Hi BJ,

I did not know about that post; it looks great but it is a bit outdated.
It helped me to add that functionality (code pieces) to the Wazuh master
branch. Wazuh is already using SQLite internally for some DBs (agent
keys, syscheck data...), so the libraries are already compiled there.
Everything is working in my lab as expected: every syscheck event is being
checked against the checksum DB created with the Python script, and if there is
a match, the alert won't be generated.

I am attaching the patch and the fixed Python script (the one on the blog
was not working).

PS: I assume the errors you had were related to not compiling / including
the SQLite libraries properly.

Regards,
Pedro Sanchez.

On Thu, Mar 9, 2017 at 1:33 AM, BJ <b...@bjtaylor.net> wrote:

> Thank you Pedro. That's good information.
>
> With that in mind, I've decided to give this a try:
> https://blog.rootshell.be/2013/05/13/improving-file-integrity-monitoring-with-ossec/
>
> Basically, he patched the code to make it look at a sqlite3 database prior
> to alerting.
>
> Unfortunately, the code is a bit old, and I'm not sure he included all of
> the steps. I couldn't use his patch because I wanted the latest code, so I
> created my own based on his (attached). And although I have installed
> libsqlite3-dev, it fails to compile. I keep getting the following, which
> suggests it isn't pulling the code in from sqlite3.h for some reason.
>
> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:845: undefined reference to `debug0'
> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:849: undefined reference to `sqlite3_open'
> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:852: undefined reference to `sqlite3_prepare_v2'
> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:854: undefined reference to `sqlite3_step'
> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:859: undefined reference to `sqlite3_finalize'
> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:860: undefined reference to `sqlite3_close'
> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:861: undefined reference to `debug0'
> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:865: undefined reference to `sqlite3_finalize'
> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:866: undefined reference to `sqlite3_close'
>
> Now, I haven't coded in C since... high school? Like 20 years ago. I
> remember some things, and have googled others, but I'm in over my head. I
> can't seem to figure out how to fix this, or what I might have done wrong.
> FYI, I'm on Ubuntu 16.04.
>
> If anyone could help me, I'd appreciate it.
>
> Thanks,
> BJ
>
> On Wednesday, March 8, 2017 at 9:14:45 AM UTC-7, Pedro Sanchez wrote:
>
>> Hi,
>>
>> I like your intention to create a checksum whitelist using CDB lists;
>> I think it would be great functionality. Unfortunately you won't be able
>> to do it, since OSSEC lists do not allow matching on the
>> "syscheck.md5_after" field.
>> You can check the available fields for matching a CDB list here:
>> https://github.com/wazuh/wazuh/blob/master/src/analysisd/rules.c#L665
>> (srcip, srcport, dstip, dstport, user, url, id, hostname, program_name,
>> status and action)
>>
>> Besides that, if somehow we add the functionality to match on that field,
>> you could use a negative key match, adding the list sentence to syscheck
>> rule 550.
>>
>> Negative key match: http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/rule-lists.html#negative-key-match
>>
>> Rule 550 (syscheck integrity checksum changed) would trigger only if the
>> MD5 checksum is not present in the CDB list. This is how it would look:
>>
>> <rule id="550" level="7">
>>   <category>ossec</category>
>>   <decoded_as>syscheck_integrity_changed</decoded_as>
>>   <list field="syscheck.md5_after" lookup="not_match_key">etc/lists/whitelist_md5</list>
>>   <description>Integrity checksum changed.</description>
>>   <group>syscheck,pci_dss_11.5,</group>
>> </rule>
>>
>> whitelist_md5:
>>
>> d41d8cd98f00b204e9800998ecf8427a:file1
>> d41d8cd98f00b204e9800998ecf8427b:file2
>> d41d8cd98f00b204e9800998ecf8427c:file3
>> d41d8cd98f00b204e9800998ecf8427d:file4
>>
>> ossec.conf:
>>
>> <list>etc/lists/whitelist_md5</list>
>>
>> Compile the CDB list:
>>
>> /var/ossec/bin/ossec-makelists
>>
>> Maybe someone will figure out a different way to do this.
>>
>> Regards,
>> Pedro Sanchez.
>>
>>
>>
>> On Wed, Mar 8, 2017 at 1:13 AM, BJ <b...@bjtaylor.net> wrote:
>>
>>> I've seen the possibility mentioned in this forum a couple of times
>>> regarding adding the ability to check an MD5sum CDB list with rules. Right
>>> now, I'm in a situation where I could use that ability. However, I can't
>>> see anywhere that describes how to use it. Was that ever implemented?
>>> Frankly, I'm interested enough in this feature that I'd do it myself if I
>>> could, but I don't know C/C++, and only do scripting in Python.
>>>
>>> I'm trying to monitor a web folder for changes, but of course I don't
>>> want to be alerted on every file when a release is done (they can be done
>>> at any time of day too). I can get md5 sums of each of the files prior to
>>> the release to whitelist them for ossec, but I can't seem to figure out how
>>> to tell ossec to use that database. Any help would be appreciated.
>>>
>>> Thanks.
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to ossec-list+...@googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>

#!/usr/bin/env python3
# Build /var/ossec/etc/md5db.db from the .md5sums files that dpkg keeps for
# every installed package, so the patched syscheck decoder can look up a
# changed file's checksum before it alerts.
import fnmatch
import os
import os.path
import signal
import sqlite3
import sys

DB_PATH = '/var/ossec/etc/md5db.db'
INFO_DIR = '/var/lib/dpkg/info'

conn = None


def signal_handler(signum, frame):
    # Flush whatever has been inserted so far before exiting on Ctrl-C.
    print("Interrupted!")
    if conn:
        conn.commit()
        conn.close()
    sys.exit(0)


signal.signal(signal.SIGINT, signal_handler)
conn = sqlite3.connect(DB_PATH)
# Column names are an assumption; the table only has to match what the
# patched decoder queries. One row per file: checksum, path as listed by
# dpkg (no leading "/"), date the row was added.
conn.execute('CREATE TABLE IF NOT EXISTS files (md5 TEXT, path TEXT, added TEXT)')

for name in os.listdir(INFO_DIR):
    if not fnmatch.fnmatch(name, '*.md5sums'):
        continue
    c = conn.cursor()
    with open(os.path.join(INFO_DIR, name), 'r') as f:
        for line in f:
            # dpkg format: "<md5>  <path relative to />"; paths may contain
            # spaces, so split on the first whitespace run only.
            fields = line.rstrip('\n').split(None, 1)
            if len(fields) != 2:
                continue
            try:
                # Parameterised insert instead of building the SQL by string
                # concatenation from file contents.
                c.execute("INSERT INTO files VALUES (?, ?, date('now'))",
                          (fields[0], fields[1]))
            except sqlite3.Error as e:
                print("%s: %s" % (fields[0], e.args[0]))
    conn.commit()
conn.close()

Attachment: wazuh-master-md5dbchecksum-patch.patch
Description: Binary data
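The lookup side of the approach discussed in this thread, as an added example that is not part of the thread, the attached patch, or Wazuh itself: it loads md5sums-format text into an in-memory table shaped like the one the script above populates (the column names are an assumption) and then makes the decision the patched syscheck decoder has to make, whether a changed file's md5_after is a known-good checksum so that the alert should be suppressed. Whether the path must match as well is a design choice; the thread does not say what the patch does, so the example exposes both behaviours through a hypothetical require_path flag. dpkg's .md5sums files list paths without a leading slash while syscheck reports absolute paths, so the lookup normalises them. The sample checksums and paths are constructed.

```python
import sqlite3

# Constructed sample in dpkg's .md5sums format: "<md5>  <path relative to />".
# The second path contains a space on purpose.
SAMPLE_MD5SUMS = """\
5d41402abc4b2a76b9719d911017c592  usr/bin/example
7d793037a0760186574b0282f2f435e7  usr/share/example/with space.txt
"""


def open_whitelist(md5sums_text):
    """Load md5sums-format text into an in-memory table shaped like the one
    the attached script populates. Column names are assumed."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE files (md5 TEXT, path TEXT, added TEXT)')
    for line in md5sums_text.splitlines():
        # Split on the first whitespace run only, so paths may contain spaces.
        fields = line.split(None, 1)
        if len(fields) != 2:
            continue
        conn.execute("INSERT INTO files VALUES (?, ?, date('now'))",
                     (fields[0].lower(), fields[1]))
    conn.commit()
    return conn


def _dpkg_path(syscheck_path):
    # syscheck reports absolute paths; dpkg lists them without the leading "/".
    return syscheck_path.lstrip('/')


def whitelisted(conn, path, md5_after, require_path=True):
    """True if (path, md5_after) is a known-good file.

    require_path=True: the checksum must be recorded for this exact path.
    require_path=False: any packaged file with that checksum counts, which
    also accepts known-good content copied to a path where it does not belong.
    """
    md5 = md5_after.lower()          # syscheck and dpkg both use lowercase hex
    if require_path:
        row = conn.execute('SELECT 1 FROM files WHERE md5 = ? AND path = ?',
                           (md5, _dpkg_path(path))).fetchone()
    else:
        row = conn.execute('SELECT 1 FROM files WHERE md5 = ?',
                           (md5,)).fetchone()
    return row is not None


def should_alert(conn, path, md5_after, require_path=True):
    """The decision in front of rule 550: alert unless the new checksum is
    whitelisted for this file."""
    return not whitelisted(conn, path, md5_after, require_path)


if __name__ == '__main__':
    db = open_whitelist(SAMPLE_MD5SUMS)
    # A release that put the packaged content in place: suppressed.
    print(should_alert(db, '/usr/bin/example',
                       '5d41402abc4b2a76b9719d911017c592'))
    # The same known-good content at an unexpected path: alerts in strict
    # mode, suppressed in checksum-only mode.
    print(should_alert(db, '/usr/local/bin/example',
                       '5d41402abc4b2a76b9719d911017c592'))
    print(should_alert(db, '/usr/local/bin/example',
                       '5d41402abc4b2a76b9719d911017c592', require_path=False))
```

Checksum-only matching (require_path=False) is the more permissive mode: any content that exists somewhere in an installed package is accepted at any path, so a known-good binary copied into a web root would never raise rule 550. On the link errors quoted earlier in the thread: "undefined reference to `sqlite3_open'" is reported by the linker, not the compiler, and is resolved by adding -lsqlite3 to the link step; having sqlite3.h on the include path is not sufficient on its own.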
