fix!: several fixes were applied. #3085

wazuh · Jul 19, 2022 · 966a262 · 966a262
1 parent 2f7e3a4
commit 966a262
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 62 deletions.
diff --git a/tests/end_to_end/test_yara_integration/data/configuration/yara_script.sh b/tests/end_to_end/test_yara_integration/data/configuration/yara_script.sh
diff --git a/tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml
@@ -55,7 +55,7 @@
           <command>
           <name>yara</name>
           <executable>yara.sh</executable>
-          <extra_args>-yara_path /usr/local/bin -yara_rules /tmp/yara/rules/yara_rules.yar</extra_args>
+          <extra_args>-yara_path /usr/bin -yara_rules /tmp/yara/rules/yara_rules.yar</extra_args>
           <timeout_allowed>no</timeout_allowed>
           </command>
           <active-response>
@@ -94,19 +94,27 @@
         body: demo=demo&apikey=1111111111111111111111111111111111111111111111111111111111111111&format=text
         dest: /tmp/yara/rules/yara_rules.yar
 
+    - name: Check if epel-release is installed
+      shell: rpm -qa epel-release
+      register: check_epel_release
+
     - name: Install epel-release
       package:
         name:
           - epel-release
         state: present
-      when: ansible_facts['distribution'] == "CentOS"
+      when: ( ansible_facts['distribution'] == "CentOS" and "epel" not in check_epel_release.stdout)
+
+    - name: Check if yara is installed
+      shell: rpm -qa yara
+      register: check_yara
 
     - name: Install Yara on CentOS
       package:
         name:
           - yara
         state: present
-      when: ansible_facts['distribution'] == "CentOS"
+      when: ( ansible_facts['distribution'] == "CentOS" and "yara" not in check_yara.stdout)
 
     - name: Create a directory to store malware
       file:
@@ -130,9 +138,13 @@
         group: wazuh
         mode: '0750'
 
+    - name: Check if jq is installed
+      shell: rpm -qa jq
+      register: check_jq
+
     - name: Install jq (JSON Processor) on CentOS
       package:
         name:
           - jq
         state: present
-      when: ansible_facts['distribution'] == "CentOS"
+      when: ( ansible_facts['distribution'] == "CentOS" and "jq" not in check_jq.stdout)
diff --git a/tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml b/tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml
@@ -4,7 +4,6 @@
   metadata:
     rule.id: 108001
     rule.level: 12
-    rule.description: 'File \"/tmp/yara/malware/mirai\" is a positive match. Yara rule: Mirai_Botnet_Malware_RID2EF6'
-    #extra_vars:
-    #  task_name: Run Yara scan
-    #  command: yara /tmp/yara/rules/yara_rules.yar /tmp/yara/malware/mirai
+    rule.description: 'File \\"/tmp/yara/malware/mirai\\" is a positive match. Yara rule: Mirai_Botnet_Malware_RID2EF6'
+    extra:
+      data.yara_rule: Mirai_Botnet_Malware_RID2EF6
diff --git a/tests/end_to_end/test_yara_integration/test_yara_integration.py b/tests/end_to_end/test_yara_integration/test_yara_integration.py
@@ -14,7 +14,7 @@
 test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
 test_cases_path = os.path.join(test_data_path, 'test_cases')
 test_cases_file_path = os.path.join(test_cases_path, 'cases_yara_integration.yaml')
-yara_script = os.path.join(test_data_path, 'configuration', 'yara_script.sh')
+yara_script = os.path.join(test_data_path, 'configuration', 'yara.sh')
 malware_downloader_script = os.path.join(test_data_path, 'configuration', 'malware_downloader.sh')
 alerts_json = os.path.join(gettempdir(), 'alerts.json')
 
@@ -35,12 +35,13 @@ def test_yara_integration(configure_environment, metadata, get_dashboard_credent
     rule_description = metadata['rule.description']
     rule_id = metadata['rule.id']
     rule_level = metadata['rule.level']
+    data_yara_rule = metadata['extra']['data.yara_rule']
     timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[\+|-]\d+'
 
     expected_alert_json = fr".+timestamp\":\"({timestamp_regex})\",.+level\":{rule_level}.+description\"" \
                           fr":\"{rule_description}.+id.+{rule_id}"
 
-    expected_indexed_alert = fr".+level.+{rule_level}.+description.+{rule_description}.+id.+{rule_id}.+" \
+    expected_indexed_alert = fr".+yara_rule\": \"{data_yara_rule}.+level.+{rule_level}.+id.+{rule_id}.+" \
                              fr"timestamp\": \"({timestamp_regex})\""
 
     query = e2e.make_query([
@@ -56,7 +57,7 @@ def test_yara_integration(configure_environment, metadata, get_dashboard_credent
         },
         {
           "term": {
-            "rule.description": f"{rule_description}"
+            "data.yara_rule": f"{data_yara_rule}"
           }
         }
     ])