Hi Andy,

You can look at the syscheck database and check for any file with that hash, but you can't set up syscheck to look directly for them.

For example, if I am looking for the hash of /bin/ls:

# md5 /bin/ls
MD5 (/bin/ls) = 0c10c7ad7fc0954fe9555b4b97189a7e

# grep -r 0c10c7ad7fc0954fe9555b4b97189a7e /var/ossec/queue/syscheck/*
/var/ossec/queue/syscheck/syscheck:+++170528:33133:0:7:0c10c7ad7fc0954fe9555b4b97189a7e:5c50d2ea78faaeb5867985a7d1ca2c6315b0da62 !1218131143 /bin/ls

That should get you close. You can also set up a local rule, so that whenever a given hash is found, it will generate a high severity alert...

<rule id="100345" level="12">
  <if_matched_group>syscheck</if_matched_group>
  <description>Hash found.</description>
  <match>0c10c7ad7fc0954fe9555b4b97189a7e</match>
</rule>

Thanks,

-- 
Daniel B. Cid
dcid ( at ) ossec.net

On Mon, Mar 16, 2009 at 12:55 PM, Andy Tripp <[email protected]> wrote:
> Is it possible with Syscheck to scan for a certain hash value on a file in
> Windows and alert if found?
>
> If so, can someone give me pointers??
>
> Thanks,
>
> -Andy
>
> ________________________________
> CONFIDENTIALITY NOTICE: This correspondence, and all attachments transmitted
> with it, may contain legally privileged and confidential information
> intended solely for the use of the intended recipient. If the reader of this
> message is not the intended recipient or the employee or agent responsible
> to deliver it to the intended recipient, you are hereby notified that any
> reading, dissemination, distribution, copying or other use of this
> communication is strictly prohibited. If you have received this message in
> error, please notify the sender immediately by telephone at 580.213.1730, or
> by electronic mail [email protected], and delete this message and all
> copies and backups thereof. Failure to comply with this confidentiality
> notice may result in criminal or civil penalties and/or prosecution.
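The grep in Daniel's reply works for one hash at a time, but it also shows the layout of a syscheck database entry, which is enough to do the lookup properly. The script below is an added example, not code from the post or from the OSSEC project: it parses entries of the form shown above (change flags, then size:perms:uid:gid:md5:sha1, an optional " !mtime", then the path), matches every entry's MD5 and SHA1 against a list of wanted hashes, and can walk a whole database directory. The default directory, the per-agent file layout, and the SAMPLE_DB lines are assumptions made for the example (the hashes in the sample are real digests of known inputs, but the paths, sizes and times are constructed).

```python
"""Look up file hashes in OSSEC's server-side syscheck database.

Added example, not OSSEC's own code. Assumes the entry layout seen in the post:
    [+-]...size:perms:uid:gid:md5:sha1 [!mtime] path
and the default database location /var/ossec/queue/syscheck (assumption).
"""
import os
import re
import sys
from typing import Dict, Iterable, Iterator, List, NamedTuple, Optional, Tuple

SYSCHECK_DB_DIR = "/var/ossec/queue/syscheck"  # default OSSEC path (assumption)

# Constructed sample database. The first line is the /bin/ls entry from the post;
# the others use the well-known digests of "" and of the "quick brown fox" sentence.
SAMPLE_DB = """\
+++170528:33133:0:7:0c10c7ad7fc0954fe9555b4b97189a7e:5c50d2ea78faaeb5867985a7d1ca2c6315b0da62 !1218131143 /bin/ls
+++0:33188:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1218131200 /etc/empty file
+++43:33261:0:0:9e107d9d372bb6826bd81d3542a419d6:2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 /usr/local/bin/tool
# not a database entry
"""

# Leading +/- characters are change flags; perms is the decimal st_mode;
# " !mtime" is optional; the path is everything after the next space (may contain spaces).
ENTRY_RE = re.compile(
    r"^(?P<flags>[+-]*)"
    r"(?P<size>\d+):(?P<perms>\d+):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<md5>[0-9a-fA-F]{32}):(?P<sha1>[0-9a-fA-F]{40})"
    r"(?: !(?P<mtime>\d+))?"
    r" (?P<path>.+)$"
)


class Entry(NamedTuple):
    path: str
    size: int
    perms: str          # octal st_mode, e.g. "0o100555"
    uid: int
    gid: int
    md5: str
    sha1: str
    mtime: Optional[int]


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one database line; return None for anything that is not an entry."""
    m = ENTRY_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return Entry(
        path=m["path"],
        size=int(m["size"]),
        perms=oct(int(m["perms"])),
        uid=int(m["uid"]),
        gid=int(m["gid"]),
        md5=m["md5"].lower(),
        sha1=m["sha1"].lower(),
        mtime=int(m["mtime"]) if m["mtime"] else None,
    )


def parse_db(lines: Iterable[str]) -> Iterator[Entry]:
    for line in lines:
        entry = parse_entry(line)
        if entry is not None:
            yield entry


def find_hashes(lines: Iterable[str], wanted: Iterable[str]) -> List[Tuple[str, Entry]]:
    """Return (matched_hash, entry) for each entry whose MD5 or SHA1 is in wanted.

    Hash comparison is case-insensitive; blank items in wanted are ignored.
    """
    wanted_set = {h.strip().lower() for h in wanted if h.strip()}
    hits: List[Tuple[str, Entry]] = []
    for entry in parse_db(lines):
        for digest in (entry.md5, entry.sha1):
            if digest in wanted_set:
                hits.append((digest, entry))
                break
    return hits


def scan_db_dir(db_dir: str, wanted: Iterable[str]) -> Dict[str, List[Tuple[str, Entry]]]:
    """Run find_hashes over every file in db_dir; on a server that is one file per agent."""
    wanted_list = list(wanted)
    results: Dict[str, List[Tuple[str, Entry]]] = {}
    for name in sorted(os.listdir(db_dir)):
        full = os.path.join(db_dir, name)
        if not os.path.isfile(full):
            continue
        with open(full, errors="replace") as fh:
            hits = find_hashes(fh, wanted_list)
        if hits:
            results[name] = hits
    return results


if __name__ == "__main__":
    # usage: python syscheck_hash_lookup.py <hashfile> [db_dir]
    with open(sys.argv[1]) as fh:
        hashes = fh.read().split()
    db_dir = sys.argv[2] if len(sys.argv) > 2 else SYSCHECK_DB_DIR
    for db_name, db_hits in scan_db_dir(db_dir, hashes).items():
        for digest, entry in db_hits:
            print(f"{db_name}\t{digest}\t{entry.path}\tmtime={entry.mtime}")
```

The hash list can be either MD5 or SHA1 values, one per line, so an IOC list can be fed in as-is. Since the server keeps a separate database file per agent under that directory, running it there also answers Andy's Windows question for any agent reporting to the server; a hash that is absent from every file simply produces no output.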
