Re: [ossec-list] CDB Lists and MD5 checksums
Hi BJ, Happy to know, I hope it be working well, all the credits to Xavier and his post at: https://blog.rootshell.be/2013/05/13/improving-file-integrity-monitoring-with-ossec/ . Probably the error you were getting was related to ossec.conf XML tags. I think Dan is integrating the same functionality in OSSEC, maybe you could use that PR: https://github.com/ossec/ossec-hids/pull/1091 Best regards, Pedro 'snaow' Sanchez. On Fri, Mar 10, 2017 at 11:26 PM, BJ wrote: > Ok, I started over from scratch, and I must have copied over a config file > from my other server. I think we're good now. I'll let you know if I get > this completely up and running. > > BJ > > > On Friday, March 10, 2017 at 1:29:23 PM UTC-7, BJ wrote: >> >> Ok, I have more information now. By trial and error, I've discovered that >> the patch we used must have messed up something with the rule parsing. Only >> by entirely removing the and everything in it could I get >> ossec to start. Obviously... that's not a good solution. :-) I'll start >> looking at your patch and seeing if I can see any reason why it would be >> doing this, but again, when it comes this code, I'm in over my head, so any >> help is appreciated. >> >> Thanks, >> BJ >> >> On Friday, March 10, 2017 at 11:28:42 AM UTC-7, BJ wrote: >>> >>> So... this time it compiled great, which was the issue I was having >>> before. But now, when I go to start it, I get the following: >>> >>> OSSEC analysisd: Testing rules failed. Configuration error. Exiting. >>> >>> >>> When I look in the logs, I get see the following: >>> >>> 2017/03/10 11:11:16 ossec-testrule(1230): ERROR: Invalid element in the configuration: 'rules'. 2017/03/10 11:11:16 ossec-testrule(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting. 2017/03/10 11:11:16 ossec-testrule(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting. >>> >>> >>> At this point, I'm using the default ossec.conf file, and I can't see >>> any issues in that file for the life of me (using XML viewer as well). >>> Normally, I'd turn the logging verbosity up at this point, but if it can't >>> even parse the conf file, I'm not sure that will work. I also compared this >>> config to the list of rules in the folder, and against another config I >>> have running. How can I dig into this further? (My ossec.conf file is >>> attached if you are curious.) >>> >>> Thanks again, >>> BJ >>> >>> On Thursday, March 9, 2017 at 10:02:42 AM UTC-7, Pedro Sanchez wrote: That is the right branch. Yes, it does. It is fully compatible with standard OSSEC clients, you could upgrade just the Manager side. Apply the patch by running: > patch -p0 < wazuh-master-md5dbchecksum-patch.patch BTW I am not sure but I assume you could use same patch for OSSEC master branch, I think there are some changed lines but you could try it. Regards, Pedro. On Thu, Mar 9, 2017 at 5:45 PM, BJ wrote: > Awesome Pedro. > > I'll give this a try. Just for clarification, is this the correct > Wazuh master branch? https://github.com/wazuh/wazuh > > And do you know if it works with the standard ossec clients? Or will I > need to install new clients on my servers for this to work? > > Thanks, > BJ > > On Thursday, March 9, 2017 at 8:46:59 AM UTC-7, Pedro Sanchez wrote: >> >> Hi BJ, >> >> I did not know about that post, it looks great but it is a bit >> outdated. >> It helped me to add that functionality (code pieces) to Wazuh master >> branch. Wazuh is already working SQLite internally for some DB's (agent >> keys, syscheck data..) so the libraries are already compiled there. >> Everything is working on my labs as expected, every syscheck event is >> being checked against the Checksum DB created with the Python script, if >> there is a match, the alert won't be generated. >> >> I am attaching the patch and the Python script fixed (the one on the >> blog was not working). >> >> PS: I assume the errors you had were related to not compiling / >> including properly the SQLite libraries. >> >> Regards, >> Pedro Sanchez. >> >> On Thu, Mar 9, 2017 at 1:33 AM, BJ wrote: >> >>> Thank you Pedro. That's good information. >>> >>> With that in mind, I've decided to give this a try: >>> https://blog.rootshell.be/2013/05/13/improving-file-int >>> egrity-monitoring-with-ossec/ >>> >>> Basically, he patched the code to make it look at a sqlite3 database >>> prior to alerting. >>> >>> Unfortunately, the code is a bit old, and I'm not sure he included >>> all of the steps. I couldn't use his patch because I wanted the latest >>> code, so I created my own based on his (attached). And although I have >>> installed libsqlite3-dev, it fails to compile. I keep getting the
Re: [ossec-list] CDB Lists and MD5 checksums
Ok, I started over from scratch, and I must have copied over a config file from my other server. I think we're good now. I'll let you know if I get this completely up and running. BJ On Friday, March 10, 2017 at 1:29:23 PM UTC-7, BJ wrote: > > Ok, I have more information now. By trial and error, I've discovered that > the patch we used must have messed up something with the rule parsing. Only > by entirely removing the and everything in it could I get > ossec to start. Obviously... that's not a good solution. :-) I'll start > looking at your patch and seeing if I can see any reason why it would be > doing this, but again, when it comes this code, I'm in over my head, so any > help is appreciated. > > Thanks, > BJ > > On Friday, March 10, 2017 at 11:28:42 AM UTC-7, BJ wrote: >> >> So... this time it compiled great, which was the issue I was having >> before. But now, when I go to start it, I get the following: >> >> OSSEC analysisd: Testing rules failed. Configuration error. Exiting. >> >> >> When I look in the logs, I get see the following: >> >> 2017/03/10 11:11:16 ossec-testrule(1230): ERROR: Invalid element in the >>> configuration: 'rules'. >>> 2017/03/10 11:11:16 ossec-testrule(1202): ERROR: Configuration error at >>> '/var/ossec/etc/ossec.conf'. Exiting. >>> 2017/03/10 11:11:16 ossec-testrule(1202): ERROR: Configuration error at >>> '/var/ossec/etc/ossec.conf'. Exiting. >> >> >> At this point, I'm using the default ossec.conf file, and I can't see any >> issues in that file for the life of me (using XML viewer as well). >> Normally, I'd turn the logging verbosity up at this point, but if it can't >> even parse the conf file, I'm not sure that will work. I also compared this >> config to the list of rules in the folder, and against another config I >> have running. How can I dig into this further? (My ossec.conf file is >> attached if you are curious.) >> >> Thanks again, >> BJ >> >> On Thursday, March 9, 2017 at 10:02:42 AM UTC-7, Pedro Sanchez wrote: >>> >>> That is the right branch. >>> >>> Yes, it does. It is fully compatible with standard OSSEC clients, you >>> could upgrade just the Manager side. >>> >>> Apply the patch by running: >>> patch -p0 < wazuh-master-md5dbchecksum-patch.patch >>> >>> >>> BTW I am not sure but I assume you could use same patch for OSSEC master >>> branch, I think there are some changed lines but you could try it. >>> >>> Regards, >>> Pedro. >>> >>> On Thu, Mar 9, 2017 at 5:45 PM, BJ wrote: >>> Awesome Pedro. I'll give this a try. Just for clarification, is this the correct Wazuh master branch? https://github.com/wazuh/wazuh And do you know if it works with the standard ossec clients? Or will I need to install new clients on my servers for this to work? Thanks, BJ On Thursday, March 9, 2017 at 8:46:59 AM UTC-7, Pedro Sanchez wrote: > > Hi BJ, > > I did not know about that post, it looks great but it is a bit > outdated. > It helped me to add that functionality (code pieces) to Wazuh master > branch. Wazuh is already working SQLite internally for some DB's (agent > keys, syscheck data..) so the libraries are already compiled there. > Everything is working on my labs as expected, every syscheck event is > being checked against the Checksum DB created with the Python script, if > there is a match, the alert won't be generated. > > I am attaching the patch and the Python script fixed (the one on the > blog was not working). > > PS: I assume the errors you had were related to not compiling / > including properly the SQLite libraries. > > Regards, > Pedro Sanchez. > > On Thu, Mar 9, 2017 at 1:33 AM, BJ wrote: > >> Thank you Pedro. That's good information. >> >> With that in mind, I've decided to give this a try: >> https://blog.rootshell.be/2013/05/13/improving-file-integrity-monitoring-with-ossec/ >> >> Basically, he patched the code to make it look at a sqlite3 database >> prior to alerting. >> >> Unfortunately, the code is a bit old, and I'm not sure he included >> all of the steps. I couldn't use his patch because I wanted the latest >> code, so I created my own based on his (attached). And although I have >> installed libsqlite3-dev, it fails to compile. I keep getting the >> following, which suggests it isn't pulling the code in from sqlite3.h >> for >> some reason. >> >> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:845: >> undefined reference to `debug0' >> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:849: >> undefined reference to `sqlite3_open' >> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:852: >> undefined reference to `sqlite3_prepare_v2' >> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:854:
Re: [ossec-list] CDB Lists and MD5 checksums
Ok, I have more information now. By trial and error, I've discovered that the patch we used must have messed up something with the rule parsing. Only by entirely removing the and everything in it could I get ossec to start. Obviously... that's not a good solution. :-) I'll start looking at your patch and seeing if I can see any reason why it would be doing this, but again, when it comes this code, I'm in over my head, so any help is appreciated. Thanks, BJ On Friday, March 10, 2017 at 11:28:42 AM UTC-7, BJ wrote: > > So... this time it compiled great, which was the issue I was having > before. But now, when I go to start it, I get the following: > > OSSEC analysisd: Testing rules failed. Configuration error. Exiting. > > > When I look in the logs, I get see the following: > > 2017/03/10 11:11:16 ossec-testrule(1230): ERROR: Invalid element in the >> configuration: 'rules'. >> 2017/03/10 11:11:16 ossec-testrule(1202): ERROR: Configuration error at >> '/var/ossec/etc/ossec.conf'. Exiting. >> 2017/03/10 11:11:16 ossec-testrule(1202): ERROR: Configuration error at >> '/var/ossec/etc/ossec.conf'. Exiting. > > > At this point, I'm using the default ossec.conf file, and I can't see any > issues in that file for the life of me (using XML viewer as well). > Normally, I'd turn the logging verbosity up at this point, but if it can't > even parse the conf file, I'm not sure that will work. I also compared this > config to the list of rules in the folder, and against another config I > have running. How can I dig into this further? (My ossec.conf file is > attached if you are curious.) > > Thanks again, > BJ > > On Thursday, March 9, 2017 at 10:02:42 AM UTC-7, Pedro Sanchez wrote: >> >> That is the right branch. >> >> Yes, it does. It is fully compatible with standard OSSEC clients, you >> could upgrade just the Manager side. >> >> Apply the patch by running: >> >>> patch -p0 < wazuh-master-md5dbchecksum-patch.patch >> >> >> BTW I am not sure but I assume you could use same patch for OSSEC master >> branch, I think there are some changed lines but you could try it. >> >> Regards, >> Pedro. >> >> On Thu, Mar 9, 2017 at 5:45 PM, BJ wrote: >> >>> Awesome Pedro. >>> >>> I'll give this a try. Just for clarification, is this the correct Wazuh >>> master branch? https://github.com/wazuh/wazuh >>> >>> And do you know if it works with the standard ossec clients? Or will I >>> need to install new clients on my servers for this to work? >>> >>> Thanks, >>> BJ >>> >>> On Thursday, March 9, 2017 at 8:46:59 AM UTC-7, Pedro Sanchez wrote: Hi BJ, I did not know about that post, it looks great but it is a bit outdated. It helped me to add that functionality (code pieces) to Wazuh master branch. Wazuh is already working SQLite internally for some DB's (agent keys, syscheck data..) so the libraries are already compiled there. Everything is working on my labs as expected, every syscheck event is being checked against the Checksum DB created with the Python script, if there is a match, the alert won't be generated. I am attaching the patch and the Python script fixed (the one on the blog was not working). PS: I assume the errors you had were related to not compiling / including properly the SQLite libraries. Regards, Pedro Sanchez. On Thu, Mar 9, 2017 at 1:33 AM, BJ wrote: > Thank you Pedro. That's good information. > > With that in mind, I've decided to give this a try: > https://blog.rootshell.be/2013/05/13/improving-file-integrity-monitoring-with-ossec/ > > Basically, he patched the code to make it look at a sqlite3 database > prior to alerting. > > Unfortunately, the code is a bit old, and I'm not sure he included all > of the steps. I couldn't use his patch because I wanted the latest code, > so > I created my own based on his (attached). And although I have installed > libsqlite3-dev, it fails to compile. I keep getting the following, which > suggests it isn't pulling the code in from sqlite3.h for some reason. > > /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:845: > undefined reference to `debug0' > /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:849: > undefined reference to `sqlite3_open' > /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:852: > undefined reference to `sqlite3_prepare_v2' > /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:854: > undefined reference to `sqlite3_step' > /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:859: > undefined reference to `sqlite3_finalize' > /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:860: > undefined reference to `sqlite3_close' > /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:861: > undefine
Re: [ossec-list] CDB Lists and MD5 checksums
So... this time it compiled great, which was the issue I was having before. But now, when I go to start it, I get the following: OSSEC analysisd: Testing rules failed. Configuration error. Exiting. When I look in the logs, I get see the following: 2017/03/10 11:11:16 ossec-testrule(1230): ERROR: Invalid element in the > configuration: 'rules'. > 2017/03/10 11:11:16 ossec-testrule(1202): ERROR: Configuration error at > '/var/ossec/etc/ossec.conf'. Exiting. > 2017/03/10 11:11:16 ossec-testrule(1202): ERROR: Configuration error at > '/var/ossec/etc/ossec.conf'. Exiting. At this point, I'm using the default ossec.conf file, and I can't see any issues in that file for the life of me (using XML viewer as well). Normally, I'd turn the logging verbosity up at this point, but if it can't even parse the conf file, I'm not sure that will work. I also compared this config to the list of rules in the folder, and against another config I have running. How can I dig into this further? (My ossec.conf file is attached if you are curious.) Thanks again, BJ On Thursday, March 9, 2017 at 10:02:42 AM UTC-7, Pedro Sanchez wrote: > > That is the right branch. > > Yes, it does. It is fully compatible with standard OSSEC clients, you > could upgrade just the Manager side. > > Apply the patch by running: > >> patch -p0 < wazuh-master-md5dbchecksum-patch.patch > > > BTW I am not sure but I assume you could use same patch for OSSEC master > branch, I think there are some changed lines but you could try it. > > Regards, > Pedro. > > On Thu, Mar 9, 2017 at 5:45 PM, BJ > > wrote: > >> Awesome Pedro. >> >> I'll give this a try. Just for clarification, is this the correct Wazuh >> master branch? https://github.com/wazuh/wazuh >> >> And do you know if it works with the standard ossec clients? Or will I >> need to install new clients on my servers for this to work? >> >> Thanks, >> BJ >> >> On Thursday, March 9, 2017 at 8:46:59 AM UTC-7, Pedro Sanchez wrote: >>> >>> Hi BJ, >>> >>> I did not know about that post, it looks great but it is a bit outdated. >>> It helped me to add that functionality (code pieces) to Wazuh master >>> branch. Wazuh is already working SQLite internally for some DB's (agent >>> keys, syscheck data..) so the libraries are already compiled there. >>> Everything is working on my labs as expected, every syscheck event is >>> being checked against the Checksum DB created with the Python script, if >>> there is a match, the alert won't be generated. >>> >>> I am attaching the patch and the Python script fixed (the one on the >>> blog was not working). >>> >>> PS: I assume the errors you had were related to not compiling / >>> including properly the SQLite libraries. >>> >>> Regards, >>> Pedro Sanchez. >>> >>> On Thu, Mar 9, 2017 at 1:33 AM, BJ wrote: >>> Thank you Pedro. That's good information. With that in mind, I've decided to give this a try: https://blog.rootshell.be/2013/05/13/improving-file-integrity-monitoring-with-ossec/ Basically, he patched the code to make it look at a sqlite3 database prior to alerting. Unfortunately, the code is a bit old, and I'm not sure he included all of the steps. I couldn't use his patch because I wanted the latest code, so I created my own based on his (attached). And although I have installed libsqlite3-dev, it fails to compile. I keep getting the following, which suggests it isn't pulling the code in from sqlite3.h for some reason. /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:845: undefined reference to `debug0' /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:849: undefined reference to `sqlite3_open' /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:852: undefined reference to `sqlite3_prepare_v2' /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:854: undefined reference to `sqlite3_step' /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:859: undefined reference to `sqlite3_finalize' /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:860: undefined reference to `sqlite3_close' /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:861: undefined reference to `debug0' /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:865: undefined reference to `sqlite3_finalize' /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:866: undefined reference to `sqlite3_close' Now, I haven't coded in C since high school? Like 20 years ago. I remember some things, and have googled others, but I'm in over my head. I can't seem to figure out how to fix this, or what I might have done wrong. FYI, I'm on Ubuntu 16.04. If anyone could help me, I'd appreciate it. Thanks, BJ On Wednesday, Marc
Re: [ossec-list] CDB Lists and MD5 checksums
That is the right branch. Yes, it does. It is fully compatible with standard OSSEC clients, you could upgrade just the Manager side. Apply the patch by running: > patch -p0 < wazuh-master-md5dbchecksum-patch.patch BTW I am not sure but I assume you could use same patch for OSSEC master branch, I think there are some changed lines but you could try it. Regards, Pedro. On Thu, Mar 9, 2017 at 5:45 PM, BJ wrote: > Awesome Pedro. > > I'll give this a try. Just for clarification, is this the correct Wazuh > master branch? https://github.com/wazuh/wazuh > > And do you know if it works with the standard ossec clients? Or will I > need to install new clients on my servers for this to work? > > Thanks, > BJ > > On Thursday, March 9, 2017 at 8:46:59 AM UTC-7, Pedro Sanchez wrote: >> >> Hi BJ, >> >> I did not know about that post, it looks great but it is a bit outdated. >> It helped me to add that functionality (code pieces) to Wazuh master >> branch. Wazuh is already working SQLite internally for some DB's (agent >> keys, syscheck data..) so the libraries are already compiled there. >> Everything is working on my labs as expected, every syscheck event is >> being checked against the Checksum DB created with the Python script, if >> there is a match, the alert won't be generated. >> >> I am attaching the patch and the Python script fixed (the one on the blog >> was not working). >> >> PS: I assume the errors you had were related to not compiling / including >> properly the SQLite libraries. >> >> Regards, >> Pedro Sanchez. >> >> On Thu, Mar 9, 2017 at 1:33 AM, BJ wrote: >> >>> Thank you Pedro. That's good information. >>> >>> With that in mind, I've decided to give this a try: >>> https://blog.rootshell.be/2013/05/13/improving-file-int >>> egrity-monitoring-with-ossec/ >>> >>> Basically, he patched the code to make it look at a sqlite3 database >>> prior to alerting. >>> >>> Unfortunately, the code is a bit old, and I'm not sure he included all >>> of the steps. I couldn't use his patch because I wanted the latest code, so >>> I created my own based on his (attached). And although I have installed >>> libsqlite3-dev, it fails to compile. I keep getting the following, which >>> suggests it isn't pulling the code in from sqlite3.h for some reason. >>> >>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:845: >>> undefined reference to `debug0' >>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:849: >>> undefined reference to `sqlite3_open' >>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:852: >>> undefined reference to `sqlite3_prepare_v2' >>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:854: >>> undefined reference to `sqlite3_step' >>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:859: >>> undefined reference to `sqlite3_finalize' >>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:860: >>> undefined reference to `sqlite3_close' >>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:861: >>> undefined reference to `debug0' >>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:865: >>> undefined reference to `sqlite3_finalize' >>> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:866: >>> undefined reference to `sqlite3_close' >>> >>> Now, I haven't coded in C since high school? Like 20 years ago. I >>> remember some things, and have googled others, but I'm in over my head. I >>> can't seem to figure out how to fix this, or what I might have done wrong. >>> FYI, I'm on Ubuntu 16.04. >>> >>> If anyone could help me, I'd appreciate it. >>> >>> Thanks, >>> BJ >>> >>> On Wednesday, March 8, 2017 at 9:14:45 AM UTC-7, Pedro Sanchez wrote: >>> Hi, I like your intention to create a whitelist for checksum using CDB lists, I think it will be a great functionality. Unfortunately you won't be able to do it, since OSSEC lists does not allow to match using "syscheck.md5_after" field. You can check here the available fields for matching a CDB List: https://github.com/wazuh/wazuh/blob/master/src/analysisd/rules.c#L665 (srcip, srcport, dstip, dstport, user, url, id, hostname, program_name, status and action) Beside that, if somehow we add the funcionallity to match for that field, you could use a negative key match, adding the list sentence to syscheck rule 550. Negative key match: http://ossec-docs.readthedocs. io/en/latest/manual/rules-decoders/rule-lists.html#negative-key-match Rule 550 for syscheck integrity checksum changed, will trigger only if they md5 checksum is not present on the CDB list, how it would look like: > ossec > syscheck_integrity_changed > * lookup="not_match_key">etc/lists/whitelist_md5* > Integrity checksum changed. > syscheck,pci_dss_11.5, > *whitelist_md5* d41d8cd98f00b204e
Re: [ossec-list] CDB Lists and MD5 checksums
Awesome Pedro. I'll give this a try. Just for clarification, is this the correct Wazuh master branch? https://github.com/wazuh/wazuh And do you know if it works with the standard ossec clients? Or will I need to install new clients on my servers for this to work? Thanks, BJ On Thursday, March 9, 2017 at 8:46:59 AM UTC-7, Pedro Sanchez wrote: > > Hi BJ, > > I did not know about that post, it looks great but it is a bit outdated. > It helped me to add that functionality (code pieces) to Wazuh master > branch. Wazuh is already working SQLite internally for some DB's (agent > keys, syscheck data..) so the libraries are already compiled there. > Everything is working on my labs as expected, every syscheck event is > being checked against the Checksum DB created with the Python script, if > there is a match, the alert won't be generated. > > I am attaching the patch and the Python script fixed (the one on the blog > was not working). > > PS: I assume the errors you had were related to not compiling / including > properly the SQLite libraries. > > Regards, > Pedro Sanchez. > > On Thu, Mar 9, 2017 at 1:33 AM, BJ > > wrote: > >> Thank you Pedro. That's good information. >> >> With that in mind, I've decided to give this a try: >> https://blog.rootshell.be/2013/05/13/improving-file-integrity-monitoring-with-ossec/ >> >> Basically, he patched the code to make it look at a sqlite3 database >> prior to alerting. >> >> Unfortunately, the code is a bit old, and I'm not sure he included all of >> the steps. I couldn't use his patch because I wanted the latest code, so I >> created my own based on his (attached). And although I have installed >> libsqlite3-dev, it fails to compile. I keep getting the following, which >> suggests it isn't pulling the code in from sqlite3.h for some reason. >> >> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:845: >> undefined reference to `debug0' >> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:849: >> undefined reference to `sqlite3_open' >> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:852: >> undefined reference to `sqlite3_prepare_v2' >> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:854: >> undefined reference to `sqlite3_step' >> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:859: >> undefined reference to `sqlite3_finalize' >> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:860: >> undefined reference to `sqlite3_close' >> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:861: >> undefined reference to `debug0' >> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:865: >> undefined reference to `sqlite3_finalize' >> /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:866: >> undefined reference to `sqlite3_close' >> >> Now, I haven't coded in C since high school? Like 20 years ago. I >> remember some things, and have googled others, but I'm in over my head. I >> can't seem to figure out how to fix this, or what I might have done wrong. >> FYI, I'm on Ubuntu 16.04. >> >> If anyone could help me, I'd appreciate it. >> >> Thanks, >> BJ >> >> On Wednesday, March 8, 2017 at 9:14:45 AM UTC-7, Pedro Sanchez wrote: >> >>> Hi, >>> >>> I like your intention to create a whitelist for checksum using CDB >>> lists, I think it will be a great functionality. Unfortunately you won't be >>> able to do it, since OSSEC lists does not allow to match using >>> "syscheck.md5_after" field. >>> You can check here the available fields for matching a CDB List: >>> https://github.com/wazuh/wazuh/blob/master/src/analysisd/rules.c#L665 >>> (srcip, srcport, dstip, dstport, user, url, id, hostname, program_name, >>> status and action) >>> >>> Beside that, if somehow we add the funcionallity to match for that >>> field, you could use a negative key match, adding the list sentence to >>> syscheck rule 550. >>> >>> Negative key match: >>> http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/rule-lists.html#negative-key-match >>> >>> Rule 550 for syscheck integrity checksum changed, will trigger only if >>> they md5 checksum is not present on the CDB list, how it would look like: >>> >>> ossec syscheck_integrity_changed *>>> lookup="not_match_key">etc/lists/whitelist_md5* Integrity checksum changed. syscheck,pci_dss_11.5, >>> >>> >>> *whitelist_md5* >>> >>> d41d8cd98f00b204e9800998ecf8427a:file1 d41d8cd98f00b204e9800998ecf8427b:file2 d41d8cd98f00b204e9800998ecf8427c:file3 d41d8cd98f00b204e9800998ecf8427d:file4 >>> >>> >>> ossec.conf >>> *etc/lists/whitelist_md5* >>> >>> >>> *Compile CDB List* >>> /var/ossec/bin/ossec-makelists >>> >>> >>> >>> Maybe someone figure out a different way to do this. >>> >>> Regards, >>> Pedro Sanchez. >>> >>> >>> >>> On Wed, Mar 8, 2017 at 1:13 AM, BJ wrote: >>> I've seen the possibility mentioned in this for
Re: [ossec-list] CDB Lists and MD5 checksums
Hi BJ, I did not know about that post, it looks great but it is a bit outdated. It helped me to add that functionality (code pieces) to Wazuh master branch. Wazuh is already working SQLite internally for some DB's (agent keys, syscheck data..) so the libraries are already compiled there. Everything is working on my labs as expected, every syscheck event is being checked against the Checksum DB created with the Python script, if there is a match, the alert won't be generated. I am attaching the patch and the Python script fixed (the one on the blog was not working). PS: I assume the errors you had were related to not compiling / including properly the SQLite libraries. Regards, Pedro Sanchez. On Thu, Mar 9, 2017 at 1:33 AM, BJ wrote: > Thank you Pedro. That's good information. > > With that in mind, I've decided to give this a try: > https://blog.rootshell.be/2013/05/13/improving-file- > integrity-monitoring-with-ossec/ > > Basically, he patched the code to make it look at a sqlite3 database prior > to alerting. > > Unfortunately, the code is a bit old, and I'm not sure he included all of > the steps. I couldn't use his patch because I wanted the latest code, so I > created my own based on his (attached). And although I have installed > libsqlite3-dev, it fails to compile. I keep getting the following, which > suggests it isn't pulling the code in from sqlite3.h for some reason. > > /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:845: > undefined reference to `debug0' > /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:849: > undefined reference to `sqlite3_open' > /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:852: > undefined reference to `sqlite3_prepare_v2' > /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:854: > undefined reference to `sqlite3_step' > /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:859: > undefined reference to `sqlite3_finalize' > /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:860: > undefined reference to `sqlite3_close' > /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:861: > undefined reference to `debug0' > /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:865: > undefined reference to `sqlite3_finalize' > /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:866: > undefined reference to `sqlite3_close' > > Now, I haven't coded in C since high school? Like 20 years ago. I > remember some things, and have googled others, but I'm in over my head. I > can't seem to figure out how to fix this, or what I might have done wrong. > FYI, I'm on Ubuntu 16.04. > > If anyone could help me, I'd appreciate it. > > Thanks, > BJ > > On Wednesday, March 8, 2017 at 9:14:45 AM UTC-7, Pedro Sanchez wrote: > >> Hi, >> >> I like your intention to create a whitelist for checksum using CDB lists, >> I think it will be a great functionality. Unfortunately you won't be able >> to do it, since OSSEC lists does not allow to match using >> "syscheck.md5_after" field. >> You can check here the available fields for matching a CDB List: >> https://github.com/wazuh/wazuh/blob/master/src/analysisd/rules.c#L665 >> (srcip, srcport, dstip, dstport, user, url, id, hostname, program_name, >> status and action) >> >> Beside that, if somehow we add the funcionallity to match for that field, >> you could use a negative key match, adding the list sentence to syscheck >> rule 550. >> >> Negative key match: http://ossec-docs.readthedocs. >> io/en/latest/manual/rules-decoders/rule-lists.html#negative-key-match >> >> Rule 550 for syscheck integrity checksum changed, will trigger only if >> they md5 checksum is not present on the CDB list, how it would look like: >> >> >>> ossec >>> syscheck_integrity_changed >>> *>> lookup="not_match_key">etc/lists/whitelist_md5* >>> Integrity checksum changed. >>> syscheck,pci_dss_11.5, >>> >> >> >> *whitelist_md5* >> >> d41d8cd98f00b204e9800998ecf8427a:file1 >>> d41d8cd98f00b204e9800998ecf8427b:file2 >>> d41d8cd98f00b204e9800998ecf8427c:file3 >>> d41d8cd98f00b204e9800998ecf8427d:file4 >> >> >> ossec.conf >> >>> *etc/lists/whitelist_md5* >> >> >> *Compile CDB List* >> >>> /var/ossec/bin/ossec-makelists >> >> >> >> Maybe someone figure out a different way to do this. >> >> Regards, >> Pedro Sanchez. >> >> >> >> On Wed, Mar 8, 2017 at 1:13 AM, BJ wrote: >> >>> I've seen the possibility mentioned in this forum a couple of times >>> regarding adding the ability to check an MD5sum CDB list with rules. Right >>> now, I'm in a situation where I could use that ability. However, I can't >>> see anywhere that describes how to use it. Was that ever implemented? >>> Frankly, I'm interested enough in this feature that I'd do it myself if I >>> could, but I don't know C/C++, and only do scripting in Python. >>> >>> I'm trying to monitor a web folder for changes, but of course I don't >>> want to be alerted on every file when a releases is
Re: [ossec-list] CDB Lists and MD5 checksums
Thank you Pedro. That's good information. With that in mind, I've decided to give this a try: https://blog.rootshell.be/2013/05/13/improving-file-integrity-monitoring-with-ossec/ Basically, he patched the code to make it look at a sqlite3 database prior to alerting. Unfortunately, the code is a bit old, and I'm not sure he included all of the steps. I couldn't use his patch because I wanted the latest code, so I created my own based on his (attached). And although I have installed libsqlite3-dev, it fails to compile. I keep getting the following, which suggests it isn't pulling the code in from sqlite3.h for some reason. /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:845: undefined reference to `debug0' /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:849: undefined reference to `sqlite3_open' /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:852: undefined reference to `sqlite3_prepare_v2' /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:854: undefined reference to `sqlite3_step' /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:859: undefined reference to `sqlite3_finalize' /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:860: undefined reference to `sqlite3_close' /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:861: undefined reference to `debug0' /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:865: undefined reference to `sqlite3_finalize' /usr/local/src/ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c:866: undefined reference to `sqlite3_close' Now, I haven't coded in C since high school? Like 20 years ago. I remember some things, and have googled others, but I'm in over my head. I can't seem to figure out how to fix this, or what I might have done wrong. FYI, I'm on Ubuntu 16.04. If anyone could help me, I'd appreciate it. Thanks, BJ On Wednesday, March 8, 2017 at 9:14:45 AM UTC-7, Pedro Sanchez wrote: > > Hi, > > I like your intention to create a whitelist for checksum using CDB lists, > I think it will be a great functionality. Unfortunately you won't be able > to do it, since OSSEC lists does not allow to match using > "syscheck.md5_after" field. > You can check here the available fields for matching a CDB List: > https://github.com/wazuh/wazuh/blob/master/src/analysisd/rules.c#L665 > (srcip, srcport, dstip, dstport, user, url, id, hostname, program_name, > status and action) > > Beside that, if somehow we add the funcionallity to match for that field, > you could use a negative key match, adding the list sentence to syscheck > rule 550. > > Negative key match: > http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/rule-lists.html#negative-key-match > > Rule 550 for syscheck integrity checksum changed, will trigger only if > they md5 checksum is not present on the CDB list, how it would look like: > > >> ossec >> syscheck_integrity_changed >> *> lookup="not_match_key">etc/lists/whitelist_md5* >> Integrity checksum changed. >> syscheck,pci_dss_11.5, >> > > > *whitelist_md5* > > d41d8cd98f00b204e9800998ecf8427a:file1 >> d41d8cd98f00b204e9800998ecf8427b:file2 >> d41d8cd98f00b204e9800998ecf8427c:file3 >> d41d8cd98f00b204e9800998ecf8427d:file4 > > > ossec.conf > >> *etc/lists/whitelist_md5* > > > *Compile CDB List* > >> /var/ossec/bin/ossec-makelists > > > > Maybe someone figure out a different way to do this. > > Regards, > Pedro Sanchez. > > > > On Wed, Mar 8, 2017 at 1:13 AM, BJ > > wrote: > >> I've seen the possibility mentioned in this forum a couple of times >> regarding adding the ability to check an MD5sum CDB list with rules. Right >> now, I'm in a situation where I could use that ability. However, I can't >> see anywhere that describes how to use it. Was that ever implemented? >> Frankly, I'm interested enough in this feature that I'd do it myself if I >> could, but I don't know C/C++, and only do scripting in Python. >> >> I'm trying to monitor a web folder for changes, but of course I don't >> want to be alerted on every file when a releases is done (they can be done >> at any time of day too). I can get md5 sums of each of the files prior to >> the release to whitelist them for ossec, but I can't seem to figure out how >> to tell ossec to use that database. Any help would be appreciated. >> >> Thanks. >> >> -- >> >> --- >> You received this message because you are subscribed to the Google Groups >> "ossec-list" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to ossec-list+...@googlegroups.com . >> For more options, visit https://groups.google.com/d/optout. >> > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.
Re: [ossec-list] CDB Lists and MD5 checksums
Hi, I like your intention to create a whitelist for checksum using CDB lists, I think it will be a great functionality. Unfortunately you won't be able to do it, since OSSEC lists does not allow to match using "syscheck.md5_after" field. You can check here the available fields for matching a CDB List: https://github.com/wazuh/wazuh/blob/master/src/analysisd/rules.c#L665 (srcip, srcport, dstip, dstport, user, url, id, hostname, program_name, status and action) Beside that, if somehow we add the funcionallity to match for that field, you could use a negative key match, adding the list sentence to syscheck rule 550. Negative key match: http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/rule-lists.html#negative-key-match Rule 550 for syscheck integrity checksum changed, will trigger only if they md5 checksum is not present on the CDB list, how it would look like: > ossec > syscheck_integrity_changed > * lookup="not_match_key">etc/lists/whitelist_md5* > Integrity checksum changed. > syscheck,pci_dss_11.5, > *whitelist_md5* d41d8cd98f00b204e9800998ecf8427a:file1 > d41d8cd98f00b204e9800998ecf8427b:file2 > d41d8cd98f00b204e9800998ecf8427c:file3 > d41d8cd98f00b204e9800998ecf8427d:file4 ossec.conf > *etc/lists/whitelist_md5* *Compile CDB List* > /var/ossec/bin/ossec-makelists Maybe someone figure out a different way to do this. Regards, Pedro Sanchez. On Wed, Mar 8, 2017 at 1:13 AM, BJ wrote: > I've seen the possibility mentioned in this forum a couple of times > regarding adding the ability to check an MD5sum CDB list with rules. Right > now, I'm in a situation where I could use that ability. However, I can't > see anywhere that describes how to use it. Was that ever implemented? > Frankly, I'm interested enough in this feature that I'd do it myself if I > could, but I don't know C/C++, and only do scripting in Python. > > I'm trying to monitor a web folder for changes, but of course I don't want > to be alerted on every file when a releases is done (they can be done at > any time of day too). I can get md5 sums of each of the files prior to the > release to whitelist them for ossec, but I can't seem to figure out how to > tell ossec to use that database. Any help would be appreciated. > > Thanks. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
