Not sure why that is not working but, why did you create new decoders? You could probably use syscheck fields (as Dan mentioned), a good list can be found here:
http://ossec-docs.readthedocs.org/en/latest/formats/json.html

On Mon, Dec 21, 2015 at 4:59 AM, dan (ddp) <[email protected]> wrote:
> On Thu, Dec 17, 2015 at 3:36 PM, Jon Schipp <[email protected]> wrote:
> > Hey all, my goal is to lookup the sha1 hash from the 550 syscheck alert in a
> > CDB database but I'm not having any luck.
> > I've tried the following things to get an alert to happen on a hash from the
> > 550 alert
> >
> > 1. Wrote a simple decoder to decode the sha1sum as the id field and then
> > look up the key in a CDB (see bottom of e-mail). I rebuilt the CDB files
> > after each change
> >
> > 2. Match the sha1sum from a 550 alert using <match>
> >
> > <rule id="110000" level="13">
> > <if_sid>550</if_sid>
> > <match>b493df1da32686b27ec147987882c805d3ff6263</match>
> > <options>no_email_alert</options>
> > <description>Hash found</description>
> > </rule>
> >
> > 3. Match the sha1sum from a 550 alert using <id> (decoder is shown at bottom
> > of e-mail)
> >
> > <rule id="110001" level="14">
> > <if_sid>550</if_sid>
> > <match>New sha1sum</match>
> > <decoded_as>integrity_new_hash</decoded_as>
> > <id>b493df1da32686b27ec147987882c805d3ff6263</id>
> > <options>no_email_alert</options>
> > <description>Hash found</description>
> > </rule>
> >
> > Regarding number 2.) I can <match> on the changed file (e.g.
> > <match>/etc/shadow</match>) from a 550 alert without problem so this leads
> > me to believe that it's not possible to match on hash from the alert
> > (hopefully instead I'm making a mistake)
> >
> > Here's an example alert that contains the hash in the rules above that
> > I'm trying to work with.
> >
> > ** Alert 1450383324.3842774: - ossec,syscheck,
> > 2015 Dec 17 20:15:24 (server2) 1.1.1.2->syscheck
> > Rule: 550 (level 7) -> 'Integrity checksum changed.'
> > Integrity checksum changed for: '/etc/sysconfig/sshd'
> > Size changed from '438' to '0'
> > Old sha1sum was: '95bb6b667f597ac3a9146c184865b2a3efe50047'
> > New sha1sum is : 'b493df1da32686b27ec147987882c805d3ff6263' # <--- this is
> > the hash I'm trying to match on in the rules above
> >
> >
> > I have a simple decoder that will put the sha1sum in the id field.
> >
> > <decoder name="integrity_new_hash">
> > <prematch>New sha1sum is : |New md5sum is : </prematch>
> > </decoder>
> >
> > <decoder name="integrity_get_hash">
> > <parent>integrity_new_hash</parent>
> > <regex offset="after_parent">'(\w+)'</regex>
> > <order>id</order>
> > </decoder>
> >
> > <rule id="110001" level="13">
> > <if_sid>550</if_sid>
> > <match>sha1sum</match>
> >
> > <options>no_email_alert</options>
> > <description>Hash found in malware database!</description>
> > </rule>
> >
> > ossec-testrule: Type one log per line.
> >
> > New sha1sum is : 'b493df1da32686b27ec147987882c805d3ff6263' # <-- pasted
> > hash line
> >
> >
> > **Phase 1: Completed pre-decoding.
> > full event: 'New sha1sum is : 'b493df1da32686b27ec147987882c805d3ff6263''
> > hostname: 'ossec-sec'
> > program_name: '(null)'
> > log: 'New sha1sum is : 'b493df1da32686b27ec147987882c805d3ff6263''
> >
> > **Phase 2: Completed decoding.
> > decoder: 'integrity_new_hash'
> > id: 'b493df1da32686b27ec147987882c805d3ff6263' # <--- yay, it's now
> > referenced as id.
> >
> > Any help is appreciated
> >
>
> I think syscheck entries are decoded differently than most log
> messages. Check src/analysisd/decoders/syscheck.c.
>
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
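Since the thread notes that syscheck events are decoded by their own path rather than by user decoders, one way to get the hash lookup Jon describes is to do it out-of-band on the alert text itself. The following is an added example, not code from the thread or from OSSEC: it parses the 550 alert block quoted above and checks both old and new checksums against a hash set that stands in for the CDB list (the set contents are constructed).

```python
import re

# Constructed sample input: the 550 syscheck alert quoted in the thread.
SAMPLE_ALERT = """\
** Alert 1450383324.3842774: - ossec,syscheck,
2015 Dec 17 20:15:24 (server2) 1.1.1.2->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/sysconfig/sshd'
Size changed from '438' to '0'
Old sha1sum was: '95bb6b667f597ac3a9146c184865b2a3efe50047'
New sha1sum is : 'b493df1da32686b27ec147987882c805d3ff6263'
"""

# Constructed stand-in for the CDB list: lower-case hex digests to flag.
KNOWN_BAD_HASHES = {"b493df1da32686b27ec147987882c805d3ff6263"}

# One regex per alert line; sha1 is 40 hex chars, md5 is 32.
_PATTERNS = {
    "rule_id":  re.compile(r"^Rule: (\d+) \(level \d+\)", re.M),
    "file":     re.compile(r"^Integrity checksum changed for: '([^']*)'", re.M),
    "old_sha1": re.compile(r"^Old sha1sum was: '([0-9a-f]{40})'", re.M | re.I),
    "new_sha1": re.compile(r"^New sha1sum is : '([0-9a-f]{40})'", re.M | re.I),
    "old_md5":  re.compile(r"^Old md5sum was: '([0-9a-f]{32})'", re.M | re.I),
    "new_md5":  re.compile(r"^New md5sum is : '([0-9a-f]{32})'", re.M | re.I),
}


def parse_syscheck_alert(text):
    """Return the fields present in a 550 alert block; absent lines map to None."""
    fields = {}
    for name, pat in _PATTERNS.items():
        m = pat.search(text)
        fields[name] = m.group(1) if m else None
    return fields


def match_known_hashes(fields, known):
    """Return (field, hash) pairs whose digest is in the known set.

    Old and new checksums are both checked, so a file replaced by a listed
    one and a listed file that was modified away both surface.
    """
    hits = []
    for name in ("new_sha1", "old_sha1", "new_md5", "old_md5"):
        digest = fields.get(name)
        if digest and digest.lower() in known:
            hits.append((name, digest.lower()))
    return hits


if __name__ == "__main__":
    parsed = parse_syscheck_alert(SAMPLE_ALERT)
    for field, digest in match_known_hashes(parsed, KNOWN_BAD_HASHES):
        print(f"{parsed['file']}: {field} {digest} is on the watch list")
```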
