
Write md5 and sha1 checksums for newly added files. #1940

Merged
merged 1 commit into from
Dec 20, 2020

Conversation

swindmill

Naive solution for #314 - Write md5 and sha1 checksums for newly added files.

I am not very familiar with the OSSEC code base but this seems to work. Very open to making changes to align with code organization / quality standards or other feedback!

Summary:
OSSEC records checksums (both old and new) for files it is configured to monitor via syscheck.

Example:

```
** Alert 1589082701.1481730: mail  - ossec,syscheck,
2020 May 09 23:51:41 localhost->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/yum.conf'
Size changed from '978' to '970'
Old md5sum was: 'c9db7a8874a8d889fa9b6336a4a7ea04'
New md5sum is : 'a7dc0d7b8902e9c8c096c93eb431d19e'
Old sha1sum was: 'b02997d3c3fa9322132c8cf1e42f4462ddcda362'
New sha1sum is : 'e0637e631f4ab0aaebef1a6b8822a36f031f332e'
```

When configured to alert on new file creation, it does not record similar checksums. We would like these so we can record them in our SIEM and attempt to determine if they are known malicious via threat intelligence systems.

Example before this change:

```
** Alert 1589082690.1481191: - ossec,syscheck,
2020 May 09 23:51:30 localhost->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/etc/.yum.conf.swp' added to the file system.
```

Example after this change:

```
** Alert 1589082690.1481191: - ossec,syscheck,
2020 May 09 23:51:30 localhost->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/etc/.yum.conf.swp' added to the file system.
New sha1sum is : '1cf120af022f6acc955a5ef70e74f1f7eb604c3f'
New md5sum is : 'bd00d635ca6302c622968688760993d8'
```

Test Plan: Confirmed that new file alerts include sha1 and md5 checksums both in OSSEC's alerts.log and also in syslog data OSSEC can be optionally configured to generate.
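To show how the checksums this change adds can be consumed downstream, here is an added example (not part of the pull request or the OSSEC code base) that parses alerts.log-style syscheck alerts, handles the rule 550 and rule 554 forms as well as the pre-change file-added form that carries no checksums, and collects the current-content hashes a SIEM would send to a threat-intelligence lookup. The sample alerts are constructed from the formats quoted above; the `/tmp/example.bin` alert and its id are made up.

```python
import re
# Constructed sample in the alerts.log format quoted in the PR; the last alert
# is the pre-change "file added" form, which carries no checksums.
SAMPLE_ALERTS = """\
** Alert 1589082690.1481191: - ossec,syscheck,
2020 May 09 23:51:30 localhost->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/etc/.yum.conf.swp' added to the file system.
New sha1sum is : '1cf120af022f6acc955a5ef70e74f1f7eb604c3f'
New md5sum is : 'bd00d635ca6302c622968688760993d8'

** Alert 1589082701.1481730: mail  - ossec,syscheck,
2020 May 09 23:51:41 localhost->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/yum.conf'
Size changed from '978' to '970'
Old md5sum was: 'c9db7a8874a8d889fa9b6336a4a7ea04'
New md5sum is : 'a7dc0d7b8902e9c8c096c93eb431d19e'
Old sha1sum was: 'b02997d3c3fa9322132c8cf1e42f4462ddcda362'
New sha1sum is : 'e0637e631f4ab0aaebef1a6b8822a36f031f332e'

** Alert 1589082702.1481900: - ossec,syscheck,
Rule: 554 (level 5) -> 'File added to the system.'
New file '/tmp/example.bin' added to the file system.
"""
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
PATH_RE = re.compile(r"^(?:New file|Integrity checksum changed for:) '(.*?)'")
HASH_RE = re.compile(r"^(Old|New) (md5|sha1)sum (?:was|is) ?: '([0-9a-f]+)'$")

def parse_alerts(text):
    """Yield one dict per syscheck alert; checksum fields absent from the alert stay None."""
    for block in re.split(r"\n(?=\*\* Alert )", text.strip()):
        lines = block.splitlines()
        if "syscheck" not in lines[0]:  # skip alerts from other OSSEC modules
            continue
        rec = dict.fromkeys("rule level path old_md5 new_md5 old_sha1 new_sha1".split())
        rec["alert_id"] = lines[0].split()[2].rstrip(":")
        for line in lines[1:]:
            if m := RULE_RE.match(line):
                rec["rule"], rec["level"] = int(m[1]), int(m[2])
            elif m := PATH_RE.match(line):
                rec["path"] = m[1]
            elif m := HASH_RE.match(line):
                rec[f"{m[1].lower()}_{m[2]}"] = m[3]  # e.g. new_sha1
        yield rec

def hashes_for_lookup(text):
    """(path, md5, sha1) of the current content for every alert that carries a checksum."""
    return {(r["path"], r["new_md5"], r["new_sha1"]) for r in parse_alerts(text) if r["new_sha1"] or r["new_md5"]}
```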
