Hey all, my goal is to lookup the sha1 hash from the 550 syscheck alert in
a CDB database but I'm not having any luck.
I've tried the following things to get an alert to happen on a hash from
the 550 alert:
1. Wrote a simple decoder to decode the sha1sum as the id field and then
look up the key in a CDB (see bottom of e-mail). I rebuilt the CDB files
after each change.
2. Match the sha1sum from a 550 alert using <match>:
<rule id="110000" level="13">
<if_sid>550</if_sid>
<match>b493df1da32686b27ec147987882c805d3ff6263</match>
<options>no_email_alert</options>
<description>Hash found</description>
</rule>
3. Match the sha1sum from a 550 alert using <id> (decoder is shown at
bottom of e-mail):
<rule id="110001" level="14">
<if_sid>550</if_sid>
<match>New sha1sum</match>
<decoded_as>integrity_new_hash</decoded_as>
<id>b493df1da32686b27ec147987882c805d3ff6263</id>
<options>no_email_alert</options>
<description>Hash found</description>
</rule>
Regarding number 2: I can <match> on the changed file (e.g.
<match>/etc/shadow</match>) from a 550 alert without problem, so this leads
me to believe that it's not possible to match on the hash from the alert
(hopefully I'm instead making a mistake).
Here's an example alert that contains the hash used in the rules above
that I'm trying to work with.
** Alert 1450383324.3842774: - ossec,syscheck,
2015 Dec 17 20:15:24 (server2) 1.1.1.2 ->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/sysconfig/sshd'
Size changed from '438' to '0'
Old sha1sum was: '95bb6b667f597ac3a9146c184865b2a3efe50047'
New sha1sum is : 'b493df1da32686b27ec147987882c805d3ff6263'
# <--- this is the hash I'm trying to match on in the rules above
I have a simple decoder that will put the sha1sum in the id field.
<decoder name="integrity_new_hash">
<prematch>New sha1sum is : |New md5sum is : </prematch>
</decoder>
<decoder name="integrity_get_hash">
<parent>integrity_new_hash</parent>
<regex offset="after_parent">'(\w+)'</regex>
<order>id</order>
</decoder>
<rule id="110001" level="13">
<if_sid>550</if_sid>
<match>sha1sum</match>
<options>no_email_alert</options>
<description>Hash found in malware database!</description>
</rule>
ossec-testrule: Type one log per line.
New sha1sum is : 'b493df1da32686b27ec147987882c805d3ff6263'
# <-- pasted hash line
**Phase 1: Completed pre-decoding.
full event: 'New sha1sum is :
'b493df1da32686b27ec147987882c805d3ff6263''
hostname: 'ossec-sec'
program_name: '(null)'
log: 'New sha1sum is : 'b493df1da32686b27ec147987882c805d3ff6263''
**Phase 2: Completed decoding.
decoder: 'integrity_new_hash'
id: 'b493df1da32686b27ec147987882c805d3ff6263'
# <--- yay, it's now referenced as id.
Any help is appreciated
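As an added, stand-alone example (not from the original post and not the OSSEC engine itself): the same lookup done outside OSSEC, so the hash extraction from a rule 550 alert and the CDB key:value match can be checked independently of the decoder chain. The alert text and the one-line list are constructed from the post; OSSEC's key:value source format for CDB lists (the input to ossec-makelists) is assumed, and the md5sum handling mirrors the post's prematch.

```python
import re

# Constructed sample: the rule 550 alert body quoted in the post above.
SAMPLE_ALERT = """\
** Alert 1450383324.3842774: - ossec,syscheck,
2015 Dec 17 20:15:24 (server2) 1.1.1.2 ->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/sysconfig/sshd'
Size changed from '438' to '0'
Old sha1sum was: '95bb6b667f597ac3a9146c184865b2a3efe50047'
New sha1sum is : 'b493df1da32686b27ec147987882c805d3ff6263'
"""
# Constructed CDB source in OSSEC's key:value text form (assumed input to
# ossec-makelists); the key is the new sha1sum from the alert.
SAMPLE_CDB_TEXT = "b493df1da32686b27ec147987882c805d3ff6263:known-bad sshd sysconfig\n"

# Same two lines the post's prematch targets; the quoted hex is the hash.
NEW_HASH_RE = re.compile(r"^New (sha1sum|md5sum) is\s*:\s*'([0-9a-fA-F]+)'", re.M)
FILE_RE = re.compile(r"^Integrity checksum changed for: '([^']+)'", re.M)

def load_cdb_list(text):
    """key:value lines -> dict; keys lowercased so hash case never matters."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            entries[key.strip().lower()] = value.strip()
    return entries

def parse_syscheck_alert(alert):
    """(path, hash_type, new_hash) from a rule 550 alert, or None if no new hash."""
    hm = NEW_HASH_RE.search(alert)
    if hm is None:
        return None
    fm = FILE_RE.search(alert)
    return (fm.group(1) if fm else None), hm.group(1), hm.group(2).lower()

def lookup_alert_hash(alert, cdb):
    """Look the alert's new checksum up in the list; None means no hit."""
    parsed = parse_syscheck_alert(alert)
    if parsed is None or parsed[2] not in cdb:
        return None
    path, hash_type, new_hash = parsed
    return {"path": path, "hash_type": hash_type, "hash": new_hash, "list_value": cdb[new_hash]}
```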