Not Workin integrity monitoring and random problems with vulnerability scans
241 views
Skip to first unread message
Davide De Cicco
Oct 20, 2022, 2:07:31 PM10/20/22
to Wazuh mailing list
Hi Wazuh team,
At this moment I have 3 agent installed in 3 Windows 10 machines and the connection with the Wazuh server is ok, and I have followed all the configuration tutorials from your web page, but I have some problems with the vulnerability scans and the integrity monitoring.
I have just deployed a wazuh server (all-in-one solution) on a linux 20.04 LTS Virtual Machine and I'm deploying some agents in my local network.
At this moment I have 3 agent installed in 3 Windows 10 machines and the connection with the Wazuh server is ok, and I have followed all the configuration tutorials from your web page, but I have some problems with the vulnerability scans and the integrity monitoring.
In one Windows machine (id 001) the vulnerability scan works without any problem and in the second one (id 003) initially it didn't work and after changing the time zone of the Wazuh server to UTC and after a lot of "systemctl restart wazuh-manager" it decided to pick up also the vulnerabilities of this pc (strange behavior). The third computer (id 002) instead seems to have no vulnerabilities looking from the WEB UI (in my opinion impossible), and I can't undestand why it's not able to find or show them; also, from the ossec logs I can see that also this PC is scanned for vulnerabilities (I added them down below for clarity).
2022/10/20 17:27:13 wazuh-modulesd:vulnerability-detector[74429] wm_vuln_detector.c:2565 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5439): A partial scan will be run on agent '002'
2022/10/20 17:27:13 wazuh-modulesd:vulnerability-detector[74429] wm_vuln_detector.c:5053 at wm_vuldet_collect_agent_software(): DEBUG: (5437): Collecting agent '002' software.
2022/10/20 17:27:13 wazuh-modulesd:vulnerability-detector[74429] wm_vuln_detector.c:2584 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5450): Analyzing agent '002' vulnerabilities.
2022/10/20 17:27:13 wazuh-modulesd:vulnerability-detector[74429] wm_vuln_detector.c:2603 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5471): Finished vulnerability assessment for agent '002'
2022/10/20 17:27:13 wazuh-modulesd:vulnerability-detector[74429] wm_vuln_detector.c:2604 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5470): It took '0' seconds to 'scan' vulnerabilities in agent '002'
2022/10/20 17:27:13 wazuh-modulesd:vulnerability-detector[74429] wm_vuln_detector.c:5053 at wm_vuldet_collect_agent_software(): DEBUG: (5437): Collecting agent '002' software.
2022/10/20 17:27:13 wazuh-modulesd:vulnerability-detector[74429] wm_vuln_detector.c:2584 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5450): Analyzing agent '002' vulnerabilities.
2022/10/20 17:27:13 wazuh-modulesd:vulnerability-detector[74429] wm_vuln_detector.c:2603 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5471): Finished vulnerability assessment for agent '002'
2022/10/20 17:27:13 wazuh-modulesd:vulnerability-detector[74429] wm_vuln_detector.c:2604 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5470): It took '0' seconds to 'scan' vulnerabilities in agent '002'
The other problem I have is that NONE of these 3 Agent seems to be able to check for file integrity... My Integrity monitoring section from Web UI is empty, and even if I added to the ossec.conf file this entry -> (" <directories check_all="yes" whodata="yes" report_changes="yes">C:\\</directories> ") and then tried to create some files in the directory, nothing happens on the Web UI. (after all the changes I always restarted the daemon of wazuh-manager).
I'm not an expert and I'm trying to learn, so I hope you can make sense of these problems and understand my mistakes.
Sorry for my bad english and thank you in advance for any help!
Miguel Angel Cazajous
Oct 22, 2022, 5:42:22 PM10/22/22
to Wazuh mailing list
Hello Davide,
Let's see if we can address all these issues one by one.
First, I would like to know the situation with your agent 2 which is not showing vulnerabilities (we can talk about the time zone later).
- Since all the agents have the same OS (Windows 10) something that may be affecting the number of vulnerabilities on each should be related to the hotfixes installed.
Please let me know what you get from these command. (execute them in your manager)
sqlite3 /var/ossec/queue/db/001.db 'select * from sys_hotfixes'
sqlite3 /var/ossec/queue/db/002.db 'select * from sys_hotfixes'
sqlite3 /var/ossec/queue/db/003.db 'select * from sys_hotfixes'
I would say that we expect to have 0 vulnerabilities if all the patches have been installed on a Windows machine.
We have three sources to construct the list of vulnerabilities of Windows systems. First, we have the NVD with the CVE information, then we have the Microsoft API where we get the relation between certain CVE and the patch that fixes it, and finally the Microsoft catalog with information about supersedence KB. Sometimes the information from those places is not accurate and let us without so many options to correlate the information and we have to wait for those sites to update their information.
One last thing we can try is to install a well-known vulnerable package like Wireshark 2.4.5 in agent 2 to see if it really getting the vulnerabilities it should.
We can talk about the FIM issue later, but I would like to clarify something in case this is the issue. The configuration you mentioned is correct, but it should be in the ossec.conf file on the agent side, and then you should restart the wazuh agent service.
Putting that setting in your manager won't work since the Linux manager doesn't have a path like that.
I hope we can solve all this. Regards!
Let's see if we can address all these issues one by one.
First, I would like to know the situation with your agent 2 which is not showing vulnerabilities (we can talk about the time zone later).
- Since all the agents have the same OS (Windows 10) something that may be affecting the number of vulnerabilities on each should be related to the hotfixes installed.
Please let me know what you get from these command. (execute them in your manager)
sqlite3 /var/ossec/queue/db/001.db 'select * from sys_hotfixes'
sqlite3 /var/ossec/queue/db/002.db 'select * from sys_hotfixes'
sqlite3 /var/ossec/queue/db/003.db 'select * from sys_hotfixes'
I would say that we expect to have 0 vulnerabilities if all the patches have been installed on a Windows machine.
We have three sources to construct the list of vulnerabilities of Windows systems. First, we have the NVD with the CVE information, then we have the Microsoft API where we get the relation between certain CVE and the patch that fixes it, and finally the Microsoft catalog with information about supersedence KB. Sometimes the information from those places is not accurate and let us without so many options to correlate the information and we have to wait for those sites to update their information.
One last thing we can try is to install a well-known vulnerable package like Wireshark 2.4.5 in agent 2 to see if it really getting the vulnerabilities it should.
We can talk about the FIM issue later, but I would like to clarify something in case this is the issue. The configuration you mentioned is correct, but it should be in the ossec.conf file on the agent side, and then you should restart the wazuh agent service.
Putting that setting in your manager won't work since the Linux manager doesn't have a path like that.
I hope we can solve all this. Regards!
Davide De Cicco
Oct 23, 2022, 6:04:18 AM10/23/22
to Wazuh mailing list
Hi! Thank you very much for your response!
I have run the commands you gave me and I will attach the result at the end of the post.
Later, when I will have access to the machine, I will also try to install wireshark to the 002 agent and scan vulnerabilities as you suggested.
I'll also try to add the path for the FIM problem to the config files of all the agents.
For now I tried to add only on 001 these 2 lines (<directories check_all="yes" report_changes="yes" whodata="yes">C:\\Users\\Administrator\\Desktop</directories> <directories check_all="yes" report_changes="yes" whodata="yes">C:\\Wazuh</directories>),
but these didn't help, nothing shows up in the Web UI event after adding these and selecting the range date of more then 1 year.
I'll later also try with some other paths.
Thank you another time for your time. I'll wait for your answer, in the mean time have a great day!
Here is the result of : " /var/ossec/queue/db/00x.db 'select * from sys_hotfixes' " for the 3 agents:
0|2022/10/20 14:33:54|KB2151757|fe3637745a5497a1e54b9e7a0761b1cba57b3bbf
0|2022/10/20 14:33:54|KB2467173|a3eadb3c902e9582a6599150142ec4715116b85d
0|2022/10/20 14:33:54|KB2468871|8f99821b9e79bc2258cb56cd14cfcaf9bbeda8e5
0|2022/10/20 14:33:55|KB2478063|8511235ae3ab3b642d8ba429599092634fdde3a8
0|2022/10/20 14:33:55|KB2533523|b8c4cb9a2aeb6a64269e88f6116765420a65cd80
0|2022/10/20 14:33:55|KB2544514|8e468309f00c0f31b8a0f12a6a79d2658652e9e9
0|2022/10/20 14:33:55|KB2565063|54c29c08e09e08e655f6f45979bef8ace970720a
0|2022/10/20 14:33:55|KB2600211|cb13c01ba11045aabbb074fc3e61b0a3b2d88dd4
0|2022/10/20 14:33:55|KB2600217|8253af775746f8545784d27edb852281c9a06955
0|2022/10/20 14:33:55|KB4562830|c651fa941c06383364d7d47f8d7046499cc099fb
0|2022/10/20 14:33:55|KB4577266|398b71614c444e7755a89c5c6e02e99410ed5a5f
0|2022/10/20 14:33:55|KB4577586|5c4da70cbf846d4c84b94bee7ae7bd4ca5957d93
0|2022/10/20 14:33:55|KB4580325|971b360361a480d5a5be94a472dd8cf2d01ef4c0
0|2022/10/20 14:33:56|KB4586864|8f903af78d034ad5ef638fec4cb9bde00f06fc9d
0|2022/10/20 14:33:56|KB4589212|52f4885f77feb3e0733eb5641efce44219b1b55f
0|2022/10/20 14:33:56|KB4593175|acbb733b975f9f5ce8318e9e6f0afab3bcee30ec
0|2022/10/20 14:33:56|KB4598481|8de4e665a0f9a06fae122d8bad16e2979686d679
0|2022/10/20 14:33:56|KB5003791|50c7785c386d7f479f12ed8860a22717394f6494
0|2022/10/20 14:33:56|KB5005260|d9fbc6a677f5fcbfd1bcf017d93f73c3cf991533
0|2022/10/20 14:33:56|KB5005699|607c96d9ee795a1d30612b9c34c3dc694f8a2c68
0|2022/10/20 14:33:56|KB5006753|8fc10cb0d891264a46701959bd7788ca88f630d6
0|2022/10/20 14:33:56|KB5007273|4283b072caae3a4bb06aa8ca98bf78752c731be6
0|2022/10/20 14:33:56|KB5009636|d2ced95170000960ee966efa78b19124282ecce3
0|2022/10/20 14:33:57|KB5011352|d0fa4dde12a3546b12e21c029517c55b962aa7e6
0|2022/10/20 14:33:57|KB5011651|f2b42d9990d2ceb12160ef911d068aa1e0637ccd
0|2022/10/20 14:33:57|KB5012170|d9e49825d14b5bbbf4b4aa4c499ae7f8121389a3
0|2022/10/20 14:33:57|KB5013887|2e41823fdf28f007012ae186504266086e934d07
0|2022/10/20 14:33:57|KB5014032|85ade350889946e1c28e01e94c75b5244f9cc1d8
0|2022/10/20 14:33:57|KB5014035|369e18e8ac4a40b7b28bbc6dc7f57158ec552375
0|2022/10/20 14:33:57|KB5014671|00a1efe69901c2f06945ec10a6d5693caf1426d9
0|2022/10/20 14:33:57|KB5015730|6bc6c1c38194c1c18444ecf7248d0e1760cf4d0b
0|2022/10/20 14:33:57|KB5015895|b071d859c975cd82a1c18a01ca96a49c8b54a041
0|2022/10/20 14:33:57|KB5016616|e903e24746c7e79b9f5d234374cf9d8ee3d26258
0|2022/10/20 14:33:58|KB5016705|4df135cb799f3942b346aa026dc4be3ab79ec4e3
0|2022/10/20 14:33:58|KB5017022|fd2f9d0c91b4236555299aa308ed2d1248bdff90
0|2022/10/20 14:33:58|KB5017262|5c1d6f7e495ccda4b439da08e748efd3a3570fd7
0|2022/10/20 14:33:58|KB5017308|ba743075f61a3ec94308d804571072238aba28a4
0|2022/10/20 14:33:58|KB982573|62a01d14af223e0ddeb5a5182e101ebfe1b12007
a@b:/home/test# sqlite3 /var/ossec/queue/db/002.db 'select * from sys_hotfixes'
0|2022/10/20 16:09:02|KB2151757|fe3637745a5497a1e54b9e7a0761b1cba57b3bbf
0|2022/10/20 16:09:02|KB2467173|a3eadb3c902e9582a6599150142ec4715116b85d
0|2022/10/20 16:09:02|KB2468871|8f99821b9e79bc2258cb56cd14cfcaf9bbeda8e5
0|2022/10/20 16:09:02|KB2478063|8511235ae3ab3b642d8ba429599092634fdde3a8
0|2022/10/20 16:09:02|KB2533523|b8c4cb9a2aeb6a64269e88f6116765420a65cd80
0|2022/10/20 16:09:02|KB2544514|8e468309f00c0f31b8a0f12a6a79d2658652e9e9
0|2022/10/20 16:09:02|KB2565063|54c29c08e09e08e655f6f45979bef8ace970720a
0|2022/10/20 16:09:02|KB2600211|cb13c01ba11045aabbb074fc3e61b0a3b2d88dd4
0|2022/10/20 16:09:03|KB2600217|8253af775746f8545784d27edb852281c9a06955
0|2022/10/20 16:09:03|KB4559309|8327ac6111de4d51ebdebeaa62702d7bcafc3657
0|2022/10/20 16:09:03|KB4561600|4a46ec34de66b8706a5a67d8e60f9b56ff2f5d85
0|2022/10/20 16:09:03|KB4562830|c651fa941c06383364d7d47f8d7046499cc099fb
0|2022/10/20 16:09:03|KB4565627|437bead283679f599db3bcdd61e5f5c8bd00d667
0|2022/10/20 16:09:03|KB4566785|69bf99d25e2a09ab5a887ed53a5f589baa283096
0|2022/10/20 16:09:03|KB4570334|a5a1387f72c6d3a521d48be52b8184de767091be
0|2022/10/20 16:09:03|KB4577266|398b71614c444e7755a89c5c6e02e99410ed5a5f
0|2022/10/20 16:09:03|KB4577586|5c4da70cbf846d4c84b94bee7ae7bd4ca5957d93
0|2022/10/20 16:09:04|KB4580325|971b360361a480d5a5be94a472dd8cf2d01ef4c0
0|2022/10/20 16:09:04|KB4586864|8f903af78d034ad5ef638fec4cb9bde00f06fc9d
0|2022/10/20 16:09:04|KB4589212|52f4885f77feb3e0733eb5641efce44219b1b55f
0|2022/10/20 16:09:04|KB4593175|acbb733b975f9f5ce8318e9e6f0afab3bcee30ec
0|2022/10/20 16:09:04|KB4598481|8de4e665a0f9a06fae122d8bad16e2979686d679
0|2022/10/20 16:09:04|KB5000736|668f68e501900d6b25e070caa0239e302e29a8b5
0|2022/10/20 16:09:04|KB5003791|50c7785c386d7f479f12ed8860a22717394f6494
0|2022/10/20 16:09:04|KB5005260|d9fbc6a677f5fcbfd1bcf017d93f73c3cf991533
0|2022/10/20 16:09:04|KB5005699|607c96d9ee795a1d30612b9c34c3dc694f8a2c68
0|2022/10/20 16:09:05|KB5006753|8fc10cb0d891264a46701959bd7788ca88f630d6
0|2022/10/20 16:09:05|KB5007273|4283b072caae3a4bb06aa8ca98bf78752c731be6
0|2022/10/20 16:09:05|KB5011352|d0fa4dde12a3546b12e21c029517c55b962aa7e6
0|2022/10/20 16:09:05|KB5011651|f2b42d9990d2ceb12160ef911d068aa1e0637ccd
0|2022/10/20 16:09:05|KB5012170|d9e49825d14b5bbbf4b4aa4c499ae7f8121389a3
0|2022/10/20 16:09:05|KB5012677|4929256682712a396bfe03fff6f1837cb7934cbd
0|2022/10/20 16:09:05|KB5014032|85ade350889946e1c28e01e94c75b5244f9cc1d8
0|2022/10/20 16:09:05|KB5014035|369e18e8ac4a40b7b28bbc6dc7f57158ec552375
0|2022/10/20 16:09:05|KB5014671|00a1efe69901c2f06945ec10a6d5693caf1426d9
0|2022/10/20 16:09:06|KB5015730|6bc6c1c38194c1c18444ecf7248d0e1760cf4d0b
0|2022/10/20 16:09:06|KB5015895|b071d859c975cd82a1c18a01ca96a49c8b54a041
0|2022/10/20 16:09:06|KB5016705|4df135cb799f3942b346aa026dc4be3ab79ec4e3
0|2022/10/20 16:09:06|KB5017022|fd2f9d0c91b4236555299aa308ed2d1248bdff90
0|2022/10/20 16:09:06|KB5017262|5c1d6f7e495ccda4b439da08e748efd3a3570fd7
0|2022/10/20 16:09:06|KB5017308|ba743075f61a3ec94308d804571072238aba28a4
0|2022/10/20 16:09:06|KB5017380|b6dd89f2334a3df11ab2b381866572d604f581fd
0|2022/10/20 16:09:06|KB5018410|d27bab48a3d52dd279a60467a554fb5145e796a6
0|2022/10/20 16:09:06|KB982573|62a01d14af223e0ddeb5a5182e101ebfe1b12007
a@b:/home/test# sqlite3 /var/ossec/queue/db/003.db 'select * from sys_hotfixes'
0|2022/10/20 16:58:18|KB2468871|8f99821b9e79bc2258cb56cd14cfcaf9bbeda8e5
0|2022/10/20 16:58:18|KB2478063|8511235ae3ab3b642d8ba429599092634fdde3a8
0|2022/10/20 16:58:19|KB2504637|2878a010b14cc0f1c864a846bee59eea0ec61ba6
0|2022/10/20 16:58:19|KB2533523|b8c4cb9a2aeb6a64269e88f6116765420a65cd80
0|2022/10/20 16:58:19|KB2544514|8e468309f00c0f31b8a0f12a6a79d2658652e9e9
0|2022/10/20 16:58:19|KB2565063|54c29c08e09e08e655f6f45979bef8ace970720a
0|2022/10/20 16:58:19|KB2600211|cb13c01ba11045aabbb074fc3e61b0a3b2d88dd4
0|2022/10/20 16:58:19|KB2600217|8253af775746f8545784d27edb852281c9a06955
0|2022/10/20 16:58:19|KB2726958|3388fbbde6dec033164d31779bbc8c5dd6f74b12
0|2022/10/20 16:58:19|KB2760344|d02c1e2330a8eae980c1939bc93e11b692a09e54
0|2022/10/20 16:58:19|KB2760371|ce8fda0b8591257bda7cc13c5fa6ae7bce1587d0
0|2022/10/20 16:58:20|KB2760587|635329196f64a43fa7928fe03e4cc3b0d666e224
0|2022/10/20 16:58:20|KB2817301|ca0604788ee7c5b1de5af4d5a84c89b21c78d5de
0|2022/10/20 16:58:20|KB2880463|556ba47ac6bf3c91a86d2fdcda2f5c2c81ddf9de
0|2022/10/20 16:58:20|KB2883095|1b2261056d0589a9bd2ef7b41f70a250c5d91f60
0|2022/10/20 16:58:20|KB2889863|82194641f309d8e4999f7dcc5ef8057a33ab8a77
0|2022/10/20 16:58:20|KB2899522|a3da30ebde36b0afcb97113222c16cda8857041d
0|2022/10/20 16:58:20|KB3023049|130339d5fd9cad039f74f72bda099de1c93b0fdc
0|2022/10/20 16:58:20|KB3023052|63ad8b175fe25abe0f2345312eec1ba4c9541f94
0|2022/10/20 16:58:20|KB3039701|2cb10b755c00153edb2c21bc2a500e031718c8cf
0|2022/10/20 16:58:21|KB3039720|491e931df32f273f859e9129ae3204c2e5152fbe
0|2022/10/20 16:58:21|KB3039746|c7b17feff909e47e93c53c20ebc597e8b9351d62
0|2022/10/20 16:58:21|KB3039756|d473d510e994671b3e38908f590385680c7b5e89
0|2022/10/20 16:58:21|KB3039766|479f93e3f356908a141aa7d1c280c844614615d0
0|2022/10/20 16:58:21|KB3039778|d0c11120eed065e81fa394ffa8dc3283f5ac9176
0|2022/10/20 16:58:21|KB3039779|b256eadd61b4ae14aa9ce1916118e91eedf371cc
0|2022/10/20 16:58:21|KB3039782|ad71a85b0f9ebd35e9a4017ee8939b0aa6a3a629
0|2022/10/20 16:58:21|KB3039794|31853b7b86610e5715008e3dfaae3adcefcd9ca5
0|2022/10/20 16:58:21|KB3039795|45cd3b61a7eb6712a8a847b71d0d891c358d3c80
0|2022/10/20 16:58:22|KB3039798|dbb2e1bc9c93a9a3dc501d18c3bca09e25d1c838
0|2022/10/20 16:58:22|KB3054793|b925a035a460780a84ca48fca5d27e4c8bd70b01
0|2022/10/20 16:58:22|KB3054816|e719e9b457d67942260fb4aac0b2d8c61482edbd
0|2022/10/20 16:58:22|KB3054819|255823067fa9123f980e8d3f6f5fa1ac60f1eab8
0|2022/10/20 16:58:22|KB3054854|1ab6f64aae629dd1179a75445c01025ce0f67fbc
0|2022/10/20 16:58:22|KB3054856|5cbd35445487aea2b0d6e543ddeb3bbc6260642d
0|2022/10/20 16:58:22|KB3055007|eafe022367f6e40c1636c12ec84dd043f5970fd5
0|2022/10/20 16:58:22|KB3085482|689ba68e2e9e121fe0619c22a9768d1af5b9930b
0|2022/10/20 16:58:22|KB3085561|36bb35ce5b60ca915cf3d83f6e7bb4be1773c7c6
0|2022/10/20 16:58:22|KB3085565|0b254a67f3c0d5e8b5f27ea4a065d7128d7d19fa
0|2022/10/20 16:58:23|KB3085578|9f19d595b73c2fe395c252645b3608c547619afe
0|2022/10/20 16:58:23|KB3085587|0d60d7381521cf59d99b0eb5ec3ccbb0cd721808
0|2022/10/20 16:58:23|KB3101487|90f06c8b67ff66650ef93e98d505b57c6f5a2b7f
0|2022/10/20 16:58:23|KB3101503|324b1bb6a5fd3725f84cc5d33cf746c8d4fcad73
0|2022/10/20 16:58:23|KB3101506|698efb016cec309c224f33ae087c21ea551e7711
0|2022/10/20 16:58:23|KB3114329|9c4d910a833fa3f109058fb02a7415a8910992f8
0|2022/10/20 16:58:23|KB3114488|4680f1a4ce585a1a47c34d0d0c35876d21969822
0|2022/10/20 16:58:23|KB3114499|2464025244f61145913de0b60dc84da52ece411b
0|2022/10/20 16:58:23|KB3114833|503ac37eb37ae6b88cc3828458338a2b1a5ccada
0|2022/10/20 16:58:24|KB3114946|bb1b5c55160d49b8ae37b34b40f1abff59cc68fe
0|2022/10/20 16:58:24|KB3115153|db317d0fca6dca5f5f0b7198b0821e7f04088bd1
0|2022/10/20 16:58:24|KB3115256|806cd732c559313fcaf0b6165fa7ea83e75aaa6a
0|2022/10/20 16:58:24|KB3115404|75791b6f057953262f16a29e751acf0d28fa2955
0|2022/10/20 16:58:24|KB3127916|f3b01a5897c7c544bf204fcfe210575e1f0bfe14
0|2022/10/20 16:58:24|KB3162033|100eba8c4401993391055c6ef63300395a8bdad1
0|2022/10/20 16:58:24|KB3162051|6eccbfdb6623cebb71b0ce5dc0fc5fa61e0bcdca
0|2022/10/20 16:58:24|KB3162075|de56bb413e9792f2e0d18e5cf04b3654de820769
0|2022/10/20 16:58:24|KB3162081|b917bb756c630cef6327bc021b967a1b3d1c983b
0|2022/10/20 16:58:25|KB3172443|52933eb47b27bf021363cf6ee2558c4fbab08533
0|2022/10/20 16:58:25|KB3172459|b662d1563a2eae20eef7ef04d6ab1bf6865b6c9f
0|2022/10/20 16:58:25|KB3172471|2b6a932090fadc0e6ac3591c1b3e9d5c8517870d
0|2022/10/20 16:58:25|KB3172473|0592a64b67426a793a971a0dd5b930cd3db445e7
0|2022/10/20 16:58:25|KB3172506|041ef4115ad1b07259e1d97bc1a1622a605bfdd8
0|2022/10/20 16:58:25|KB3172510|05c33bd0bf228dc5513ae24495838d15adf63961
0|2022/10/20 16:58:25|KB3172514|1ccf6edbcd5a867aa694dcffa32df237cd4f0ca0
0|2022/10/20 16:58:25|KB3172522|b0948c706fc48aed3720cd309dcf677073305f80
0|2022/10/20 16:58:25|KB3172523|948350f674931519f9d6737e28db2803ff79a57a
0|2022/10/20 16:58:26|KB3172533|76319c61f4fd0ae8c309304eea416fed671d6a67
0|2022/10/20 16:58:26|KB3172545|86135ab06e795b468f5debdebf5d2b550b883ddb
0|2022/10/20 16:58:26|KB3178639|1801681e3ae2b8c254d5a962a5207a5908394cfd
0|2022/10/20 16:58:26|KB3178640|92e6011dd6c0a8560a30a54fed7b4eea34b3ff94
0|2022/10/20 16:58:26|KB3178643|d9c19a675b47eab9191dd4fa7d0f9d33b1a7d9a8
0|2022/10/20 16:58:26|KB3178712|cc4f624b73175e8aaf348d8faeb7138c38b1650e
0|2022/10/20 16:58:26|KB3191872|e55bb949115dff775d2f51af5c89a529c04e9857
0|2022/10/20 16:58:26|KB3191937|94f75ee76f6b587f50dc713e78f0163571822fad
0|2022/10/20 16:58:26|KB3213536|dad102c9c1851a9d63d3c0362a006a47e99fd8df
0|2022/10/20 16:58:27|KB3213564|e78c78b79b487a3a6d805d15b311bd6728542990
0|2022/10/20 16:58:27|KB4011069|e7a977abbb9ef6763ddd02316f87237e8a6acb2e
0|2022/10/20 16:58:27|KB4011087|fc822fcc168c9fe28f9773e914481c8b11d4e2fa
0|2022/10/20 16:58:27|KB4011104|ff6cb5b64660d3ba27849b3dac3887bb7c4d0883
0|2022/10/20 16:58:27|KB4011155|24a347dc6472f0c5538aba6eafd7bf2b3438169f
0|2022/10/20 16:58:27|KB4011281|6b04e1bdc01bf548540e7ed3e625ef629b7c2c48
0|2022/10/20 16:58:27|KB4011580|cb2bac57fbd2f27d810335386eeae24b337c0e54
0|2022/10/20 16:58:27|KB4011677|e1714c5d299030e999c9b6bce5d37ff671d0ff8e
0|2022/10/20 16:58:27|KB4018289|fe391b3ca2121829e73f68f77bec833863ca46f1
0|2022/10/20 16:58:28|KB4018300|43f52f534e585d76af076bbc39a9d77628d95488
0|2022/10/20 16:58:28|KB4018330|6f996494bf35822617285249af4b8a11a1332b51
0|2022/10/20 16:58:28|KB4018332|bd6cc7c7580aba8eb4979f795ee8e0683e32567d
0|2022/10/20 16:58:28|KB4018333|5ed49673b7a2fb9e4a3125c1ced0d4fb92aca5c7
0|2022/10/20 16:58:28|KB4018351|c8a24f0fab24868184ecccd714e74c4005f4f437
0|2022/10/20 16:58:28|KB4018375|13cbec2151e4986db80b03af64a6a94c5a4ecda2
0|2022/10/20 16:58:28|KB4018374|fd5bd5ecb54cb5c651266dd00fdffc006f47d392
0|2022/10/20 16:58:28|KB4018378|b98b03c91a7fda6e1847768b06422ae5e4c61cf2
0|2022/10/20 16:58:28|KB4018387|a1f5974d682c9ae6651332713d9cd24cb94e889a
0|2022/10/20 16:58:29|KB4022166|217640434c321bba206dbeadd884d852705c8e9c
0|2022/10/20 16:58:29|KB4022169|0700717489831cabce634ec9d4f89c6818ef0181
0|2022/10/20 16:58:29|KB4022171|1a3d60e84655cbe8748bea002a3edc0244815801
0|2022/10/20 16:58:29|KB4022181|290aed038e76cae25e370a46ddf0f95ad54aabc1
0|2022/10/20 16:58:29|KB4022182|5a363ce2b79e5792e43591faebefe72f8d242436
0|2022/10/20 16:58:29|KB4022188|105e051cfbf76bcf4e3b2e4ebbda50aa0e01b1fd
0|2022/10/20 16:58:29|KB4022189|d73956c06fce50ed3e2774b258f1b81d0eeaa1d9
0|2022/10/20 16:58:29|KB4022191|82a6dce6bd7ab75308961073fcfad1fbc23a09fb
0|2022/10/20 16:58:29|KB4022212|8a9d841cffde0ee1578e4c1a180d349600b98ffb
0|2022/10/20 16:58:30|KB4022224|f875a63b7004c273fa566b092f469c96be577933
0|2022/10/20 16:58:30|KB4022225|178c3cf6bf7d3513fd5789665e3da65123e5abea
0|2022/10/20 16:58:30|KB4022226|c55d5dc755cdd66c6a1d25b8471a31be2043d4d2
0|2022/10/20 16:58:30|KB4022227|5844fa40beb44aa4370a2cf5b8dd743d09265896
0|2022/10/20 16:58:30|KB4022233|bc14f64a3a5c030adf811b2e2ae1f815a1147261
0|2022/10/20 16:58:30|KB4022237|914abab7b938f35e55f912a3fb6c0d5aedb87414
0|2022/10/20 16:58:30|KB4022242|989e0f10eef9ad548b7ee21af1bdbc098e464c8d
0|2022/10/20 16:58:30|KB4022244|69f5a1d6ac225c3e3d9ffe5dadf9b217ac56f850
0|2022/10/20 16:58:30|KB4023057|91418b42c05d4f7f36ff48da7bb0923e93fde4d8
0|2022/10/20 16:58:31|KB4032239|8ce1918ae1d21f253fc00d0284327674ab9bb84b
0|2022/10/20 16:58:31|KB4032240|32c5292995b2713574ac6000c17d126e5e0d4dc0
0|2022/10/20 16:58:31|KB4032241|1b257e395a4512b32368c5daddb627388b21f9af
0|2022/10/20 16:58:31|KB4032246|d6ec71e0a2206568a9189ce3f866b56e76eb8b2c
0|2022/10/20 16:58:31|KB4032250|b32ede9b0d1cb50292930a79466ddaf46c76a97d
0|2022/10/20 16:58:31|KB4032252|dd9f54b1f59fc2a0b161df3c2b5a966b28e229f6
0|2022/10/20 16:58:31|KB4092453|be9bc65802189120692aec5ec6e9f92696250e4b
0|2022/10/20 16:58:31|KB4092455|6df004f7d665bf2155395926ec8b2e8f395c8d73
0|2022/10/20 16:58:31|KB4092457|62bd1eadd886ea2391c8637bd986c18983c61cc9
0|2022/10/20 16:58:32|KB4092469|c660befa7d1f318e642c4224ce759d51991969f2
0|2022/10/20 16:58:32|KB4092479|8d4f44b3ad67046fad3cd2703b34eb1cfc0cbaf6
0|2022/10/20 16:58:32|KB4092477|19ffc409eb8715fee6bc2178d126b0a3f50518ec
0|2022/10/20 16:58:32|KB4461444|f5c3adf1c5f96789597e4e1ce7b1e0002a870c37
0|2022/10/20 16:58:32|KB4461445|4ae7a90c12b8620ede0bffa382f71fe283258b0a
0|2022/10/20 16:58:32|KB4461446|643b1a8bf24225b76a217b681165e0146e0b3799
0|2022/10/20 16:58:32|KB4461457|9698a381296cffd4d45c0f51e8d262ca6f0c8b78
0|2022/10/20 16:58:32|KB4461460|9d5f1b62edf2379799ab832396b42276eab846b0
0|2022/10/20 16:58:32|KB4461481|e1e3ce55fec245d68e29910aba6117f869d7594a
0|2022/10/20 16:58:32|KB4461482|745a41b4d989a805af1e631f2a4d426ab0fe7062
0|2022/10/20 16:58:33|KB4461485|edc8e2f63c7000afbe4d3e3367726ee39c542d2a
0|2022/10/20 16:58:33|KB4461486|8d1e120a949c17cb3667df45960d8d9d84e974c7
0|2022/10/20 16:58:33|KB4461487|d466caeb43f26eb4c8ae7b35aedd8d0f8d2ec397
0|2022/10/20 16:58:33|KB4461488|38c33d7a14b606173cb1f39134e1c1acfc789a65
0|2022/10/20 16:58:33|KB4461489|b649fe27b31941ec1d7e50f5f318bec02464165a
0|2022/10/20 16:58:33|KB4461537|cb07882ccad1b3da7e18e6a399ac5e7b5a773736
0|2022/10/20 16:58:33|KB4461556|a7460f138c65f8c89d049b736cdd10df317e7205
0|2022/10/20 16:58:33|KB4461550|2d458dd8c406779b69eb90d38c774b670ef57cba
0|2022/10/20 16:58:33|KB4461557|850fb95a882bc407063fd9c3d8d8e5819054a2fe
0|2022/10/20 16:58:34|KB4461559|d021cc8084fab2c6eeb3821734dd92d90b82f7d3
0|2022/10/20 16:58:34|KB4461560|ff133e10e8238f91170e551f3f626a3485360f86
0|2022/10/20 16:58:34|KB4461590|a755cd0ca75a697ed2c80017291544230f0c5540
0|2022/10/20 16:58:34|KB4461594|4a84eb8aa95e8114491cd255c2db1d3d85f36852
0|2022/10/20 16:58:34|KB4461595|44bdc4adc3625fda1ef9616f737ef1b41b7e4230
0|2022/10/20 16:58:34|KB4461597|5a82cfc3fbd08584dee5de6ec5dd5542f0d00c7b
0|2022/10/20 16:58:34|KB4462135|f1309cade88426df72a3911f4c9a62376578c866
0|2022/10/20 16:58:34|KB4462136|22e3d84d6d87f77ea53dafdd37fba985a298fc45
0|2022/10/20 16:58:34|KB4462138|4cc14a0835d1f7022854c154ed19e057eeb1af5e
0|2022/10/20 16:58:35|KB4462140|ab6c1a4184e579ab03801db8fe379ab72378e19b
0|2022/10/20 16:58:35|KB4462141|6b6abce5c1111bb19c3b594e5d0b2f98d64eb87c
0|2022/10/20 16:58:35|KB4462142|2be552a0611fd24d470bf101b298ce7701c0a1fd
0|2022/10/20 16:58:35|KB4462200|71c8dbcb632824b9fec5774fb8f1ee93ff4f9d3d
0|2022/10/20 16:58:35|KB4462201|aadb4e54b317f460058f571ec49dae1827a7a4c5
0|2022/10/20 16:58:35|KB4462203|ab6e7942769de7a04ff27eb0fe4eafa25d21a6e4
0|2022/10/20 16:58:35|KB4462204|3818eefc0363864a6107c76c285f7332fa91e5dd
0|2022/10/20 16:58:35|KB4462205|16c7438f5ea1852b235257c2f98dd42352b209eb
0|2022/10/20 16:58:35|KB4462206|2a6c717e078080c8b5625ae152975292f05dccec
0|2022/10/20 16:58:36|KB4462207|a519122c9232e2b663810e5ff63c99ac291c7ab0
0|2022/10/20 16:58:36|KB4462209|7e57f18ed6e903c1746a0d63f28f93347486ed1c
0|2022/10/20 16:58:36|KB4462210|cf24d630ca2134539811ecf1170cdaf1d4a3e675
0|2022/10/20 16:58:36|KB4464504|441aaa31caf32b76fe7e946d19e00f417fca730a
0|2022/10/20 16:58:36|KB4464507|2562ab3d9cc74f781ba34f700ef7eb1a59c3a6ef
0|2022/10/20 16:58:36|KB4464542|e391ade317e58deb6ae1df9f7dc2e65c74d49c75
0|2022/10/20 16:58:36|KB4464543|c1d85b274294b8c489b258109185fa887d29ea22
0|2022/10/20 16:58:36|KB4464545|def14b55582c6fbbe91e69bd7cfb24dd659a20a1
0|2022/10/20 16:58:36|KB4464546|2abc71eae68aa91dbe5d3d6569b97e96cace2422
0|2022/10/20 16:58:37|KB4464547|4166f9bb8ee6d947d9c38839c218bd5b8d23d159
0|2022/10/20 16:58:37|KB4464548|9aa0898e8adfb3cf2d46753bf64fa90de0130092
0|2022/10/20 16:58:37|KB4464558|2ee4c1e47739d76f9c012b79c0e722f05ca37250
0|2022/10/20 16:58:37|KB4464561|a7538d662929c008a404b5217de80441680735f6
0|2022/10/20 16:58:37|KB4464565|09fbd18a9eb1e9193ad625eb1f6e8373a57df0a8
0|2022/10/20 16:58:37|KB4464590|a22fa1006b5f0ec0d68eca65dd316a97cf48fca6
0|2022/10/20 16:58:37|KB4464592|5fc924a392ce1d5d82edb7b0442ab8013b030e6b
0|2022/10/20 16:58:37|KB4464593|30d85fd08f8af4137428e13bc6486d46cf7c50bf
0|2022/10/20 16:58:37|KB4464599|fa0c483bf9945643097154bddca634b70bfa5f9d
0|2022/10/20 16:58:38|KB4475519|dc4f2593a205808bf08bafdbead11d8c8065c826
0|2022/10/20 16:58:38|KB4475525|e256a5d3f25b51b918a726269eb75d6aec8f2590
0|2022/10/20 16:58:38|KB4475547|e93e693de660fca49168d0f81c2225979f1034ca
0|2022/10/20 16:58:38|KB4475556|263ca18229876065e92e83667bd893cdb914d231
0|2022/10/20 16:58:38|KB4475558|a530272bef883431ff4d1aa8a6c6bcfe6b2682e5
0|2022/10/20 16:58:38|KB4475562|f3a517ef720e18e627bec6e500b9853d22b347af
0|2022/10/20 16:58:38|KB4475563|efaa5496ec16d2b12985969722f4b4db60007827
0|2022/10/20 16:58:38|KB4475564|9b0454d39b70a13bad0818f4b5a1f2d62f45837b
0|2022/10/20 16:58:38|KB4475566|f933b18f7215abef34e631bb1138ba0484e9b7ed
0|2022/10/20 16:58:39|KB4475607|7a1dccebcacb61b5dcb4572f75cac0e07b1b59a1
0|2022/10/20 16:58:39|KB4475611|ffea24a0d045a26a0477121e955157c58999918a
0|2022/10/20 16:58:39|KB4484094|4f5342f9f36c8eee8fa00f3d23c40eb794a3603d
0|2022/10/20 16:58:39|KB4484096|bfab0197b6cc753fd96e8da02bd9a50b65402cc7
0|2022/10/20 16:58:39|KB4484097|9362c680976432372bcf6272b0657354c9681d3c
0|2022/10/20 16:58:39|KB4484108|9dd4f680af28ed64d2c7c0c6fe2f54a6dd60f486
0|2022/10/20 16:58:39|KB4484117|5ecfc909b451c75e70570dd139beb827770d534d
0|2022/10/20 16:58:39|KB4484119|ec2b9151a8cf54b1622f91f8033d52cc9ebd737b
0|2022/10/20 16:58:39|KB4484123|b58b52a0a6667c57b5327eb9746efb1f33de3238
0|2022/10/20 16:58:40|KB4484125|b730e3e61bcc90b76b1392e73303d60190c36d91
0|2022/10/20 16:58:40|KB4484152|01bd2c3568d926be475271eda5bc1df8c230d10a
0|2022/10/20 16:58:40|KB4484156|95ed3d5760ca67247b247e190467ce563cce55de
0|2022/10/20 16:58:40|KB4484158|3b4d2bb8be51e7e439a5453588e30dbd5801dbe4
0|2022/10/20 16:58:40|KB4484184|9e779c6965e8edeb4c8ad8fbb0c306125e69cb7f
0|2022/10/20 16:58:40|KB4484186|a2eb1ccd0466a8fd07fbe08b53583ea636c64f83
0|2022/10/20 16:58:40|KB4484226|e9ede46ad5f909c2207e2e6304bebcd13876b168
0|2022/10/20 16:58:40|KB4484190|c8462cd334738244223e5e6f664df8bc8a425e21
0|2022/10/20 16:58:40|KB4484227|75742532e61a69c1617ad79bf53d9efd1b608dc9
0|2022/10/20 16:58:41|KB4484229|4e8feba910627fd6530fe0373f241295bea1dc79
0|2022/10/20 16:58:41|KB4484231|6e85f85b84e87c857549e5650f3f28e6fbfb3d0a
0|2022/10/20 16:58:41|KB4484234|bbb783db6d950bd587abdd9a32fadb9aaf0f95b8
0|2022/10/20 16:58:41|KB4484260|010aad7be53bd9a6555a242882ea52b8ea8a0884
0|2022/10/20 16:58:41|KB4484265|39b895ecab975f3fbdbccb9f6c31138c6d1a5015
0|2022/10/20 16:58:41|KB4484281|d7388be49d86368ff5d7ba8db7940d1b497aab80
0|2022/10/20 16:58:41|KB4484283|2ca98989f6deee1994f4d0bd25f4ee9fbc430d49
0|2022/10/20 16:58:41|KB4484289|dc808eaa8c7199483a32d9fbc69824710a17e60c
0|2022/10/20 16:58:41|KB4484319|f53621f83faf1befb3641b8b7efb5a9d5000309a
0|2022/10/20 16:58:42|KB4484347|9ef9e89fcf87dd7e6d41692c53610f69407f6d9a
0|2022/10/20 16:58:42|KB4484349|3f34d971a580a2b39448eb78ae533ffb56f2b298
0|2022/10/20 16:58:42|KB4484351|dc3fec8a98c4aff0bfdccbdd4903a2aafb067892
0|2022/10/20 16:58:42|KB4484354|07e6aaffb1815e48bafbaa7c8be6cb7b1d8af8bb
0|2022/10/20 16:58:42|KB4484356|e37905b37f4123681dbc5d1ff5b6545212095839
0|2022/10/20 16:58:42|KB4484359|063ba71151e6386131708ab8bbcb3d3bf21ad8da
0|2022/10/20 16:58:42|KB4484361|d9de8efdbce3d37d701fe12b7859931f2fcb3ac0
0|2022/10/20 16:58:42|KB4484363|2f68293ecaf26af4a2dd6a83b18513f06ce1a25f
0|2022/10/20 16:58:42|KB4484365|5b430c8e6950da072a4b481b7901cad8babbe9b8
0|2022/10/20 16:58:43|KB4484366|a8ab1157153c44fb2bba6d2e2630a12444d453ff
0|2022/10/20 16:58:43|KB4484369|dfbac925fa2371c7dc6f61626716b9fd3bf44418
0|2022/10/20 16:58:43|KB4484410|3fa27646fb15a8beefe90843a1bd494fa7fca63d
0|2022/10/20 16:58:43|KB4484435|934255040d685649a164290b6355352b9e2b7f06
0|2022/10/20 16:58:43|KB4484442|af3d05e3cc91c0a2d08b044c6de9acb9985419c6
0|2022/10/20 16:58:43|KB4484446|64ef336262b47090b5ff2de7fc3b1caed1458f63
0|2022/10/20 16:58:43|KB4484449|3b753c86766cc980e399e62d75fd351344f95b5e
0|2022/10/20 16:58:43|KB4484450|3a6d38c64b9c964302ff2b2f91e96edf761e5d16
0|2022/10/20 16:58:43|KB4484468|4c3c422ca40f481e607717625bd7dd14bc50ca8d
0|2022/10/20 16:58:43|KB4484469|45252e412e0105a8cff24780ee0dbaab5373b5d0
0|2022/10/20 16:58:44|KB4484484|41d6fab9cd1335f74f0380e88523c74bc27f7285
0|2022/10/20 16:58:44|KB4484486|cec28d23f17daa0689f3f4df1df84b94460a32a5
0|2022/10/20 16:58:44|KB4484517|221aa9d97df40f31931045a5a8ebb84f684a3cde
0|2022/10/20 16:58:44|KB4484520|17a42768b6a93d09933059d531165709cbd03918
0|2022/10/20 16:58:44|KB4484522|20f65a02656271e0c94a7be4ae0f892a98a113d6
0|2022/10/20 16:58:44|KB4484524|b7a92da58d05b6ce6642736469f2b5236dd591af
0|2022/10/20 16:58:44|KB4484526|fc822a0d6f600b65f30c08eaa93165ae78241f34
0|2022/10/20 16:58:44|KB4484527|2c8bac7cd689c38d25eab090c75f12ad797ed9ac
0|2022/10/20 16:58:44|KB4486684|24fe6152a66beecdc9e7266eedf5c8311fffddd7
0|2022/10/20 16:58:45|KB4486688|e8cede820d0811680327aa9d1d600c02e14bd533
0|2022/10/20 16:58:45|KB4486692|8d4e88e57a3a1f3521d8dde1cc4b746a846732d8
0|2022/10/20 16:58:45|KB4486695|9a79821f26f96067a17a385a63a4d8ac6bd2b430
0|2022/10/20 16:58:45|KB4486725|4d2d5de915280a1b3eb07e0f4691f518ea4577c1
0|2022/10/20 16:58:45|KB4486726|331397364883c390db4cdb1a1ff41fde68f039fb
0|2022/10/20 16:58:45|KB4486730|23c99a8d64379a85eb9e87ea4270243aff77f558
0|2022/10/20 16:58:45|KB4486732|2c75efd1595477ef14dbb2124a4e31006459b901
0|2022/10/20 16:58:45|KB4486734|9d583791310499637568c3bddc792d3f8f892ac2
0|2022/10/20 16:58:45|KB4486759|50ec627fff3b73dfb0695702d91ffe9ff7012e48
0|2022/10/20 16:58:46|KB4486762|a05355cdff03271243baa64d8f61b065c64f8013
0|2022/10/20 16:58:46|KB4486764|09049424d46132842da586d9637402420c8623a1
0|2022/10/20 16:58:46|KB4493139|0acef2d3cf6e89364151aafe8f38bfb438263194
0|2022/10/20 16:58:46|KB4493169|a9a41787fdcc76410ce0b9be87ddd7cc87e1ff04
0|2022/10/20 16:58:46|KB4493174|be91d2272300fd18701cc20f044b12b9b3c7f597
0|2022/10/20 16:58:46|KB4493203|1a47d1ef0b05687b848f945d0973c115e17f8f65
0|2022/10/20 16:58:46|KB4493176|f416c1a47d36b66a069850d3333ea8a1a54d67b6
0|2022/10/20 16:58:46|KB4493206|e8b5f448d49bb7baa721aec1b6a7adf023bc9f09
0|2022/10/20 16:58:46|KB4493208|5f39fa7e55f1e88a50a66e2a47fba13cfdbc0aac
0|2022/10/20 16:58:47|KB4493211|62e5e82245893e6993addb4840ff88a9c85adb51
0|2022/10/20 16:58:47|KB4493227|202a9d8cfd881103b0654c01d72f1ec685b132b1
0|2022/10/20 16:58:47|KB4493228|1ad1f799daa3f2e1e3026001c219bb8d360914dc
0|2022/10/20 16:58:47|KB4493239|8fe913ec335c6ea340a367bc09f9fc33e21c82ce
0|2022/10/20 16:58:47|KB4504726|3fdf089957f2a69df3a5f517a23b815fa42ce2e9
0|2022/10/20 16:58:47|KB4504727|6b92e7f5f258a162ccd4079702f137193a864271
0|2022/10/20 16:58:47|KB4504733|c4534f6bc86d0217e7bcc0ef17106d698c9270f5
0|2022/10/20 16:58:47|KB4504735|f66e83f018ba0ec114af0e5b9e45d28571df3247
0|2022/10/20 16:58:47|KB4561600|4a46ec34de66b8706a5a67d8e60f9b56ff2f5d85
0|2022/10/20 16:58:48|KB4562830|c651fa941c06383364d7d47f8d7046499cc099fb
0|2022/10/20 16:58:48|KB4570334|a5a1387f72c6d3a521d48be52b8184de767091be
0|2022/10/20 16:58:48|KB4577266|398b71614c444e7755a89c5c6e02e99410ed5a5f
0|2022/10/20 16:58:48|KB4577586|5c4da70cbf846d4c84b94bee7ae7bd4ca5957d93
0|2022/10/20 16:58:48|KB4580325|971b360361a480d5a5be94a472dd8cf2d01ef4c0
0|2022/10/20 16:58:48|KB4586864|8f903af78d034ad5ef638fec4cb9bde00f06fc9d
0|2022/10/20 16:58:48|KB4589212|52f4885f77feb3e0733eb5641efce44219b1b55f
0|2022/10/20 16:58:48|KB4593175|acbb733b975f9f5ce8318e9e6f0afab3bcee30ec
0|2022/10/20 16:58:48|KB4598481|8de4e665a0f9a06fae122d8bad16e2979686d679
0|2022/10/20 16:58:49|KB5000736|668f68e501900d6b25e070caa0239e302e29a8b5
0|2022/10/20 16:58:49|KB5001925|bb4ca30030803498004ef4c36eea5675db896904
0|2022/10/20 16:58:49|KB5001927|5c160c07f1e50fdca493d029a2b5c9102fdfef99
0|2022/10/20 16:58:49|KB5001931|1bb0cfcdaec762f9dd7f0bc0dc8217210eea4878
0|2022/10/20 16:58:49|KB5001934|7d6da0998d6f582ac565331b6707cbcf015632ec
0|2022/10/20 16:58:49|KB5001936|42b5825d7582d87e18af8a80df31f1cbf4b41678
0|2022/10/20 16:58:49|KB5001937|51a0e6ed6d35e590502301f19396b42d0a4edd0d
0|2022/10/20 16:58:49|KB5001953|9424a70c3431b18a7c0ba5051cc34f4dfa0524ce
0|2022/10/20 16:58:49|KB5001955|5d9da4a33a407923e65a0c944131dc79f1646eef
0|2022/10/20 16:58:50|KB5001958|58eae72b8307ef92663d4b2c4fae1d9b925f7cc6
0|2022/10/20 16:58:50|KB5001960|6795504a7e6c6703b19fad60916cd1030fb0aebc
0|2022/10/20 16:58:50|KB5001963|6052a893e2e810e1d795d6df9113b1779ec9948e
0|2022/10/20 16:58:50|KB5001983|fc6e6714d3f6439d7d927f52d684930c846260a7
0|2022/10/20 16:58:50|KB5001985|df44696dd9ab39c5e18dd89ba7c7ca0278d4c7cc
0|2022/10/20 16:58:50|KB5001990|6eb3e07e906f14381598b8558800c8402fe93f95
0|2022/10/20 16:58:50|KB5001993|d41ad90aa072c74efc06f564ac80b3a7d258b41b
0|2022/10/20 16:58:50|KB5002007|cb2f10431505c49f5f0164d4269f0ed4a8d68e04
0|2022/10/20 16:58:50|KB5002014|a8cfb43c68f3722052079aa769a836b4175a1055
0|2022/10/20 16:58:51|KB5002035|6479bcf1a3784385b91ad3306775a0f019d9e217
0|2022/10/20 16:58:51|KB5002038|6c3f86c68018e84db690a3ee238dc43f95e67c4f
0|2022/10/20 16:58:51|KB5002043|bcbd47943b6b6454705d9334e4150c0c577e9070
0|2022/10/20 16:58:51|KB5002064|e121aa09c519eace828e896a3f85065067556381
0|2022/10/20 16:58:51|KB5002068|7bbff12ba9f89c6c71c31abc656ebde5b0731280
0|2022/10/20 16:58:51|KB5002072|f7b06732ee86586e3de8769e4192fe50e701fc08
0|2022/10/20 16:58:51|KB5002101|4cc0dcc44ff95885931d6732c9df470deedf6cd9
0|2022/10/20 16:58:51|KB5002104|f18d9e0c4053ad4a2fd0139ffd58386fa9deba00
0|2022/10/20 16:58:51|KB5002105|2ab99e4f3dc01d73278b5b8a93b0001ef9d54d6a
0|2022/10/20 16:58:52|KB5002119|62a489808dd5c42d7ae3578c5941fb691ae2bda6
0|2022/10/20 16:58:52|KB5002121|18260183a0547043d430087dfec6d22c56a626ac
0|2022/10/20 16:58:52|KB5002124|abc1c779bc13ca78d0b02829fb30d73f2bf63ba8
0|2022/10/20 16:58:52|KB5002128|bedb0921869e872e391b2da9a6c3cda38033f441
0|2022/10/20 16:58:52|KB5002146|ef4ffbae634438e948b1993f4abcf4771f5bc35b
0|2022/10/20 16:58:52|KB5002148|2e51fe7580261d8e9011b952d6481fba75fe143f
0|2022/10/20 16:58:52|KB5002151|3a6950d3c23da2fd66f58843b8f88c446b8fc7d9
0|2022/10/20 16:58:52|KB5002156|2f095fc482dbb57a4770af513530667c3e7f3009
0|2022/10/20 16:58:52|KB5002166|096438f22a201db08fce3241ac962cd7e7c46bc4
0|2022/10/20 16:58:53|KB5002175|070cf3053383e0902e4e9f85839edb896c3c76dd
0|2022/10/20 16:58:53|KB5002187|e809421791c2bef103a463d80c52e9f5cd371db4
0|2022/10/20 16:58:53|KB5002204|8124cfd2659f42ad11160429e7d66d0d5423727a
0|2022/10/20 16:58:53|KB5002220|dc9ab50a296bda446298a92cf998dcc875af8a05
0|2022/10/20 16:58:53|KB5002242|73c16687d9de6bfc98558e3a7fb863eae3798e24
0|2022/10/20 16:58:53|KB5002250|b37cfac8c77ca5319027cc8b276bde1b0b12f3c6
0|2022/10/20 16:58:53|KB5002252|5a50e1bc5ff5ab365e8349a88325d558c48a7b4f
0|2022/10/20 16:58:53|KB5002268|ad60de48121fdc8ed9712209f0923a06efa86180
0|2022/10/20 16:58:53|KB5002274|fa0670830e80a25998e5d38b7c1a43c8fba253cc
0|2022/10/20 16:58:53|KB5002279|e309ea2b0dac72c8cc62d46d0a391ffbee3ea8fb
0|2022/10/20 16:58:54|KB5003791|50c7785c386d7f479f12ed8860a22717394f6494
0|2022/10/20 16:58:54|KB5005260|d9fbc6a677f5fcbfd1bcf017d93f73c3cf991533
0|2022/10/20 16:58:54|KB5005699|607c96d9ee795a1d30612b9c34c3dc694f8a2c68
0|2022/10/20 16:58:54|KB5006753|8fc10cb0d891264a46701959bd7788ca88f630d6
0|2022/10/20 16:58:54|KB5007273|4283b072caae3a4bb06aa8ca98bf78752c731be6
0|2022/10/20 16:58:54|KB5011352|d0fa4dde12a3546b12e21c029517c55b962aa7e6
0|2022/10/20 16:58:54|KB5011651|f2b42d9990d2ceb12160ef911d068aa1e0637ccd
0|2022/10/20 16:58:54|KB5012170|d9e49825d14b5bbbf4b4aa4c499ae7f8121389a3
0|2022/10/20 16:58:54|KB5014032|85ade350889946e1c28e01e94c75b5244f9cc1d8
0|2022/10/20 16:58:55|KB5014035|369e18e8ac4a40b7b28bbc6dc7f57158ec552375
0|2022/10/20 16:58:55|KB5014671|00a1efe69901c2f06945ec10a6d5693caf1426d9
0|2022/10/20 16:58:55|KB5015730|6bc6c1c38194c1c18444ecf7248d0e1760cf4d0b
0|2022/10/20 16:58:55|KB5015895|b071d859c975cd82a1c18a01ca96a49c8b54a041
0|2022/10/20 16:58:55|KB5016705|4df135cb799f3942b346aa026dc4be3ab79ec4e3
0|2022/10/20 16:58:55|KB5017022|fd2f9d0c91b4236555299aa308ed2d1248bdff90
0|2022/10/20 16:58:55|KB5017262|5c1d6f7e495ccda4b439da08e748efd3a3570fd7
0|2022/10/20 16:58:55|KB5017308|ba743075f61a3ec94308d804571072238aba28a4
0|2022/10/20 16:58:55|KB5018410|d27bab48a3d52dd279a60467a554fb5145e796a6
Davide De Cicco
Oct 24, 2022, 12:04:26 PM10/24/22
to Wazuh mailing list
Hi, fast update.
I also tried to install wireshark on pc 002 and restart everything.. A new scan for vulnerbilites was made, but still the result webpage is empty.
Also, about the FIM, I added the paths before mentioned (to search in the C: drive) to the ossec.conf files of every windows agent (001-002-003) and restarted everything, but also here, no improvements.. nothing was found even if I added, modified or deleted files in that path. The connection between the agents and the sever is on and correct.. I don't know what else to look for :\
Anyway, thank you for your patience, I hope you can find some other ways around this problem.
I also tried to install wireshark on pc 002 and restart everything.. A new scan for vulnerbilites was made, but still the result webpage is empty.
Also, about the FIM, I added the paths before mentioned (to search in the C: drive) to the ossec.conf files of every windows agent (001-002-003) and restarted everything, but also here, no improvements.. nothing was found even if I added, modified or deleted files in that path. The connection between the agents and the sever is on and correct.. I don't know what else to look for :\
Anyway, thank you for your patience, I hope you can find some other ways around this problem.
I'll wait for your answers, in the mean time have a great day
Miguel Angel Cazajous
Oct 24, 2022, 3:41:36 PM10/24/22
to Wazuh mailing list
Hi Davide,
Ok, this is becoming strange to me that nothing seems to be working. Let's continue with FIM first.
I modified your setting to not include the whole disk, please could you test it?
Ok, this is becoming strange to me that nothing seems to be working. Let's continue with FIM first.
- What is the output of the following commands? (execute them in your manager)
/var/ossec/bin/manage_agents -V
/var/ossec/bin/agent_control -i 001
/var/ossec/bin/agent_control -i 002
/var/ossec/bin/agent_control -i 003
- Please, attach the agent configuration file for one of those agents that you want to run with FIM.
- Also, setting the FIM path to C may cause issues because the level of recursion is too big, please take a look at https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/fim-configuration.html#configuring-maximum-recursion-level-allowed
I modified your setting to not include the whole disk, please could you test it?
- Create a folder similar to this (Replace your user)
- Add this setting to your agent configuration file.
- Restart your agent
- Copy any file to that directory (let's say the Wazuh installer)
- Check the alerts in the /var/ossec/logs/alerts/alerts.log file in your manager. I would expect to see something like this. If this works the issue may be on the UI side.
Davide De Cicco
Oct 25, 2022, 8:37:30 AM10/25/22
to Wazuh mailing list
Hi!
<directories check_all="yes" report_changes="yes" whodata="yes">C:\\Users\Administrator\Desktop</directories>
<directories check_all="yes" report_changes="yes" whodata="yes">C:\\Wazuh</directories>
Regarding the FIM, I changed the paths in every agent config file (as you can see in the code section above) and restarted all the machines, and now it seems to work in 2/3 of them.
I'm not going to copy here the result of the command you asked for security, but I'll say that all of them exited the version v4.3.9 of Wazuh and all the agent had an active Status.
Also I would like to avoid publishing the conf file if possible, if you want I can just copy here some snippets of it, like this one of the FIM config of PC 001 (I changed some words):
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Default files to be monitored. -->
<directories recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$">%WINDIR%</directories>
<directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$">%WINDIR%\SysNative</directories>
<directories recursion_level="0">%WINDIR%\SysNative\drivers\etc</directories>
<directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\SysNative\wbem</directories>
<directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\SysNative\WindowsPowerShell\v1.0</directories>
<directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\SysNative</directories>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Default files to be monitored. -->
<directories recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$">%WINDIR%</directories>
<directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$">%WINDIR%\SysNative</directories>
<directories recursion_level="0">%WINDIR%\SysNative\drivers\etc</directories>
<directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\SysNative\wbem</directories>
<directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\SysNative\WindowsPowerShell\v1.0</directories>
<directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\SysNative</directories>
<directories check_all="yes" report_changes="yes" whodata="yes">C:\\Users\Administrator\Desktop</directories>
<directories check_all="yes" report_changes="yes" whodata="yes">C:\\Wazuh</directories>
<directories check_all="yes" whodata="yes" report_changes="yes">C:\\Users\username\test</directories>
<directories check_all="yes" whodata="yes" report_changes="yes">E:\\Documents\Username</directories>
<!-- Frequency for ACL checking (seconds) -->
<windows_audit_interval>60</windows_audit_interval>
<!-- Nice value for Syscheck module -->
<process_priority>10</process_priority>
<!-- Maximum output throughput -->
<max_eps>100</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_interval>1h</max_interval>
<max_eps>10</max_eps>
</synchronization>
</syscheck>
<!-- Frequency for ACL checking (seconds) -->
<windows_audit_interval>60</windows_audit_interval>
<!-- Nice value for Syscheck module -->
<process_priority>10</process_priority>
<!-- Maximum output throughput -->
<max_eps>100</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_interval>1h</max_interval>
<max_eps>10</max_eps>
</synchronization>
</syscheck>
Regarding the FIM, I changed the paths in every agent config file (as you can see in the code section above) and restarted all the machines, and now it seems to work in 2/3 of them.
The one not working (001) I tought it had problems with the maximum amount of files in analisys, the one you pointed out before. But now I tried to change it to a specific directory as you suggested (<directories check_all="yes" whodata="yes" report_changes="yes">E:\\Documents\Username</directories> <directories check_all="yes" whodata="yes" report_changes="yes">C:\\Users\username\test</directories>), and after restarting the agent it doesn't show the changes I'm making in that directory (adding a simple txt and an image file in both folders). The log file you mentioned only alerts me of the "Ossec agent started" event and it says nothing about adding a file.
Could it be a problem of me initially using more then the "set file limit"? I'm telling you this because before making these path changes, in the Web UI, under Integrity monitoring - Events, it showed this event "The file limit set for this agent is 100000. Now, 100000 files are being monitored and no more files will be monitored. Change this setting in centralized configuration or locally on the agent."
One last clarification about the Vulnerability tests, I think the pc with the id 002 doesn't have vulnerabilites at all, probably my fault, I had just re-run an update on all the software present. Sorry for my mistake, I'll now try to install something old, with known vulnerabilities.
Thank you another time for your patience!
Miguel Angel Cazajous
Oct 25, 2022, 5:14:47 PM10/25/22
to Wazuh mailing list
Hi,
Exactly, here you can take a look at all the configuration options available for Syscheck.
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-limit
Take into account that increasing that value too much may lead to performance issues, and may affect the frequency option value if the time is too short to monitor a big number of files.
With respect to Vulnerability Detector we may find some agents that do not report vulnerabilities, but installing some well-known vulnerable package like the one I recommended (Wireshark 2.4.5) should trigger several vulnerabilities.
I personally tested installing that package. This is the result.
You can see that 62 out of 64 vulnerabilities are related to the Wireshark package, maybe the 2 remained vulnerabilities in my environment are fixed by some KB installed in your system.
Let me know how your test goes. Regards!
Exactly, here you can take a look at all the configuration options available for Syscheck.
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-limit
Take into account that increasing that value too much may lead to performance issues, and may affect the frequency option value if the time is too short to monitor a big number of files.
With respect to Vulnerability Detector we may find some agents that do not report vulnerabilities, but installing some well-known vulnerable package like the one I recommended (Wireshark 2.4.5) should trigger several vulnerabilities.
I personally tested installing that package. This is the result.
You can see that 62 out of 64 vulnerabilities are related to the Wireshark package, maybe the 2 remained vulnerabilities in my environment are fixed by some KB installed in your system.
Let me know how your test goes. Regards!
Reply all
Reply to author
Forward
0 new messages