Hello kristian,
The nodiff option is aimed at avoiding data leaks caused by sending the content
of specific changes through alerts.
Consider the following example:
<directories report_changes="yes">/etc</directories>
<nodiff>/etc/ssl/private.key</nodiff>
Note the report_changes attribute, which reports registry value changes in the alert.
Also, suppose we have an existing file /etc/ssl/testing.txt.
If we edit the private.key and testing.txt files, the following alerts will
be created:
** Alert 1664807851.34730775: - ossec,syscheck,syscheck_entry_modified,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2022 Oct 03 14:37:31 centos->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
File '/etc/ssl/private.key' modified
Mode: scheduled
Changed attributes: size,mtime,inode,md5,sha1,sha256
Size changed from '68' to '78'
Old modification time was: '1664807689', now it is '1664807829'
Old inode was: '8818156', now it is '8605059'
Old md5sum was: '657528c1553900b6b02ed8a290f462f3'
New md5sum is : '5427c98e148fac68e6de9cbe5bba2877'
Old sha1sum was: '911226b4935c3ea24b2a1c21e9818709dfa08d4a'
New sha1sum is : '202a3284e98eaba933ca7e2f6ced46f4619e808e'
Old sha256sum was:
'a242a73d099b26832256108081cec8b575cb34d9af9e0aeaea0c77a7579ae07a'
New sha256sum is :
'c7e3f9bd83b82fe7bb0f398e76321c2b5396615003bc718d22c7b489040396e1'
Attributes:
- Size: 78
- Permissions: rw-r--r--
- Date: Mon Oct 3 14:37:09 2022
- Inode: 8605059
- User: root (0)
- Group: root (0)
- MD5: 5427c98e148fac68e6de9cbe5bba2877
- SHA1: 202a3284e98eaba933ca7e2f6ced46f4619e808e
- SHA256: c7e3f9bd83b82fe7bb0f398e76321c2b5396615003bc718d22c7b489040396e1
What changed:
<Diff truncated because nodiff option>
** Alert 1664807851.34732106: - ossec,syscheck,syscheck_entry_modified,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2022 Oct 03 14:37:31 centos->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
File '/etc/ssl/testing.txt' modified
Mode: scheduled
Changed attributes: size,mtime,inode,md5,sha1,sha256
Size changed from '17' to '35'
Old modification time was: '1664807678', now it is '1664807850'
Old inode was: '8818158', now it is '8592715'
Old md5sum was: '95e8576dbe1d557372d14aa266a350a5'
New md5sum is : '6fe97e2b208af01442d25ce676662aa9'
Old sha1sum was: '29a9d2acd5924f4e73eacfc1e98727ef0d92d367'
New sha1sum is : 'e9d4b4efb4cf9a1ae9962a300cac22676b442a42'
Old sha256sum was:
'52e1a7c4ede52e6b53acbf872bc46161b46148bae562280a3df9f956f7ed4fd0'
New sha256sum is :
'a70486f87f7b62b8ba24b6e76e5241cd96d2dc62546ce565e99a5a2fa201613d'
Attributes:
- Size: 35
- Permissions: rw-r--r--
- Date: Mon Oct 3 14:37:30 2022
- Inode: 8592715
- User: root (0)
- Group: root (0)
- MD5: 6fe97e2b208af01442d25ce676662aa9
- SHA1: e9d4b4efb4cf9a1ae9962a300cac22676b442a42
- SHA256: a70486f87f7b62b8ba24b6e76e5241cd96d2dc62546ce565e99a5a2fa201613d
What changed:
2a3,4
> Testing3
> Testing4
Notice that the "What changed" section is not shown for the private key file.
Regarding the use of nodiff on directories, it is not possible because this
option is meant to be used deliberately on specific files. Consider one of the
following approaches:
- Include a list of nodiff entries, one per file:
<nodiff>/etc/ssl/private.key</nodiff>
<nodiff>/etc/ssl/private.key2</nodiff>
...
- Change your default /etc configuration. Something like this will do
the job:
<directories>/etc/</directories>
<directories report_changes="yes">other_paths</directories>
Regarding sregex, it is faster than OS_Regex, but it only supports simple string
matching and the following special characters. You can find more information
on this documentation page:
<https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html#sregex-os-match-syntax>
All these examples have been run on Wazuh, but they should be similar in OSSEC.
You can find more information about the project on the documentation page:
<https://documentation.wazuh.com/current/index.html>
If you have any doubts, do not hesitate to ask.
-
On Thursday, August 25, 2022 at 3:51:31 PM UTC+1 [email protected]
wrote:
> Hello guys,
> Sorry for the newbie question, but I'm looking for a configuration example
> to see how I can use nodiff with folders. For instance, I want to exclude
> all the files in /etc, just as an example.
>
> Besides that, "sregex" is confusing for me; what does it mean? Simple regex?
> Thanks a lot!
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ossec-list/955ac05c-755c-43d0-852f-2d2f2ac54e04n%40googlegroups.com.
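As an added example (not code from the Wazuh or OSSEC projects, nor from anyone in this thread), the following Python script parses the plain-text alerts.log format shown in the reply above and flags every file-modification alert whose "What changed" section still carries file content for a path that should have been covered by a <nodiff> entry. It is the check a practitioner would run after deploying report_changes="yes" on a broad directory such as /etc, to confirm that the nodiff list is complete. The sample alerts are constructed for the demo (the first two are trimmed from the alerts in the thread, the third is invented), the sensitive-path list is an assumption, and simple_match is only a stand-in for anchored substring matching, not Wazuh's sregex implementation.

```python
"""Audit syscheck alerts for diff content that a <nodiff> entry should have hidden.

Added example; not Wazuh/OSSEC code. Parses the plain-text alerts.log format.
"""
import re
from dataclasses import dataclass, field

# Text syscheck writes in place of the diff when the path matches a <nodiff> entry
NODIFF_MARKER = "<Diff truncated because nodiff option>"

ALERT_START = re.compile(r"^\*\* Alert (\d+\.\d+): ")
RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\)")
FILE_LINE = re.compile(r"^File '(.+)' (modified|added|deleted)$")


@dataclass
class FimAlert:
    alert_id: str
    rule_id: str = ""
    path: str = ""
    event: str = ""
    diff_lines: list = field(default_factory=list)

    @property
    def diff_suppressed(self) -> bool:
        return self.diff_lines == [NODIFF_MARKER]

    @property
    def leaks_content(self) -> bool:
        # Any "What changed" body other than the nodiff marker is real file content
        return bool(self.diff_lines) and not self.diff_suppressed


def parse_alerts(text: str) -> list:
    """Split alerts.log text into FimAlert records; the diff runs until the next header."""
    alerts, current, in_diff = [], None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        header = ALERT_START.match(line)
        if header:
            current = FimAlert(alert_id=header.group(1))
            alerts.append(current)
            in_diff = False
            continue
        if current is None:
            continue
        if in_diff:
            if line:
                current.diff_lines.append(line)
            continue
        if line == "What changed:":
            in_diff = True
        elif (m := RULE_LINE.match(line)):
            current.rule_id = m.group(1)
        elif (m := FILE_LINE.match(line)):
            current.path, current.event = m.group(1), m.group(2)
    return alerts


def simple_match(pattern: str, value: str) -> bool:
    """Plain substring match with optional ^ / $ anchors (demo stand-in, not Wazuh's sregex)."""
    at_start = pattern.startswith("^")
    at_end = pattern.endswith("$") and len(pattern) > 1
    body = pattern[1 if at_start else 0:]
    if at_end:
        body = body[:-1]
    if at_start and at_end:
        return value == body
    if at_start:
        return value.startswith(body)
    if at_end:
        return value.endswith(body)
    return body in value


def find_leaks(alerts: list, sensitive_patterns: list) -> list:
    """Paths whose diff content reached the alert although the path is sensitive."""
    return [a.path for a in alerts
            if a.leaks_content and any(simple_match(p, a.path) for p in sensitive_patterns)]


def audit(text: str, sensitive_patterns: list) -> list:
    return find_leaks(parse_alerts(text), sensitive_patterns)


# Assumption: paths that must never have their diff shipped in an alert
SENSITIVE = ["^/etc/ssl/private", ".key$", "^/etc/shadow$"]

# Constructed sample: alerts 1 and 2 are trimmed from the thread, alert 3 is invented
SAMPLE_ALERTS = """\
** Alert 1664807851.34730775: - ossec,syscheck,syscheck_entry_modified,syscheck_file,
2022 Oct 03 14:37:31 centos->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
File '/etc/ssl/private.key' modified
What changed:
<Diff truncated because nodiff option>

** Alert 1664807851.34732106: - ossec,syscheck,syscheck_entry_modified,syscheck_file,
2022 Oct 03 14:37:31 centos->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
File '/etc/ssl/testing.txt' modified
What changed:
2a3,4
> Testing3
> Testing4

** Alert 1664807900.34740000: - ossec,syscheck,syscheck_entry_modified,syscheck_file,
2022 Oct 03 14:38:20 centos->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
File '/etc/ssl/backup.key' modified
What changed:
1c1
< -----BEGIN PRIVATE KEY-----
---
> -----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for path in audit(SAMPLE_ALERTS, SENSITIVE):
        print(f"diff content leaked for sensitive path: {path}  (add a <nodiff> entry)")
```

Run against a real /var/ossec/logs/alerts/alerts.log by reading the file into `audit()` instead of SAMPLE_ALERTS; in the sample, only /etc/ssl/backup.key is reported, because private.key was suppressed by nodiff and testing.txt leaks content but is not in the sensitive list.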