That is the right branch. Yes, it does. It is fully compatible with standard OSSEC clients; you could upgrade just the Manager side.
Apply the patch by running:

    patch -p0 < wazuh-master-md5dbchecksum-patch.patch

BTW, I am not sure, but I assume you could use the same patch for the OSSEC master branch. I think there are some changed lines, but you could try it.

Regards,
Pedro.

On Thu, Mar 9, 2017 at 5:45 PM, BJ <b...@bjtaylor.net> wrote:
> Awesome Pedro.
>
> I'll give this a try. Just for clarification, is this the correct Wazuh master branch? https://github.com/wazuh/wazuh
>
> And do you know if it works with the standard ossec clients? Or will I need to install new clients on my servers for this to work?
>
> Thanks,
> BJ
>
> On Thursday, March 9, 2017 at 8:46:59 AM UTC-7, Pedro Sanchez wrote:
>> Hi BJ,
>>
>> I did not know about that post; it looks great but it is a bit outdated. It helped me to add that functionality (code pieces) to the Wazuh master branch. Wazuh is already using SQLite internally for some DBs (agent keys, syscheck data...), so the libraries are already compiled there. Everything is working in my labs as expected: every syscheck event is being checked against the checksum DB created with the Python script, and if there is a match, the alert won't be generated.
>>
>> I am attaching the patch and the fixed Python script (the one on the blog was not working).
>>
>> PS: I assume the errors you had were related to not compiling / including the SQLite libraries properly.
>>
>> Regards,
>> Pedro Sanchez.
>>
>> On Thu, Mar 9, 2017 at 1:33 AM, BJ <b...@bjtaylor.net> wrote:
>>> Thank you Pedro. That's good information.
>>>
>>> With that in mind, I've decided to give this a try:
>>> https://blog.rootshell.be/2013/05/13/improving-file-integrity-monitoring-with-ossec/
>>>
>>> Basically, he patched the code to make it look at a sqlite3 database prior to alerting.
>>>
>>> Unfortunately, the code is a bit old, and I'm not sure he included all of the steps.
>>> I couldn't use his patch because I wanted the latest code, so I created my own based on his (attached). And although I have installed libsqlite3-dev, it fails to compile. I keep getting the following, which suggests it isn't pulling the code in from sqlite3.h for some reason.
>>>
>>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:845: undefined reference to `debug0'
>>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:849: undefined reference to `sqlite3_open'
>>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:852: undefined reference to `sqlite3_prepare_v2'
>>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:854: undefined reference to `sqlite3_step'
>>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:859: undefined reference to `sqlite3_finalize'
>>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:860: undefined reference to `sqlite3_close'
>>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:861: undefined reference to `debug0'
>>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:865: undefined reference to `sqlite3_finalize'
>>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:866: undefined reference to `sqlite3_close'
>>>
>>> Now, I haven't coded in C since.... high school? Like 20 years ago. I remember some things, and have googled others, but I'm in over my head. I can't seem to figure out how to fix this, or what I might have done wrong. FYI, I'm on Ubuntu 16.04.
>>>
>>> If anyone could help me, I'd appreciate it.
>>>
>>> Thanks,
>>> BJ
>>>
>>> On Wednesday, March 8, 2017 at 9:14:45 AM UTC-7, Pedro Sanchez wrote:
>>>> Hi,
>>>>
>>>> I like your intention to create a whitelist for checksums using CDB lists; I think it will be a great functionality.
>>>> Unfortunately you won't be able to do it, since OSSEC lists do not allow matching on the "syscheck.md5_after" field.
>>>> You can check here the available fields for matching a CDB list:
>>>> https://github.com/wazuh/wazuh/blob/master/src/analysisd/rules.c#L665
>>>> (srcip, srcport, dstip, dstport, user, url, id, hostname, program_name, status and action)
>>>>
>>>> Besides that, if somehow we add the functionality to match on that field, you could use a negative key match, adding the list sentence to syscheck rule 550.
>>>>
>>>> Negative key match: http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/rule-lists.html#negative-key-match
>>>>
>>>> Rule 550, for "syscheck integrity checksum changed", will trigger only if the md5 checksum is not present on the CDB list. This is how it would look:
>>>>
>>>>     <rule id="550" level="7">
>>>>       <category>ossec</category>
>>>>       <decoded_as>syscheck_integrity_changed</decoded_as>
>>>>       <list field="syscheck.md5_after" lookup="not_match_key">etc/lists/whitelist_md5</list>
>>>>       <description>Integrity checksum changed.</description>
>>>>       <group>syscheck,pci_dss_11.5,</group>
>>>>     </rule>
>>>>
>>>> whitelist_md5
>>>>
>>>>     d41d8cd98f00b204e9800998ecf8427a:file1
>>>>     d41d8cd98f00b204e9800998ecf8427b:file2
>>>>     d41d8cd98f00b204e9800998ecf8427c:file3
>>>>     d41d8cd98f00b204e9800998ecf8427d:file4
>>>>
>>>> ossec.conf
>>>>
>>>>     <list>etc/lists/whitelist_md5</list>
>>>>
>>>> Compile CDB List
>>>>
>>>>     /var/ossec/bin/ossec-makelists
>>>>
>>>> Maybe someone can figure out a different way to do this.
>>>>
>>>> Regards,
>>>> Pedro Sanchez.
>>>>
>>>> On Wed, Mar 8, 2017 at 1:13 AM, BJ <b...@bjtaylor.net> wrote:
>>>>> I've seen the possibility mentioned in this forum a couple of times regarding adding the ability to check an MD5sum CDB list with rules. Right now, I'm in a situation where I could use that ability.
>>>>> However, I can't see anywhere that describes how to use it. Was that ever implemented? Frankly, I'm interested enough in this feature that I'd do it myself if I could, but I don't know C/C++, and only do scripting in Python.
>>>>>
>>>>> I'm trying to monitor a web folder for changes, but of course I don't want to be alerted on every file when a release is done (they can be done at any time of day too). I can get md5 sums of each of the files prior to the release to whitelist them for ossec, but I can't seem to figure out how to tell ossec to use that database. Any help would be appreciated.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
>>>>> For more options, visit https://groups.google.com/d/optout.
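An added example, not code from the thread, from the rootshell blog post, or from OSSEC/Wazuh itself: the pre-release whitelisting workflow discussed above, in Python (the language BJ scripts in). It walks a release directory, computes the MD5 of every file, and writes the whitelist in the two shapes the thread talks about: a CDB list source file in the `md5:file` form Pedro shows (to be compiled with `ossec-makelists`), and an SQLite checksum database of the kind the patched decoder consults. It then evaluates a syscheck `md5_after` value the way a `not_match_key` lookup on rule 550 would, so the release files are silenced and an unknown file still alerts. The `checksums` table and its columns are an assumption of this example (the blog's patch and Pedro's script define their own schema), and the release tree and syscheck events are constructed inline.

```python
"""Build an MD5 whitelist of a release tree and apply a negative key match.

Added example: not part of the ossec-list thread nor of OSSEC/Wazuh.
The SQLite schema (table "checksums", columns md5/path) is an assumption.
"""
import hashlib
import sqlite3
import tempfile
from pathlib import Path


def md5_of_file(path, chunk=1 << 16):
    """Stream the file so large release artefacts do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect_checksums(root):
    """Return {relative_posix_path: md5} for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): md5_of_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_cdb_source(checksums, dest):
    """Write the CDB list source: the md5 is the key, the path the value,
    matching Pedro's whitelist_md5 layout. Compile it afterwards with
    /var/ossec/bin/ossec-makelists. Returns the number of entries."""
    lines = [f"{md5}:{path}" for path, md5 in sorted(checksums.items())]
    Path(dest).write_text("\n".join(lines) + "\n")
    return len(lines)


def write_sqlite_db(checksums, dest):
    """Store the same whitelist in SQLite (assumed schema, see docstring)."""
    conn = sqlite3.connect(dest)
    conn.execute("CREATE TABLE IF NOT EXISTS checksums (md5 TEXT PRIMARY KEY, path TEXT)")
    conn.execute("DELETE FROM checksums")
    conn.executemany("INSERT INTO checksums VALUES (?, ?)",
                     [(md5, path) for path, md5 in checksums.items()])
    conn.commit()
    conn.close()


def load_cdb_keys(source):
    """Read the key side (md5) of every key:value line in a CDB source file."""
    keys = set()
    for line in Path(source).read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keys.add(line.partition(":")[0].lower())
    return keys


def should_alert(md5_after, whitelist_keys):
    """Negative key match: fire rule 550 only when md5_after is NOT listed."""
    return md5_after.lower() not in whitelist_keys


def md5_in_db(md5_after, db_path):
    """The lookup a patched syscheck decoder would do before alerting."""
    conn = sqlite3.connect(db_path)
    row = conn.execute("SELECT 1 FROM checksums WHERE md5 = ?",
                       (md5_after.lower(),)).fetchone()
    conn.close()
    return row is not None


def demo():
    """Constructed release tree plus two constructed syscheck md5_after values.
    Returns {event_name: (alert_under_cdb_rule, md5_found_in_sqlite)}."""
    with tempfile.TemporaryDirectory() as tmp:
        rel = Path(tmp, "release")
        (rel / "js").mkdir(parents=True)
        (rel / "index.html").write_text("<html>release 1.2</html>\n")
        (rel / "js" / "app.js").write_text("console.log('v1.2');\n")

        checksums = collect_checksums(rel)
        cdb, db = Path(tmp, "whitelist_md5"), str(Path(tmp, "checksums.db"))
        write_cdb_source(checksums, cdb)
        write_sqlite_db(checksums, db)
        keys = load_cdb_keys(cdb)

        # Constructed events: one file from the release, one dropped afterwards.
        events = {
            "index.html": checksums["index.html"],
            "webshell.php": hashlib.md5(b"<?php system($_GET['c']); ?>").hexdigest(),
        }
        return {name: (should_alert(m, keys), md5_in_db(m, db))
                for name, m in events.items()}


if __name__ == "__main__":
    for name, (alert, in_db) in demo().items():
        print(f"{name}: alert={alert} in_sqlite_db={in_db}")
```

Regenerate both artefacts as part of the release pipeline, before the files land in the monitored directory, so the whitelist is in place when syscheck reports the change; anything syscheck sees whose checksum is not in the list (a file dropped outside the release) still produces the rule 550 alert.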