Hello kristian,
The nodiff option is aimed at avoiding data leaking by sending the content of specific changes through alerts.
Consider the following example:
<directories report_changes="yes">/etc</directories>
<nodiff>/etc/ssl/private.key</nodiff>
Note the report_changes option, which reports registry value changes in the alert.
Also, suppose we have an existing file /etc/ssl/testing.txt.
If we edit the private.key and the testing files, the following alerts will be created:
** Alert 1664807851.34730775: - ossec,syscheck,syscheck_entry_modified,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2022 Oct 03 14:37:31 centos->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
File '/etc/ssl/private.key' modified
Mode: scheduled
Changed attributes: size,mtime,inode,md5,sha1,sha256
Size changed from '68' to '78'
Old modification time was: '1664807689', now it is '1664807829'
Old inode was: '8818156', now it is '8605059'
Old md5sum was: '657528c1553900b6b02ed8a290f462f3'
New md5sum is : '5427c98e148fac68e6de9cbe5bba2877'
Old sha1sum was: '911226b4935c3ea24b2a1c21e9818709dfa08d4a'
New sha1sum is : '202a3284e98eaba933ca7e2f6ced46f4619e808e'
Old sha256sum was: 'a242a73d099b26832256108081cec8b575cb34d9af9e0aeaea0c77a7579ae07a'
New sha256sum is : 'c7e3f9bd83b82fe7bb0f398e76321c2b5396615003bc718d22c7b489040396e1'
Attributes:
- Size: 78
- Permissions: rw-r--r--
- Date: Mon Oct 3 14:37:09 2022
- Inode: 8605059
- User: root (0)
- Group: root (0)
- MD5: 5427c98e148fac68e6de9cbe5bba2877
- SHA1: 202a3284e98eaba933ca7e2f6ced46f4619e808e
- SHA256: c7e3f9bd83b82fe7bb0f398e76321c2b5396615003bc718d22c7b489040396e1
What changed:
<Diff truncated because nodiff option>
** Alert 1664807851.34732106: - ossec,syscheck,syscheck_entry_modified,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2022 Oct 03 14:37:31 centos->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
File '/etc/ssl/testing.txt' modified
Mode: scheduled
Changed attributes: size,mtime,inode,md5,sha1,sha256
Size changed from '17' to '35'
Old modification time was: '1664807678', now it is '1664807850'
Old inode was: '8818158', now it is '8592715'
Old md5sum was: '95e8576dbe1d557372d14aa266a350a5'
New md5sum is : '6fe97e2b208af01442d25ce676662aa9'
Old sha1sum was: '29a9d2acd5924f4e73eacfc1e98727ef0d92d367'
New sha1sum is : 'e9d4b4efb4cf9a1ae9962a300cac22676b442a42'
Old sha256sum was: '52e1a7c4ede52e6b53acbf872bc46161b46148bae562280a3df9f956f7ed4fd0'
New sha256sum is : 'a70486f87f7b62b8ba24b6e76e5241cd96d2dc62546ce565e99a5a2fa201613d'
Attributes:
- Size: 35
- Permissions: rw-r--r--
- Date: Mon Oct 3 14:37:30 2022
- Inode: 8592715
- User: root (0)
- Group: root (0)
- MD5: 6fe97e2b208af01442d25ce676662aa9
- SHA1: e9d4b4efb4cf9a1ae9962a300cac22676b442a42
- SHA256: a70486f87f7b62b8ba24b6e76e5241cd96d2dc62546ce565e99a5a2fa201613d
What changed:
2a3,4
> Testing3
> Testing4
Notice that the What changed section is not shown for the private file.
Regarding the use of nodiff on directories, it is not possible because this option is meant to be used consciously on specific files. Consider the following approach:
<nodiff>/etc/ssl/private.key</nodiff>
<nodiff>/etc/ssl/private.key2</nodiff>
...
<directories>/etc/</directories>
<directories report_changes="yes">other_paths</directories>
Regarding sregex, it is faster than OS_Regex, but only supports simple string matching and the following special characters. You can see more information on this documentation page.
All these examples have been run on Wazuh but should be similar in OSSEC. You can see more information about the project on the documentation page.
If you have any doubt, do not hesitate to ask.
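As an added example (not part of the reply above, nor Wazuh's own code), the following Python checker reproduces the behaviour described in the post from a syscheck configuration fragment: a file listed in nodiff never gets a "What changed" diff, and otherwise the report_changes attribute of the matching directories entry decides. It assumes that a plain nodiff entry matches the exact path, that the most specific (longest) directories prefix wins when several contain the file, and a minimal OS_Match-style sregex ("^", "$", "|"); the configuration strings are the ones from the post.

```python
"""Predict whether syscheck would include a 'What changed' diff for a path."""
import xml.etree.ElementTree as ET

# Configuration from the post: report_changes on /etc, private key excluded.
CONFIG_REPORT_ETC = """<syscheck>
<directories report_changes="yes">/etc</directories>
<nodiff>/etc/ssl/private.key</nodiff>
</syscheck>"""


def sregex_match(pattern: str, text: str) -> bool:
    """Assumed OS_Match semantics: '|' alternatives, '^' start anchor,
    '$' end anchor, anything else is a plain substring match."""
    for alt in pattern.split("|"):
        starts, ends = alt.startswith("^"), alt.endswith("$")
        core = alt[1 if starts else 0:len(alt) - 1 if ends else len(alt)]
        if starts and ends:
            hit = text == core
        elif starts:
            hit = text.startswith(core)
        elif ends:
            hit = text.endswith(core)
        else:
            hit = core in text
        if hit:
            return True
    return False


def diff_reported(syscheck_xml: str, path: str) -> bool:
    """True if an alert for `path` would carry the diff body."""
    root = ET.fromstring(syscheck_xml)
    # 1. nodiff wins: the diff is truncated for any matching file.
    for nd in root.findall("nodiff"):
        pat = (nd.text or "").strip()
        if nd.get("type") == "sregex":
            if sregex_match(pat, path):
                return False
        elif pat == path:  # assumption: plain nodiff is an exact path match
            return False
    # 2. Otherwise the longest <directories> prefix containing the path
    #    decides via its report_changes attribute (assumed precedence rule).
    best, best_len = None, -1
    for d in root.findall("directories"):
        for entry in (d.text or "").split(","):  # entries may be comma-separated
            entry = entry.strip().rstrip("/")
            inside = path == entry or path.startswith(entry + "/")
            if entry and inside and len(entry) > best_len:
                best, best_len = d, len(entry)
    return best is not None and best.get("report_changes", "no") == "yes"
```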