Hi,

I like your intention to create a whitelist for checksums using CDB lists; I
think it will be a great functionality. Unfortunately you won't be able to
do it, since OSSEC lists do not allow matching on the "syscheck.md5_after"
field.
You can check here the available fields for matching a CDB List:
https://github.com/wazuh/wazuh/blob/master/src/analysisd/rules.c#L665
(srcip, srcport, dstip, dstport, user, url, id, hostname, program_name,
status and action)

Besides that, if somehow we add the functionality to match on that field,
you could use a negative key match, adding the list sentence to syscheck
rule 550.

Negative key match:
http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/rule-lists.html#negative-key-match

Rule 550 (syscheck integrity checksum changed) will trigger only if the
md5 checksum is not present in the CDB list. This is how it would look:

<rule id="550" level="7">
  <category>ossec</category>
  <decoded_as>syscheck_integrity_changed</decoded_as>
  <list field="syscheck.md5_after" lookup="not_match_key">etc/lists/whitelist_md5</list>
  <description>Integrity checksum changed.</description>
  <group>syscheck,pci_dss_11.5,</group>
</rule>


whitelist_md5:

d41d8cd98f00b204e9800998ecf8427a:file1
d41d8cd98f00b204e9800998ecf8427b:file2
d41d8cd98f00b204e9800998ecf8427c:file3
d41d8cd98f00b204e9800998ecf8427d:file4


ossec.conf:

<list>etc/lists/whitelist_md5</list>


Compile the CDB list:

/var/ossec/bin/ossec-makelists



Maybe someone will figure out a different way to do this.

Regards,
Pedro Sanchez.



On Wed, Mar 8, 2017 at 1:13 AM, BJ <b...@bjtaylor.net> wrote:

> I've seen the possibility mentioned in this forum a couple of times
> regarding adding the ability to check an MD5sum CDB list with rules. Right
> now, I'm in a situation where I could use that ability. However, I can't
> see anywhere that describes how to use it. Was that ever implemented?
> Frankly, I'm interested enough in this feature that I'd do it myself if I
> could, but I don't know C/C++, and only do scripting in Python.
>
> I'm trying to monitor a web folder for changes, but of course I don't want
> to be alerted on every file when a release is done (they can be done at
> any time of day too). I can get md5 sums of each of the files prior to the
> release to whitelist them for ossec, but I can't seem to figure out how to
> tell ossec to use that database. Any help would be appreciated.
>
> Thanks.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

