARA rules detect an IOC categorized as "Malware", the client agent should trigger a notification or pop-up alert.
  • The notification should include:
    • Threat name (from Snort, YARA, or Wazuh rules)
    • Timestamp of detection
    • Severity level (Critical, High, Medium, Low)
    • Recommended action (e.g., isolate, terminate process, investigate further)
  • The alert should remain visible until dismissed or acknowledged by the user.

Possible Implementation Approaches

Client-Side Notification System
  • For Windows: Use native toast notifications via PowerShell or a system tray app.
  • For macOS: Use AppleScript or Swift to generate pop-ups.
  • For Linux: Use libnotify (notify-send for GNOME-based environments).
Wazuh & Snort Integration
  • Configure Wazuh Active Response
    • Modify Wazuh’s active response script to trigger a local alert when an IOC is detected.
    • Example: Extend active-response/bin/custom-response.sh to trigger a pop-up.
  • Use Wazuh API for Real-Time Alerts
    • Monitor wazuh-alerts.log for malware events and send local notifications.
  • Snort Integration
    • If an IOC is detected via Snort, use a script to forward events to the client agent for display.
User Configuration Options
  • Allow administrators to enable/disable pop-up alerts for different threat levels.
  • Provide an option to log these alerts for forensic analysis.

Additional Considerations

  • Performance Impact: Ensure alerts do not introduce latency or system slowdowns.
  • Security: Prevent unauthorized modification of alerts by verifying their source.
  • Cross-Platform Support: Implement using platform-agnostic methods or provide OS-specific implementations.
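The "monitor wazuh-alerts.log for malware events and send local notifications" approach above, as an added example that is not part of this issue or the project's code. It reads alert lines in the shape of Wazuh's alerts.json, keeps only alerts whose rule groups or description mark them as malware, maps the Wazuh rule level to the four severity tiers named in the issue, attaches a recommended action, honours the per-severity enable/disable setting, produces a forensic log record, and builds the platform-specific notifier command (notify-send, osascript, or a PowerShell toast). The level-to-severity bands, the "malware" group/description heuristic, the action texts and the sample alert lines are assumptions constructed for the example; corrupt log lines are skipped rather than crashing the watcher.

```python
"""Turn malware-classified Wazuh alerts into desktop notifications (added example)."""
import json
import platform
import subprocess
import sys

# Assumed mapping from Wazuh rule level to the severity tiers listed in the issue.
SEVERITY_BANDS = ((12, "Critical"), (9, "High"), (6, "Medium"), (0, "Low"))

# Assumed recommended actions per severity (the issue lists these as examples).
RECOMMENDED_ACTION = {
    "Critical": "isolate host and terminate process",
    "High": "terminate process and investigate",
    "Medium": "investigate further",
    "Low": "review at next triage",
}

# Constructed sample lines in the shape of Wazuh's alerts.json (one JSON object per line).
SAMPLE_ALERT_LINES = [
    json.dumps({"timestamp": "2025-02-11T10:15:02.000+0000",
                "rule": {"level": 12, "id": "100210", "groups": ["yara", "malware"],
                         "description": "YARA: malware signature matched in /tmp/sample.bin"},
                "agent": {"id": "001", "name": "ws-01"}}),
    json.dumps({"timestamp": "2025-02-11T10:16:40.000+0000",
                "rule": {"level": 9, "id": "20101", "groups": ["ids"],
                         "description": "Snort IDS: malware command-and-control traffic"},
                "agent": {"id": "001", "name": "ws-01"}}),
    json.dumps({"timestamp": "2025-02-11T10:17:05.000+0000",
                "rule": {"level": 3, "id": "5715", "groups": ["sshd", "authentication_success"],
                         "description": "sshd: authentication success"},
                "agent": {"id": "001", "name": "ws-01"}}),
    "not json at all",  # a corrupt line the watcher must skip, not crash on
]


def severity_for_level(level):
    """Map a Wazuh rule level (0-15) onto Critical/High/Medium/Low."""
    for threshold, name in SEVERITY_BANDS:
        if int(level) >= threshold:
            return name
    return "Low"


def is_malware_alert(alert):
    """True when the rule groups or description mark the alert as malware (assumed heuristic)."""
    rule = alert.get("rule", {})
    groups = [g.lower() for g in rule.get("groups", [])]
    return "malware" in groups or "malware" in rule.get("description", "").lower()


def build_notification(alert):
    """Collect the fields the issue wants shown: threat, timestamp, severity, action."""
    rule = alert.get("rule", {})
    severity = severity_for_level(rule.get("level", 0))
    return {"title": f"[{severity}] Malware detected",
            "threat": rule.get("description", "unknown threat"),
            "timestamp": alert.get("timestamp", "unknown time"),
            "severity": severity,
            "action": RECOMMENDED_ACTION[severity]}


def notify_command(note, system):
    """Build (not run) the notifier command for the given platform.system() value."""
    body = (f"Threat: {note['threat']}\nDetected: {note['timestamp']}\n"
            f"Severity: {note['severity']}\nAction: {note['action']}")
    if system == "Linux":
        # urgency 'critical' keeps the notification on screen until dismissed in most daemons
        return ["notify-send", "-u", "critical", note["title"], body]
    if system == "Darwin":
        esc = lambda s: s.replace("\\", "\\\\").replace('"', '\\"')
        return ["osascript", "-e",
                f'display notification "{esc(body)}" with title "{esc(note["title"])}"']
    if system == "Windows":
        q = lambda s: s.replace("'", "''")  # escape for PowerShell single-quoted strings
        ps = ("[Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, "
              "ContentType = WindowsRuntime] | Out-Null; "
              "$t = [Windows.UI.Notifications.ToastNotificationManager]::GetTemplateContent("
              "[Windows.UI.Notifications.ToastTemplateType]::ToastText02); "
              "$x = $t.GetElementsByTagName('text'); "
              f"$x.Item(0).AppendChild($t.CreateTextNode('{q(note['title'])}')) | Out-Null; "
              f"$x.Item(1).AppendChild($t.CreateTextNode('{q(body)}')) | Out-Null; "
              "[Windows.UI.Notifications.ToastNotificationManager]::CreateToastNotifier("
              "'WazuhAgentAlert').Show([Windows.UI.Notifications.ToastNotification]::new($t))")
        return ["powershell", "-NoProfile", "-Command", ps]
    raise ValueError(f"unsupported platform: {system}")


def process_lines(lines, enabled_severities, system):
    """Return (notifier commands, forensic JSON records) for the malware alerts in `lines`."""
    commands, forensic = [], []
    for raw in lines:
        try:
            alert = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip corrupt/partial lines
        if not isinstance(alert, dict) or not is_malware_alert(alert):
            continue
        note = build_notification(alert)
        forensic.append(json.dumps({"rule_id": alert.get("rule", {}).get("id"), **note}))
        if note["severity"] in enabled_severities:  # admin-configurable per-tier switch
            commands.append(notify_command(note, system))
    return commands, forensic


if __name__ == "__main__":
    # Usage: python watcher.py /var/ossec/logs/alerts/alerts.json  (assumed Wazuh default path)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    lines = open(path, encoding="utf-8") if path else SAMPLE_ALERT_LINES
    cmds, records = process_lines(lines, {"Critical", "High"}, platform.system())
    with open("malware-alerts-forensic.jsonl", "a", encoding="utf-8") as log:
        log.write("\n".join(records) + ("\n" if records else ""))
    for cmd in cmds:
        subprocess.run(cmd, check=False)
```

Run as a script it processes the file given on the command line (or the constructed samples when none is given), appends every malware alert to a forensic JSONL log regardless of the notification setting, and only then shows the notification for the enabled tiers; for a live agent the same `process_lines` call would be fed from a tail-follow of the log rather than a one-shot read.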
@ArmandMeppa ArmandMeppa self-assigned this Feb 12, 2025
@ArmandMeppa ArmandMeppa added the enhancement New feature or request label Feb 12, 2025