Dear Wazuh Support,

I'm using Wazuh 3.2.1, and I found something weird in my Wazuh alerts: the hash value of files on Windows changes to a new value (indicating a file change, and an alert is sent), like the one below:

Wazuh Notification.
2018 Mar 20 20:26:19
Received From: (UAT-WEB) 10.30.100.90 ->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):
Integrity checksum changed for: 'C:\Windows/SysNative/sethc.exe'
Old md5sum was: 'ee69991dcea4ca4189f42deee5d7666a'
New md5sum is : '6513d2da6c0e6d8e4dabc1e36839c4f2'
Old sha1sum was: '167891d5ef9a442cce490e7e317bfd24a623ee12'
New sha1sum is : '8038d752683eecb5c4d43ba9b68f0c4006095a20'

But after some time, the hash value switches back, which is really weird:

Wazuh Notification.
2018 Mar 20 21:28:52
Received From: (UAT-WEB) 10.30.100.90 ->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):
Integrity checksum changed for: 'C:\Windows/SysNative/sethc.exe'
Old md5sum was: '6513d2da6c0e6d8e4dabc1e36839c4f2'
New md5sum is : 'ee69991dcea4ca4189f42deee5d7666a'
Old sha1sum was: '8038d752683eecb5c4d43ba9b68f0c4006095a20'
New sha1sum is : '167891d5ef9a442cce490e7e317bfd24a623ee12'

I checked manually on the server; the file was never touched or modified. As you can see in the picture below, sethc.exe.1.jpg, the file's create time and modify time are all the same.

<https://lh3.googleusercontent.com/-KpsbH45_HpQ/WrEr_2gsgkI/AAAAAAAAA6g/kvhMcArA-zgHmhJKgeNRuaQnBSA-iRrYwCLcBGAs/s1600/sethc.exe.1.jpg>

I also installed HashTab to check the hash value; we can see from the picture below that the MD5 value is ee69991dcea4ca4189f42deee5d7666a, which never changed.

<https://lh3.googleusercontent.com/-Jbk4E7iLV-k/WrEsKNVO5nI/AAAAAAAAA6k/Rt1v7CZ-GREr-Zboy6IuRI8s9t0dlMZsACLcBGAs/s1600/sethc.exe.2.jpg>

I tried Googling, and it seems there was a bug that should have been fixed in OSSEC 2.9 (I don't quite remember the version), to read files in binary mode or something. This should be included in Wazuh, right?

Or if not, may I know if we can fix this manually? It's very weird, and we can only use syscheck in checksize mode.

Any suggestions would be appreciated. Thank you very much.
Regards, Neo
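A triage helper for the situation described in this post, added here as an example and not part of the original thread or of Wazuh itself. It parses rule-550 syscheck alerts in the text form quoted above, keeps a per-file history of the MD5 values seen, and flags any alert whose "new" hash is a value the same file already had earlier. A genuine modification produces a hash never seen before for that file; a file that bounces between two known values, as sethc.exe does above, is worth checking as a scanner artifact before anyone treats it as tampering. The two alerts from the post are embedded as sample input; the third alert, for a file named example.exe with all-zero hashes, is constructed for contrast and is not from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the two rule-550 alerts quoted in the post (line breaks
# restored), plus one CONSTRUCTED alert for a file that changes only once,
# so the triage logic has a non-flapping case to leave alone.
SAMPLE_ALERTS = """\
Wazuh Notification.
2018 Mar 20 20:26:19
Received From: (UAT-WEB) 10.30.100.90 ->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):
Integrity checksum changed for: 'C:\\Windows/SysNative/sethc.exe'
Old md5sum was: 'ee69991dcea4ca4189f42deee5d7666a'
New md5sum is : '6513d2da6c0e6d8e4dabc1e36839c4f2'
Old sha1sum was: '167891d5ef9a442cce490e7e317bfd24a623ee12'
New sha1sum is : '8038d752683eecb5c4d43ba9b68f0c4006095a20'

Wazuh Notification.
2018 Mar 20 21:28:52
Received From: (UAT-WEB) 10.30.100.90 ->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):
Integrity checksum changed for: 'C:\\Windows/SysNative/sethc.exe'
Old md5sum was: '6513d2da6c0e6d8e4dabc1e36839c4f2'
New md5sum is : 'ee69991dcea4ca4189f42deee5d7666a'
Old sha1sum was: '8038d752683eecb5c4d43ba9b68f0c4006095a20'
New sha1sum is : '167891d5ef9a442cce490e7e317bfd24a623ee12'

Wazuh Notification.
2018 Mar 20 22:00:00
Received From: (UAT-WEB) 10.30.100.90 ->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):
Integrity checksum changed for: 'C:\\Windows/SysNative/example.exe'
Old md5sum was: '00000000000000000000000000000001'
New md5sum is : '00000000000000000000000000000002'
Old sha1sum was: '0000000000000000000000000000000000000001'
New sha1sum is : '0000000000000000000000000000000000000002'
"""

# Field layout of the rule-550 alert text as shown in the post.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2})\n"
    r"Received From: (?P<agent>.+?)\s*->syscheck\n"
    r"Rule: (?P<rule>\d+) fired .*\n"
    r"Portion of the log\(s\):\n"
    r"Integrity checksum changed for: '(?P<path>[^']+)'\n"
    r"Old md5sum was: '(?P<old_md5>[0-9a-f]{32})'\n"
    r"New md5sum is : '(?P<new_md5>[0-9a-f]{32})'",
    re.MULTILINE,
)


def parse_alerts(text):
    """Extract rule-550 alerts from notification text, oldest first."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        a = m.groupdict()
        a["ts"] = datetime.strptime(a["ts"], "%Y %b %d %H:%M:%S")
        alerts.append(a)
    return sorted(alerts, key=lambda a: a["ts"])


def find_reverts(alerts):
    """Indices of alerts whose 'new' hash was already seen for that file:
    a real edit yields a never-seen hash, a bounce between known values does not."""
    seen = defaultdict(set)  # (agent, path) -> md5 values observed so far
    reverts = []
    for i, a in enumerate(alerts):
        key = (a["agent"], a["path"])
        if a["new_md5"] in seen[key]:
            reverts.append(i)
        seen[key].update({a["old_md5"], a["new_md5"]})
    return reverts


def summarize(text):
    """Per-file counts: alerts seen, reverts flagged, distinct hashes involved."""
    alerts = parse_alerts(text)
    reverts = set(find_reverts(alerts))
    stats = {}
    for i, a in enumerate(alerts):
        s = stats.setdefault(a["path"], {"changes": 0, "reverts": 0, "hashes": set()})
        s["changes"] += 1
        s["reverts"] += int(i in reverts)
        s["hashes"].update({a["old_md5"], a["new_md5"]})
    return {path: {"changes": s["changes"], "reverts": s["reverts"],
                   "distinct_hashes": len(s["hashes"])}
            for path, s in stats.items()}


if __name__ == "__main__":
    for path, s in summarize(SAMPLE_ALERTS).items():
        label = "FLAPPING?" if s["reverts"] else "one-way  "
        print(f"{label} changes={s['changes']} reverts={s['reverts']} "
              f"distinct={s['distinct_hashes']} {path}")
```

Run it over a copy of the alerts file and the sethc.exe entry is reported with two alerts but only two distinct hashes and one revert, while the one-way change is left unflagged. The history is keyed on agent and path so that the same file on two hosts is not confused, and a flagged file still deserves a manual hash check on the host, as the poster did with HashTab, before the alert is dismissed.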
