Ok, I understand it now. I thought size/permission changes would be a
different rule, not 550.

Thanks!

On Thu, Jan 15, 2015 at 4:27 PM, dan (ddp) <[email protected]> wrote:

> On Thu, Jan 15, 2015 at 9:45 AM, Martin Kvocka <[email protected]> wrote:
> > Yes, here are two:
> >
> > ** Alert 1421201008.92848: mail  - ossec,syscheck,
> > 2015 Jan 14 03:03:28 (hostname) a.b.c.d->syscheck
> > Rule: 550 (level 7) -> 'Integrity checksum changed.'
> > Integrity checksum changed for: 'C:\Program Files/Microsoft SQL
> > Server/MSSQL11.APPS/MSSQL/Log/system_health_0_130655447155770000.xel'
> > Size changed from '465920' to '619520'
> >
> > ** Alert 1421236975.304052: mail  - ossec,syscheck,
> > 2015 Jan 14 13:02:55 (hostname) a.b.c.d->syscheck
> > Rule: 550 (level 7) -> 'Integrity checksum changed.'
> > Integrity checksum changed for: 'C:\Program Files/Microsoft SQL
> > Server/MSSQL11.APPS/MSSQL/Log/system_health_0_130655447155770000.xel'
> > Size changed from '619520' to '773120'
> >
>
> Checking the size is a different check than the checksum. If you just
> want checksums, look at the check_all option in your <directories>
> blocks.
>
> > Alert including hashes:
> >
> > ** Alert 1421237527.307675: mail  - ossec,syscheck,
> > 2015 Jan 14 13:12:07 (hostname) a.b.c.d->syscheck
> > Rule: 550 (level 7) -> 'Integrity checksum changed.'
> > Integrity checksum changed for: 'C:\Program Files/ESET/ESET File
> > Security/em023_32.dat'
> > Size changed from '4999753' to '4837924'
> > Old md5sum was: 'b1cc041394714fa91d79ffb191f86e52'
> > New md5sum is : '02bae5f0b36acaa39b894111efabb0f3'
> > Old sha1sum was: '3a02dc803999a7e66304c0bf7d501ed3dad03f75'
> > New sha1sum is : '99eb652ad7dd9e2c782c5599d1eaa5e3dc2078fb'
> >
> >
> >
> > On Thursday, January 15, 2015 at 2:19:26 PM UTC+1, dan (ddpbsd) wrote:
> >>
> >> On Thu, Jan 15, 2015 at 4:39 AM, Martin Kvocka <[email protected]> wrote:
> >> > I checked the alerts log and the hashes are not there. There are however
> >> > longer entries than these (f.e. registry keys) that include hashes.
> >> >
> >>
> >> Can you provide an example of an alert that does not include the hash?
> >> I've never seen that before.
> >>
> >> > I will, for now, assume that the hash is not computed as the file changes
> >> > too often and will observe if other (standard) files report hashes
> >> > correctly.
> >> >
> >>
> >> The examples from the syscheck db have hashes. The hashes are being
> >> computed.
> >>
> >> > Thanks for your help dan.
> >> >
> >> > On Wed, Jan 14, 2015 at 3:52 PM, dan (ddp) <[email protected]> wrote:
> >> >>
> >> >> On Wed, Jan 14, 2015 at 4:56 AM, Martin Kvocka <[email protected]>
> >> >> wrote:
> >> >> > Hi,
> >> >> >
> >> >> > I managed to get the samples. In manager syscheck queue I found the
> >> >> > following:
> >> >> >
> >> >> >
> >> >> > #++0:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58 !1421093166 C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_130655447155770000.xel
> >> >> >
> >> >> > #++312832:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58 !1421129146 C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_130655447155770000.xel
> >> >> >
> >> >> > #!+465920:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58 !1421165040 C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_130655447155770000.xel
> >> >> >
> >> >> > !!!619520:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58 !1421201008 C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_130655447155770000.xel
> >> >> >
> >> >> > And in logs:
> >> >> >
> >> >> > Jan 13 07:05:46 a.b.c.d ossec: Alert Level: 7; Rule: 550 - Integrity checksum changed.; Location: (hostname) a.b.c.d->syscheck; Integrity checksum changed for: 'C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_130655447155770000.xel'
> >> >> >
> >> >> > Jan 13 17:04:00 a.b.c.d ossec: Alert Level: 7; Rule: 550 - Integrity checksum changed.; Location: (hostname) a.b.c.d->syscheck; Integrity checksum changed for: 'C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_130655447155770000.xel'
> >> >> >
> >> >> >
> >> >> >
> >> >> > I just realized that the .xel file seems to be a log file and may
> >> >> > change
> >> >> > often - may this be the cause?
> >> >> >
> >> >>
> >> >> The hashes are there in the syscheck db, but not in your syslog
> >> >> messages. I'm guessing that adding the hashes makes the messages too
> >> >> long so they were trimmed. You can check the alerts.log file for the
> >> >> original alerts to see if the hashes are there.
> >> >>
> >> >> > Thanks,
> >> >> > MK
> >> >> >
> >> >> > On Tuesday, January 13, 2015 at 3:43:21 PM UTC+1, dan (ddpbsd) wrote:
> >> >> >>
> >> >> >> On Tue, Jan 13, 2015 at 9:40 AM, Martin Kvocka <[email protected]>
> >> >> >> wrote:
> >> >> >> > Hi,
> >> >> >> >
> >> >> >> > we have Ossec server/agents (2.7.0) for monitoring file integrity. Both
> >> >> >> > include check_all="yes" in their syscheck configurations. The agents work
> >> >> >> > perfectly and report file changes including their old/current MD5 and SHA1
> >> >> >> > hashes. However, logs from the Ossec server machine report only file
> >> >> >> > changes, but don't include the hashes.
> >> >> >> >
> >> >> >> > Did any of you encounter this issue? How should I debug it?
> >> >> >> >
> >> >> >>
> >> >> >>
> >> >> >> Can you show us an example?
> >> >> >> Do the hashes exist in the syscheck db for the manager?
> >> >> >>
> >> >> >> > Thanks
> >> >> >> >
> >> >> >> > --
> >> >> >> >
> >> >> >> > ---
> >> >> >> > You received this message because you are subscribed to the
> Google
> >> >> >> > Groups
> >> >> >> > "ossec-list" group.
> >> >> >> > To unsubscribe from this group and stop receiving emails from
> it,
> >> >> >> > send
> >> >> >> > an
> >> >> >> > email to [email protected].
> >> >> >> > For more options, visit https://groups.google.com/d/optout.
> >> >> >
> >> >>
> >> >
> >> >
> >
>
>
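
As an added illustration, not code from the thread or from OSSEC itself: a small Python parser for the syscheck database lines quoted above, using the field layout exactly as those lines show it (three flag characters, then size:perms:uid:gid:md5:sha1, then !timestamp and the path). Run over the four quoted entries it reports that only the size field changed between consecutive entries while MD5 and SHA1 stayed identical, which is the situation dan describes: rule 550 fires on the size check, not on a content-hash change. The leading flag characters are carried through without interpretation.

```python
import re
from typing import Dict, List

# One OSSEC 2.x syscheck database line, in the layout quoted in the thread:
#   <3 flag chars><size>:<perms>:<uid>:<gid>:<md5>:<sha1> !<timestamp> <path>
# The meaning of the three leading flag characters is not interpreted here.
DB_LINE = re.compile(
    r"^(?P<flags>.{3})(?P<size>\d+):(?P<perms>\d+):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<md5>[0-9a-f]{32}):(?P<sha1>[0-9a-f]{40}) !(?P<ts>\d+) (?P<path>.+)$"
)
ATTRS = ("size", "perms", "uid", "gid", "md5", "sha1")

def parse_db_line(line: str) -> Dict[str, str]:
    """Split one db line into its named fields; raise on anything else."""
    m = DB_LINE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a syscheck db line: %r" % line)
    return m.groupdict()

def perms_octal(entry: Dict[str, str]) -> str:
    """The db stores st_mode in decimal; 33206 is 0o100666 (regular file, 0666)."""
    return oct(int(entry["perms"]))

def changed_fields(old: Dict[str, str], new: Dict[str, str]) -> List[str]:
    """Attributes that differ between two entries for the same path."""
    return [k for k in ATTRS if old[k] != new[k]]

def history_changes(lines: List[str]) -> List[List[str]]:
    """Walk consecutive db entries and report what changed at each step.
    A step whose only change is 'size' (hashes equal) is the case from the
    thread: rule 550 fires although no content hash has changed."""
    entries = [parse_db_line(l) for l in lines]
    return [changed_fields(a, b) for a, b in zip(entries, entries[1:])]

# Constructed from the four entries quoted in the thread (same file, in order).
PATH = ("C:\\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/"
        "system_health_0_130655447155770000.xel")
MD5 = "f5679adb3c830f61d8fed1c287d42e62"
SHA1 = "5546733b9afdb2a403c8e58f85c74af2739ddb58"
SAMPLE_DB = [
    "#++0:33206:0:0:%s:%s !1421093166 %s" % (MD5, SHA1, PATH),
    "#++312832:33206:0:0:%s:%s !1421129146 %s" % (MD5, SHA1, PATH),
    "#!+465920:33206:0:0:%s:%s !1421165040 %s" % (MD5, SHA1, PATH),
    "!!!619520:33206:0:0:%s:%s !1421201008 %s" % (MD5, SHA1, PATH),
]

if __name__ == "__main__":
    for step, diff in enumerate(history_changes(SAMPLE_DB), 1):
        print("change %d: %s" % (step, ", ".join(diff) or "nothing"))
```

Running it prints "size" for each of the three transitions; a step that lists md5 or sha1 would be an actual content change rather than a log file growing.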

