On Thu, Dec 17, 2015 at 3:36 PM, Jon Schipp <[email protected]> wrote: > Hey all, my goal is to lookup the sha1 hash from the 550 syscheck alert in a > CDB database but I'm not having any luck. > I've tried the following things to get an alert to happen on a hash from the > 550 alert > > 1. Wrote a simple decoder to decode the sha1sum as the id field and then > look up the key in a CDB (see bottom of e-mail). I rebuilt the CDB files > after each change > > 2. Match the sha1sum from a 550 alert using <match> > > <rule id="110000" level="13"> > <if_sid>550</if_sid> > <match>b493df1da32686b27ec147987882c805d3ff6263</match> > <options>no_email_alert</options> > <description>Hash found</description> > </rule> > > 3. Match the sha1sum from a 550 alert using <id> (decoder is shown at bottom > of e-mail) > > <rule id="110001" level="14"> > <if_sid>550</if_sid> > <match>New sha1sum</match> > <decoded_as>integrity_new_hash</decoded_as> > <id>b493df1da32686b27ec147987882c805d3ff6263</id> > <options>no_email_alert</options> > <description>Hash found</description> > </rule> > > Regarding number 2.) I can <match> on the changed file (e.g. > <match>/etc/shadow</match>) from a 550 alert without problem so this leads > me to believe that it's not possible to match on hash from the alert > (hopefully instead I'm making a mistake) > > Here's an alert example alert that contains the hash in the rules above that > I'm trying to work with. > > ** Alert 1450383324.3842774: - ossec,syscheck, > 2015 Dec 17 20:15:24 (server2) 1.1.1.2 ->syscheck > Rule: 550 (level 7) -> 'Integrity checksum changed.' > Integrity checksum changed for: '/etc/sysconfig/sshd' > Size changed from '438' to '0' > Old sha1sum was: '95bb6b667f597ac3a9146c184865b2a3efe50047' > New sha1sum is : 'b493df1da32686b27ec147987882c805d3ff6263' # <--- this is > the hash I'm trying to match on in the rules above > > > I have a simple decoder that will put the sha1sum in the id file. > > <decoder name="integrity_new_hash"> > <prematch>New sha1sum is : |New md5sum is : </prematch> > </decoder> > > <decoder name="integrity_get_hash"> > <parent>integrity_new_hash</parent> > <regex offset="after_parent">'(\w+)'</regex> > <order>id</order> > </decoder> > > <rule id="110001" level="13"> > <if_sid>550</if_sid> > <match>sha1sum</match> > > <options>no_email_alert</options> > <description>Hash found in malware database!</description> > </rule> > > ossec-testrule: Type one log per line. > > New sha1sum is : 'b493df1da32686b27ec147987882c805d3ff6263' # <-- pasted > hash line > > > **Phase 1: Completed pre-decoding. > full event: 'New sha1sum is : > 'b493df1da32686b27ec147987882c805d3ff6263'' > hostname: 'ossec-sec' > program_name: '(null)' > log: 'New sha1sum is : 'b493df1da32686b27ec147987882c805d3ff6263'' > > **Phase 2: Completed decoding. > decoder: 'integrity_new_hash' > id: 'b493df1da32686b27ec147987882c805d3ff6263' # <--- yay, it's now > referenced as id. > > Any help is appreciated >
I think syscheck entries are decoded differently than most log messages. Check src/analysisd/decoders/syscheck.c. > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
