Bivash Nayak
04 Nov

CYBERDUDEBIVASH Wazuh Ransomware Rules — v1.1 (Linux add-on + Active Response pack)

All set. Grab the new bundle with Linux detections and ready-to-wire Active Response.

What’s new in v1.1

  • Linux add-on rules (IDs 881100–881109): FIM bursts, ransom-note patterns, snapshot/backup tampering, crypto/archiver misuse, history clearing, bulk chmod/chattr, rclone/mega exfil, LVM snapshot removal, SSH key access bursts.
  • Active Response pack (Windows + Linux):
    • kill-process.ps1 / kill-process.sh
    • isolate-host.ps1 (Windows Firewall) / isolate-host.sh (iptables)
  • Drop-in ossec.conf snippets to wire commands + AR triggers to our rule IDs.

Install (quick)

  1. Copy the two XML rules files into /var/ossec/etc/rules.d/ (or append to local_rules.xml).
  2. Copy scripts from active_response/ to /var/ossec/active-response/bin/ (Linux scripts are already +x).
  3. Merge the snippet into /var/ossec/etc/ossec.conf under <commands> and <active-response>.
  4. Replace the placeholder Manager IP in the isolation scripts.
  5. Restart Wazuh Manager/Agents.
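As an added illustration of step 3 (this is not the bundle's own snippet), the wiring in /var/ossec/etc/ossec.conf uses Wazuh 4.x syntax: one `<command>` block per script, plus one `<active-response>` block that binds a command to rule IDs and a location. The rule IDs shown are taken from the bundle's Linux range (881100–881109), but which ID covers which detection is an assumption here; substitute the IDs you actually want to act on. The isolation trigger is left commented out so that only kill-process fires until alerts have been verified.

```xml
<ossec_config>
  <!-- Added example, not the bundle's own snippet. One <command> per script. -->
  <command>
    <name>kill-process</name>
    <!-- Resolved relative to /var/ossec/active-response/bin/ on the agent -->
    <executable>kill-process.sh</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <command>
    <name>isolate-host</name>
    <executable>isolate-host.sh</executable>
    <!-- Allow a timeout so a test isolation is reverted automatically -->
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Stage 1: kill-process only, run on the agent that raised the alert -->
  <active-response>
    <command>kill-process</command>
    <location>local</location>
    <!-- Assumption: IDs chosen from the 881100-881109 range; adjust to your needs -->
    <rules_id>881100,881101</rules_id>
  </active-response>

  <!-- Stage 2: host isolation. Keep disabled until alerts are verified in a lab -->
  <!--
  <active-response>
    <command>isolate-host</command>
    <location>local</location>
    <rules_id>881102</rules_id>
    <timeout>600</timeout>
  </active-response>
  -->
</ossec_config>
```

The Windows scripts are wired the same way with their own `<command>` entries pointing at the .ps1 variants. Because the `<location>` is `local`, each response runs on the agent that produced the alert, so a Linux rule never triggers the Windows script and vice versa.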

Safety

  • Test in a lab first. Start with kill-process only; enable isolation after verifying alerts to avoid disconnecting production hosts.

