Whoops, here's the rule for #1:

  <rule id="110002" level="13">
    <if_sid>550</if_sid>
    <decoded_as>integrity_new_hash</decoded_as>
    <list field="id" lookup="match_key">lists/hash.list</list>
    <description>Hash found</description>
  </rule>

On Thursday, December 17, 2015 at 2:40:21 PM UTC-6, Jon Schipp wrote:
>
> Hey all, my goal is to look up the sha1 hash from the 550 syscheck alert in 
> a CDB database, but I'm not having any luck.
> I've tried the following things to get an alert to happen on a hash from 
> the 550 alert:
>
> 1. Wrote a simple decoder to decode the sha1sum as the id field and then 
> look up the key in a CDB (see bottom of e-mail). I rebuilt the CDB files 
> after each change.
>
> 2. Match the sha1sum from a 550 alert using <match>
>
>   <rule id="110000" level="13">
>     <if_sid>550</if_sid>
>     <match>b493df1da32686b27ec147987882c805d3ff6263</match>
>     <options>no_email_alert</options>
>     <description>Hash found</description>
>   </rule>
>
> 3. Match the sha1sum from a 550 alert using <id> (decoder is shown at 
> bottom of e-mail)
>
>   <rule id="110001" level="14">
>     <if_sid>550</if_sid>
>     <match>New sha1sum</match>
>     <decoded_as>integrity_new_hash</decoded_as>
>     <id>b493df1da32686b27ec147987882c805d3ff6263</id>
>     <options>no_email_alert</options>
>     <description>Hash found</description>
>   </rule>
>
> Regarding number 2: I can <match> on the changed file (e.g. 
> <match>/etc/shadow</match>) from a 550 alert without a problem, so this leads 
> me to believe that it's not possible to match on the hash from the alert 
> (hopefully I'm just making a mistake instead).
>  
> Here's an example alert that contains the hash used in the rules above 
> that I'm trying to work with.
>
> ** Alert 1450383324.3842774: - ossec,syscheck,
> 2015 Dec 17 20:15:24 (server2) 1.1.1.2 ->syscheck
> Rule: 550 (level 7) -> 'Integrity checksum changed.'
> Integrity checksum changed for: '/etc/sysconfig/sshd'
> Size changed from '438' to '0'
> Old sha1sum was: '95bb6b667f597ac3a9146c184865b2a3efe50047'
> New sha1sum is : 'b493df1da32686b27ec147987882c805d3ff6263'   # <--- this 
> is the hash I'm trying to match on in the rules above
>
>
> I have a simple decoder that will put the sha1sum in the id field.
>
> <decoder name="integrity_new_hash">
>   <prematch>New sha1sum is : |New md5sum is : </prematch>
> </decoder>
>
> <decoder name="integrity_get_hash">
>   <parent>integrity_new_hash</parent>
>   <regex offset="after_parent">'(\w+)'</regex>
>   <order>id</order>
> </decoder>
>
>   <rule id="110001" level="13">
>     <if_sid>550</if_sid>
>     <match>sha1sum</match>
>     <options>no_email_alert</options>
>     <description>Hash found in malware database!</description>
>   </rule>
>
> ossec-testrule: Type one log per line.
>
> New sha1sum is : 'b493df1da32686b27ec147987882c805d3ff6263'   # <-- pasted 
> hash line
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'New sha1sum is : 
> 'b493df1da32686b27ec147987882c805d3ff6263''
>        hostname: 'ossec-sec'
>        program_name: '(null)'
>        log: 'New sha1sum is : 'b493df1da32686b27ec147987882c805d3ff6263''
>
> **Phase 2: Completed decoding.
>        decoder: 'integrity_new_hash'
>        id: 'b493df1da32686b27ec147987882c805d3ff6263'  # <--- yay, it's 
> now referenced as id.
>
> Any help is appreciated
>

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
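As an added example (my own code, not from the original post and not part of OSSEC), here is a small Python script that does outside OSSEC what rule 110002 is meant to do inside it: pull the `New sha1sum is :` (or `New md5sum is :`) value out of a 550 alert block and look it up in a `key:value` hash list of the kind `ossec-makelists` compiles into `lists/hash.list`. The alert text and the list contents are constructed from the format quoted above; the function names and the list descriptions are my own. It also handles the two cases the rules above have to survive: an alert with no `New ... is :` line at all, and hash case differing between the alert and the list.

```python
import re

# Constructed sample alert, laid out like the 550 alert quoted in the thread
# (not captured from a live OSSEC install).
SAMPLE_ALERT = """** Alert 1450383324.3842774: - ossec,syscheck,
2015 Dec 17 20:15:24 (server2) 1.1.1.2 ->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/sysconfig/sshd'
Size changed from '438' to '0'
Old sha1sum was: '95bb6b667f597ac3a9146c184865b2a3efe50047'
New sha1sum is : 'b493df1da32686b27ec147987882c805d3ff6263'
"""

# Constructed hash list in the key:value layout that ossec-makelists turns
# into a CDB. Only the key (the digest) is looked up; the value is free text.
HASH_LIST = """b493df1da32686b27ec147987882c805d3ff6263:truncated sshd sysconfig
d41d8cd98f00b204e9800998ecf8427e:md5 of empty input
"""

# Matches the "New sha1sum is : '...'" / "New md5sum is : '...'" lines only,
# deliberately ignoring the "Old sha1sum was:" line.
CHECKSUM_RE = re.compile(
    r"^New (?P<algo>sha1sum|md5sum) is\s*:\s*'(?P<hash>[0-9A-Fa-f]+)'",
    re.MULTILINE,
)
FILE_RE = re.compile(
    r"^Integrity checksum changed for: '(?P<path>[^']+)'", re.MULTILINE
)


def parse_hash_list(text):
    """Parse key:value lines into a dict keyed on the lower-cased digest.
    Blank lines and '#' comments are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entries[key.strip().lower()] = value.strip()
    return entries


def extract_new_checksums(alert):
    """Return {'sha1sum': digest, 'md5sum': digest} for every 'New ... is :'
    line in the alert; an alert without such lines yields {}."""
    return {
        m.group("algo"): m.group("hash").lower()
        for m in CHECKSUM_RE.finditer(alert)
    }


def lookup_alert(alert, hash_list):
    """Emulate rule 110002: return one (path, algo, digest, description)
    tuple per new checksum present in hash_list, or [] when none match."""
    entries = parse_hash_list(hash_list)
    path_m = FILE_RE.search(alert)
    path = path_m.group("path") if path_m else None
    hits = []
    for algo, digest in extract_new_checksums(alert).items():
        if digest in entries:
            hits.append((path, algo, digest, entries[digest]))
    return hits


if __name__ == "__main__":
    for hit in lookup_alert(SAMPLE_ALERT, HASH_LIST):
        print("Hash found: %s %s %s (%s)" % hit)
```

Running it against the constructed alert reports the `/etc/sysconfig/sshd` sha1 as a hit; feeding it a 550 alert whose `New sha1sum` line is absent returns nothing, which is the case a `<match>`-based rule like 110000 would also miss.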