Some question about Rule ID 550 : Integrity checksum changed
572 views
Skip to first unread message
Ducng Thai
Oct 12, 2022, 4:32:45 AM10/12/22
to Wazuh mailing list
I wanna understand what
syscheck_integrity_changed is ...
I see that in rule id 550, but when i search in decoder management... It 's not exist.
Jose Antonio Izquierdo
Oct 12, 2022, 5:30:09 AM10/12/22
to Wazuh mailing list
Hi Ducng Thai,
This syscheck_integrity_changed is an FIM (File Integrity Management) decoder. This decode_as decoder won't appear as a written decoder as it is part of the FIM code. (https://github.com/wazuh/wazuh/blob/7c24762d2640ea52b496fe27b026061717f9fa1f/src/analysisd/rules.h#L420)
You can find information about this FIM functionality here - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/how-it-works.html?highlight=fim
Ping me if you need further assistance.
Jose.
Message has been deleted
Ducng Thai
Oct 14, 2022, 6:35:26 AM10/14/22
to Wazuh mailing list
Hi Jose,
Thanks for providing me with useful information. I am needing to create a rule that detects changes on a specific directory and the second condition is Mode : realtime.
1st :
<group name="ossec,">
<rule id="100550" level="12">
<if_sid>550</if_sid>
<match>/my/file/path/</match>
<match>Mode: realtime</match>
<description>Integrity checksum changed</description>
<group>syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,</group>
</rule>
</group>
2nd :
<group name="ossec,">
<rule id="100550" level="6">
<if_sid>550</if_sid>
<match> /my/file/path/ </match>
<description>Integrity checksum changed</description>
<group>syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,</group>
</rule>
</group>
<group name="ossec,">
<rule id="200550" level="12">
<if_sid>100550</if_sid>
<match>Mode: realtime</match>
<description>Integrity checksum changed</description>
<group>syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,</group>
</rule>
</group>
But the first case <match>Mode : realtime</match> doesn't seem to work. the second case doesn't even generate a warning on either rule 100550 or 200550. Can you help me understand why and how?
Thanks for providing me with useful information. I am needing to create a rule that detects changes on a specific directory and the second condition is Mode : realtime.
1st :
<group name="ossec,">
<rule id="100550" level="12">
<if_sid>550</if_sid>
<match>/my/file/path/</match>
<match>Mode: realtime</match>
<description>Integrity checksum changed</description>
<group>syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,</group>
</rule>
</group>
2nd :
<group name="ossec,">
<rule id="100550" level="6">
<if_sid>550</if_sid>
<match> /my/file/path/ </match>
<description>Integrity checksum changed</description>
<group>syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,</group>
</rule>
</group>
<group name="ossec,">
<rule id="200550" level="12">
<if_sid>100550</if_sid>
<match>Mode: realtime</match>
<description>Integrity checksum changed</description>
<group>syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,</group>
</rule>
</group>
But the first case <match>Mode : realtime</match> doesn't seem to work. the second case doesn't even generate a warning on either rule 100550 or 200550. Can you help me understand why and how?
Thank you very much...
Vào lúc 16:30:09 UTC+7 ngày Thứ Tư, 12 tháng 10, 2022, jose.iz...@wazuh.com đã viết:
Jose Antonio Izquierdo
Oct 14, 2022, 7:00:51 AM10/14/22
to Wazuh mailing list
Hi,
I think you should use <field> elements instead of <match> elements in your rules. Also, this table will provide your with the right field names to use in your rules -> https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/fim-fields-rule-mapping.html
Hope it helps.
Hope it helps.
Jose.
Reply all
Reply to author
Forward
0 new messages