Awesome, Pedro.

I'll give this a try. Just for clarification, is this the correct Wazuh 
master branch? https://github.com/wazuh/wazuh

And do you know if it works with the standard ossec clients? Or will I need 
to install new clients on my servers for this to work?

Thanks,
BJ

On Thursday, March 9, 2017 at 8:46:59 AM UTC-7, Pedro Sanchez wrote:
>
> Hi BJ,
>
> I did not know about that post, it looks great but it is a bit outdated.
> It helped me to add that functionality (code pieces) to the Wazuh master
> branch. Wazuh is already using SQLite internally for some DBs (agent
> keys, syscheck data...), so the libraries are already compiled there.
> Everything is working in my labs as expected: every syscheck event is
> being checked against the checksum DB created with the Python script, and if
> there is a match, the alert won't be generated.
>
> I am attaching the patch and the Python script fixed (the one on the blog 
> was not working).
>
> PS: I assume the errors you had were related to not compiling / including 
> properly the SQLite libraries.
>
> Regards,
> Pedro Sanchez.
>
> On Thu, Mar 9, 2017 at 1:33 AM, BJ <b...@bjtaylor.net> wrote:
>
>> Thank you Pedro. That's good information.
>>
>> With that in mind, I've decided to give this a try: 
>> https://blog.rootshell.be/2013/05/13/improving-file-integrity-monitoring-with-ossec/
>>
>> Basically, he patched the code to make it look at a sqlite3 database 
>> prior to alerting.
>>
>> Unfortunately, the code is a bit old, and I'm not sure he included all of 
>> the steps. I couldn't use his patch because I wanted the latest code, so I 
>> created my own based on his (attached). And although I have installed 
>> libsqlite3-dev, it fails to compile. I keep getting the following, which 
>> suggests it isn't pulling the code in from sqlite3.h for some reason.
>>
>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:845: undefined reference to `debug0'
>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:849: undefined reference to `sqlite3_open'
>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:852: undefined reference to `sqlite3_prepare_v2'
>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:854: undefined reference to `sqlite3_step'
>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:859: undefined reference to `sqlite3_finalize'
>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:860: undefined reference to `sqlite3_close'
>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:861: undefined reference to `debug0'
>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:865: undefined reference to `sqlite3_finalize'
>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:866: undefined reference to `sqlite3_close'
>>
>> Now, I haven't coded in C since.... high school? Like 20 years ago. I 
>> remember some things, and have googled others, but I'm in over my head. I 
>> can't seem to figure out how to fix this, or what I might have done wrong. 
>> FYI, I'm on Ubuntu 16.04. 
>>
>> If anyone could help me, I'd appreciate it.
>>
>> Thanks,
>> BJ
>>
>> On Wednesday, March 8, 2017 at 9:14:45 AM UTC-7, Pedro Sanchez wrote:
>>
>>> Hi,
>>>
>>> I like your intention to create a whitelist for checksums using CDB
>>> lists, I think it will be a great functionality. Unfortunately you won't be
>>> able to do it, since OSSEC lists do not allow matching on the
>>> "syscheck.md5_after" field.
>>> You can check here the available fields for matching a CDB List: 
>>> https://github.com/wazuh/wazuh/blob/master/src/analysisd/rules.c#L665 
>>> (srcip, srcport, dstip, dstport, user, url, id, hostname, program_name, 
>>> status and action)
>>>
>>> Besides that, if somehow we add the functionality to match on that
>>> field, you could use a negative key match, adding the list sentence to
>>> syscheck rule 550.
>>>
>>> Negative key match: 
>>> http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/rule-lists.html#negative-key-match
>>>
>>> Rule 550 (syscheck integrity checksum changed) will trigger only if
>>> the md5 checksum is not present on the CDB list. This is how it would look:
>>>
>>>> <rule id="550" level="7">
>>>> <category>ossec</category>
>>>> <decoded_as>syscheck_integrity_changed</decoded_as>
>>>> <list field="syscheck.md5_after" lookup="not_match_key">etc/lists/whitelist_md5</list>
>>>> <description>Integrity checksum changed.</description>
>>>> <group>syscheck,pci_dss_11.5,</group>
>>>> </rule>
>>>
>>>
>>> whitelist_md5
>>>
>>>> d41d8cd98f00b204e9800998ecf8427a:file1
>>>> d41d8cd98f00b204e9800998ecf8427b:file2
>>>> d41d8cd98f00b204e9800998ecf8427c:file3
>>>> d41d8cd98f00b204e9800998ecf8427d:file4
>>>
>>>
>>> ossec.conf
>>>
>>>> <list>etc/lists/whitelist_md5</list>
>>>
>>>
>>> Compile CDB List
>>>
>>>> /var/ossec/bin/ossec-makelists
>>>
>>>
>>>
>>> Maybe someone figures out a different way to do this.
>>>
>>> Regards,
>>> Pedro Sanchez.
>>>
>>>
>>>
>>> On Wed, Mar 8, 2017 at 1:13 AM, BJ <b...@bjtaylor.net> wrote:
>>>
>>>> I've seen the possibility mentioned in this forum a couple of times 
>>>> regarding adding the ability to check an MD5sum CDB list with rules. Right 
>>>> now, I'm in a situation where I could use that ability. However, I can't 
>>>> see anywhere that describes how to use it. Was that ever implemented? 
>>>> Frankly, I'm interested enough in this feature that I'd do it myself if I 
>>>> could, but I don't know C/C++, and only do scripting in Python. 
>>>>
>>>> I'm trying to monitor a web folder for changes, but of course I don't
>>>> want to be alerted on every file when a release is done (they can be done
>>>> at any time of day too). I can get md5 sums of each of the files prior to
>>>> the release to whitelist them for ossec, but I can't seem to figure out how
>>>> to tell ossec to use that database. Any help would be appreciated.
>>>>
>>>> Thanks.
>>>>
>>>
>
>
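An added example, not Pedro's attached patch or script and not part of the thread: a small Python tool that does the defender-side half of what is discussed above. It walks a release directory, records each file's MD5 (the value syscheck reports as `md5_after`) both in a SQLite whitelist table and in a CDB-list source file in the `md5:path` format shown in the rule-550 reply, and exposes the same membership lookup a patched decoder would perform before raising an alert. The table name `whitelist`, its columns, and the sample file tree built in `demo()` are assumptions for illustration. As a side note on the build errors BJ pasted: `undefined reference to 'sqlite3_open'` and the other `sqlite3_*` messages are linker errors, which means `sqlite3.h` was found and the file compiled, but libsqlite3 was not given to the linker (`-lsqlite3`), consistent with Pedro's guess about the SQLite libraries.

```python
"""Build and query a file-checksum whitelist for OSSEC/Wazuh syscheck events.

Added example for this thread; not Pedro's attached patch or script.
Assumptions (not from the thread): a SQLite table named `whitelist` with
columns (md5, path), and the constructed sample release tree in demo().
"""
import hashlib
import os
import sqlite3
import tempfile


def md5_of_file(path):
    """Stream the file so large release artifacts are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_checksums(root):
    """Return {md5: path relative to root} for every regular file under root.

    Symlinks are skipped so a link pointing outside the release tree cannot
    put an unrelated file's checksum into the whitelist.
    """
    checksums = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            checksums[md5_of_file(full)] = os.path.relpath(full, root)
    return checksums


def write_sqlite_whitelist(checksums, db_path):
    """Store the whitelist in SQLite, the shape a patched decoder could query."""
    conn = sqlite3.connect(db_path)
    with conn:
        conn.execute(
            "CREATE TABLE IF NOT EXISTS whitelist "
            "(md5 TEXT PRIMARY KEY, path TEXT NOT NULL)"
        )
        conn.executemany(
            "INSERT OR REPLACE INTO whitelist (md5, path) VALUES (?, ?)",
            checksums.items(),
        )
    conn.close()


def is_whitelisted(db_path, md5_after):
    """The lookup a decoder would do before alerting: is syscheck.md5_after known?

    A parameterised query keeps the checksum string out of the SQL text; the
    value is lowercased because syscheck reports hex digests in lowercase.
    """
    conn = sqlite3.connect(db_path)
    try:
        row = conn.execute(
            "SELECT 1 FROM whitelist WHERE md5 = ?", (md5_after.strip().lower(),)
        ).fetchone()
    finally:
        conn.close()
    return row is not None


def write_cdb_list(checksums, list_path):
    """Write the key:value source file that ossec-makelists compiles into a CDB list."""
    with open(list_path, "w") as f:
        for md5, path in sorted(checksums.items()):
            f.write(f"{md5}:{path}\n")


def build_whitelist(release_root, out_dir):
    """Produce both whitelist forms for one release tree; return paths and contents."""
    checksums = collect_checksums(release_root)
    db_path = os.path.join(out_dir, "whitelist.db")
    list_path = os.path.join(out_dir, "whitelist_md5")
    write_sqlite_whitelist(checksums, db_path)
    write_cdb_list(checksums, list_path)
    return {"checksums": checksums, "db_path": db_path, "list_path": list_path}


def demo():
    """Constructed sample: a tiny 'release' with two files, not a real web root."""
    release_root = tempfile.mkdtemp(prefix="release_")
    out_dir = tempfile.mkdtemp(prefix="whitelist_")
    os.makedirs(os.path.join(release_root, "static"))
    with open(os.path.join(release_root, "index.html"), "wb") as f:
        f.write(b"hello")  # md5 5d41402abc4b2a76b9719d911017c592
    with open(os.path.join(release_root, "static", "empty.css"), "wb") as f:
        f.write(b"")  # md5 d41d8cd98f00b204e9800998ecf8427e
    result = build_whitelist(release_root, out_dir)
    with open(result["list_path"]) as f:
        result["list_lines"] = f.read().splitlines()
    return result


if __name__ == "__main__":
    r = demo()
    print(r["list_lines"])
    print(is_whitelisted(r["db_path"], "5d41402abc4b2a76b9719d911017c592"))  # True
    print(is_whitelisted(r["db_path"], "0" * 32))  # False
```

Running the script writes `whitelist.db` and `whitelist_md5` into a temporary directory. The text file still has to be compiled with `ossec-makelists` as the thread says, and the SQLite file is only useful with a decoder patched to consult it; stock OSSEC 2.8.3 consults neither. Regenerate both before each release so a file that legitimately changes twice does not keep an old checksum whitelisted.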
