I forgot to mention this earlier, shame on me

$ cat /etc/redhat-release
CentOS release 6.7 (Final)

$ uname -a
Linux ossec-sec.ncsa.illinois.edu 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

$ cat /etc/ossec-init.conf
DIRECTORY="/var/ossec"
VERSION="v2.8"
DATE="Wed Sep  9 18:07:24 UTC 2015"
TYPE="server"

I tried to replicate it by decoding the filename from a 550 alert and 
matching against a CDB database where absolute paths of the file are the 
key.
I'm not receiving any alerts with the configuration below.

** Alert 1450469527.2564989: - ossec,syscheck,
2015 Dec 18 20:12:07 (host1) 1.1.1.2->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/ssh/sshd_config'
Size changed from '2143' to '0'
Old sha1sum was: '5e11cd0f3f39b88753b347a5f0dcd8185edc6774'
New sha1sum is : 'facb11cea27790caac32d87f07c6b88812ccf52b'

# This alert happens immediately after which doesn't make sense to me..
** Alert 1450469527.2565356: - ossec,syscheck,
2015 Dec 18 20:12:07 (host1) 1.1.1.2->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/ssh/sshd_config'
Size changed from '0' to '2144'

<decoder name="integrity_new_file">
  <prematch>Integrity checksum changed for: </prematch>
</decoder>

<decoder name="integrity_get_file">
  <parent>integrity_new_file</parent>
  <regex offset="after_parent">'(\S+\w)'</regex>
  <order>url</order>
</decoder>

  <rule id="110000" level="13">
    <if_sid>550</if_sid>
    <decoded_as>integrity_new_file</decoded_as>
    <list field="url" lookup="match_key">lists/managed_files.list</list>
    <description>File managed by puppet</description>
  </rule>

  <rule id="110002" level="13">
    <if_sid>550</if_sid>
    <decoded_as>integrity_new_file</decoded_as>
    <list field="url" lookup="not_match_key">lists/managed_files.list</list>
    <description>File not managed by puppet</description>
  </rule>

$ /var/ossec/bin/ossec-logtest

Integrity checksum changed for: '/etc/ssh/sshd_config' # <-- pasted line
...
**Phase 1: Completed pre-decoding.
       full event: 'Integrity checksum changed for: '/etc/ssh/sshd_config''
       hostname: 'ossec-sec'
       program_name: '(null)'
       log: 'Integrity checksum changed for: '/etc/ssh/sshd_config''

**Phase 2: Completed decoding.
       decoder: 'integrity_new_file'
       url: '/etc/ssh/sshd_config'       # yay, filename is decoded as url

On Thursday, December 17, 2015 at 2:49:11 PM UTC-6, Jon Schipp wrote:
>
> Whoops, here's the rule for #1:
>
>   <rule id="110002" level="13">
>     <if_sid>550</if_sid>
>     <decoded_as>integrity_new_hash</decoded_as>
>     <list field="id" lookup="match_key">lists/hash.list</list>
>     <description>Hash found</description>
>   </rule>
>
> On Thursday, December 17, 2015 at 2:40:21 PM UTC-6, Jon Schipp wrote:
>>
>> Hey all, my goal is to look up the sha1 hash from the 550 syscheck alert 
>> in a CDB database, but I'm not having any luck.
>> I've tried the following things to get an alert to happen on a hash from 
>> the 550 alert:
>>
>> 1. Wrote a simple decoder to decode the sha1sum as the id field and then 
>> look up the key in a CDB (see bottom of e-mail). I rebuilt the CDB files 
>> after each change
>>
>> 2. Match the sha1sum from a 550 alert using <match>
>>
>>   <rule id="110000" level="13">
>>     <if_sid>550</if_sid>
>>     <match>b493df1da32686b27ec147987882c805d3ff6263</match>
>>     <options>no_email_alert</options>
>>     <description>Hash found</description>
>>   </rule>
>>
>> 3. Match the sha1sum from a 550 alert using <id> (decoder is shown at 
>> bottom of e-mail)
>>
>>   <rule id="110001" level="14">
>>     <if_sid>550</if_sid>
>>     <match>New sha1sum</match>
>>     <decoded_as>integrity_new_hash</decoded_as>
>>     <id>b493df1da32686b27ec147987882c805d3ff6263</id>
>>     <options>no_email_alert</options>
>>     <description>Hash found</description>
>>   </rule>
>>
>> Regarding number 2: I can <match> on the changed file (e.g. 
>> <match>/etc/shadow</match>) from a 550 alert without a problem, so this leads 
>> me to believe that it's not possible to match on a hash from the alert 
>> (hopefully instead I'm making a mistake).
>>  
>> Here's an example alert that contains the hash used in the rules above 
>> that I'm trying to work with.
>>
>> ** Alert 1450383324.3842774: - ossec,syscheck,
>> 2015 Dec 17 20:15:24 (server2) 1.1.1.2 ->syscheck
>> Rule: 550 (level 7) -> 'Integrity checksum changed.'
>> Integrity checksum changed for: '/etc/sysconfig/sshd'
>> Size changed from '438' to '0'
>> Old sha1sum was: '95bb6b667f597ac3a9146c184865b2a3efe50047'
>> New sha1sum is : 'b493df1da32686b27ec147987882c805d3ff6263'   # <--- this 
>> is the hash I'm trying to match on in the rules above
>>
>>
>> I have a simple decoder that will put the sha1sum in the id field.
>>
>> <decoder name="integrity_new_hash">
>>   <prematch>New sha1sum is : |New md5sum is : </prematch>
>> </decoder>
>>
>> <decoder name="integrity_get_hash">
>>   <parent>integrity_new_hash</parent>
>>   <regex offset="after_parent">'(\w+)'</regex>
>>   <order>id</order>
>> </decoder>
>>
>>   <rule id="110001" level="13">
>>     <if_sid>550</if_sid>
>>     <match>sha1sum</match>
>>     <options>no_email_alert</options>
>>     <description>Hash found in malware database!</description>
>>   </rule>
>>
>> ossec-testrule: Type one log per line.
>>
>> New sha1sum is : 'b493df1da32686b27ec147987882c805d3ff6263'   # <-- 
>> pasted hash line
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'New sha1sum is : 
>> 'b493df1da32686b27ec147987882c805d3ff6263''
>>        hostname: 'ossec-sec'
>>        program_name: '(null)'
>>        log: 'New sha1sum is : 'b493df1da32686b27ec147987882c805d3ff6263''
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'integrity_new_hash'
>>        id: 'b493df1da32686b27ec147987882c805d3ff6263'  # <--- yay, it's 
>> now referenced as id.
>>
>> Any help is appreciated
>>
>

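As an added example, not code from the thread or from OSSEC itself, here is what the decoder-plus-list lookup in this message (path as `url` against a managed-files list) and the quoted hash-lookup attempt (new sha1sum as `id` against a hash list) are meant to do, written as a stand-alone Python check over the 550 alert text. The alert and both list files are constructed samples; the lists use OSSEC's `key:value` source-file format that ossec-makelists compiles into the `.cdb` the rules reference.

```python
import re

# Constructed sample: a 550 syscheck alert in the format shown in this thread.
SAMPLE_ALERT = """** Alert 1450469527.2564989: - ossec,syscheck,
2015 Dec 18 20:12:07 (host1) 1.1.1.2->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/ssh/sshd_config'
Size changed from '2143' to '0'
Old sha1sum was: '5e11cd0f3f39b88753b347a5f0dcd8185edc6774'
New sha1sum is : 'facb11cea27790caac32d87f07c6b88812ccf52b'
"""

# Constructed list sources in OSSEC's "key:value" line format.
MANAGED_FILES_LIST = """/etc/ssh/sshd_config:puppet
/etc/sysconfig/sshd:puppet
"""
HASH_LIST = """b493df1da32686b27ec147987882c805d3ff6263:known-bad
"""

# Same patterns as the two decoders in the thread, applied per alert line.
FILE_RE = re.compile(r"^Integrity checksum changed for: '(\S+\w)'", re.M)
NEW_HASH_RE = re.compile(r"^New (?:sha1|md5)sum is : '(\w+)'", re.M)

def load_list(text):
    """Parse an OSSEC list source file into a {key: value} dict."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        keys[key] = value
    return keys

def decode_550(alert):
    """Mirror the decoders: changed path as 'url', new hash as 'id' (None if absent)."""
    path = FILE_RE.search(alert)
    new_hash = NEW_HASH_RE.search(alert)
    return {"url": path.group(1) if path else None,
            "id": new_hash.group(1) if new_hash else None}

def classify(alert, managed_files, hashes):
    """Apply the rule logic: match_key / not_match_key on 'url', match_key on 'id'."""
    fields = decode_550(alert)
    fired = []
    if fields["url"] is not None:
        fired.append("managed" if fields["url"] in managed_files else "unmanaged")
    # A size-to-0 alert like the second one in the thread carries no hash lines.
    if fields["id"] is not None and fields["id"] in hashes:
        fired.append("hash_found")
    return fired
```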