FIM on MS (notification when file is changed)


M G
Apr 25, 2023, 12:49:00 PM
to Wazuh mailing list
Hello Wazuh Team,

I have a problem with the FIM configuration on Windows.
I would like to get a notification when the file "test" in the folder_test folder has any changes.

Currently, I am receiving alerts when a file is added or removed, but not when its content is changed.

agent conf:
<syscheck>
<directories check_all="yes" realtime="yes" whodata="yes" restrict="\test" report_changes="yes">C:\folder_test</directories>
</syscheck>

I have rule:
 <rule id="100025" level="10">
    <category>ossec</category>
    <decoded_as>syscheck_integrity_changed</decoded_as>
    <match>test</match>
    <description>Important file modified in the system.</description>
    <group>syscheck,syscheck_entry_modified,syscheck_file</group>
  </rule>

and of course the default rules:
- 550 changes
- 553 delete
- 554 add

Regards
Mateusz

Francisco Tuduri
Apr 25, 2023, 2:54:53 PM
to Wazuh mailing list
Hello M G!

I have tested your rule in my environment and saw that your custom rule was tripped successfully when modifying a "test" file in "C:\folder_test".

Could you please:
 - Share which version of Wazuh (manager/agent) you are using.
 - Confirm that rule 550 gets tripped when you modify the test file.

Here is another approach that I have tested successfully:

<rule id="100025" level="10">
   <if_sid>550</if_sid>
   <field name="file">\\folder_test\\test</field>
   <description>Important file modified in the system.</description>
   <group>syscheck,syscheck_entry_modified,syscheck_file</group>
</rule>


You can check this guide to see how to use other FIM fields in the rules.

Let me know how it goes.
Regards!

M G
Apr 26, 2023, 3:52:40 AM
to Wazuh mailing list
Hello Francisco,

Thank you for the answer and your test.

1a. manager - 4.4.1
1b. agent - v4.4.1
2. No. I don't have any event where rule.id = 550 on Windows systems (I don't have this problem on Linux).
3. I have tried using your rule, but it still does not work.

In my opinion, I have an incorrect configuration of the FIM.

Regards
Mateusz

Francisco Tuduri
Apr 26, 2023, 8:56:21 AM
to Wazuh mailing list
Hello Mateusz!

Ok, so you don't get any rule id 550 on Windows systems. Just to confirm, rules 553(delete) and 554(add) are working correctly with your Windows endpoints, right?
Yes, it could be an incorrect configuration.
In my test I just used the default Windows agent configuration and added the <directories> config that you provided.

Could you share your full <syscheck> configuration for one of these agents?
Are you using centralized configuration for FIM? As mentioned here: If a directory is specified both in a centralized configuration and on the Wazuh agent's ossec.conf, the centralized configuration will take preference and override the local configuration.
So please check the syscheck config on both the ossec.conf and shared/agent.conf.

Regards!

M G
Apr 26, 2023, 10:51:41 AM
to Wazuh mailing list
Hi Francisco,

"Ok, so you don't get any rule id 550 on Windows systems. Just to confirm, rules 553(delete) and 554(add) are working correctly with your Windows endpoints, right?"
Yes, 553 and 554 working correctly. 550 - 0 events

These are my settings:

ossec.conf

  <syscheck>

    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <!-- Default files to be monitored. -->
    <directories recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$">%WINDIR%</directories>

    <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$">%WINDIR%\SysNative</directories>
    <directories recursion_level="0">%WINDIR%\SysNative\drivers\etc</directories>
    <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\SysNative\wbem</directories>
    <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\SysNative\WindowsPowerShell\v1.0</directories>
    <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\SysNative</directories>

    <!-- 32-bit programs. -->
    <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$">%WINDIR%\System32</directories>
    <directories recursion_level="0">%WINDIR%\System32\drivers\etc</directories>
    <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\System32\wbem</directories>
    <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\System32\WindowsPowerShell\v1.0</directories>
    <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\System32</directories>

    <directories realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>

    <ignore>%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</ignore>

    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

    <!-- Windows registry entries to monitor. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

    <!-- Windows registry entries to ignore. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final</registry_ignore>

    <!-- Frequency for ACL checking (seconds) -->
    <windows_audit_interval>60</windows_audit_interval>

    <!-- Nice value for Syscheck module -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_interval>1h</max_interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>


shared/agent.conf

<!-- Source file: default/agent.conf -->
<agent_config>

  <!-- Shared agent configuration here -->

</agent_config>
<!-- Source file: FIM_frequency_2min_test/agent.conf -->
  <agent_config>
    <!-- Shared agent configuration here -->
    <syscheck>
      <!-- Frequency that syscheck is executed default every 2 min -->
      <frequency>120</frequency>
    </syscheck>
  </agent_config>
<!-- Source file: FIM_add_directories_MS/agent.conf -->
  <agent_config>
    <!-- Shared agent configuration here -->


    <syscheck>
       <directories check_all="yes" realtime="yes" whodata="yes" restrict="test" report_changes="yes">C:\folder_test</directories>
    </syscheck>

  </agent_config>


I found three problems.

1. If I have whodata="yes" in the config, then in the web application (Agents/lab/Configuration/Integrity monitoring) I see "no" for Enable realtime monitoring.

<directories check_all="yes" realtime="yes" whodata="yes" restrict="test" report_changes="yes">C:\folder_test</directories>

[screenshot: photo1.jpg]

If I remove whodata="yes" from the config, then Enable realtime monitoring = yes.


2. For the test I use
<directories report_changes="yes" check_all="yes">*</directories>
then I got this wrong path in the log:
c:\program files (x86)\ossec-agent\queue\diff\local\c\program files (x86)\ossec-agent\queue\diff\local\c\programdata\microsoft\windows defender\definition updates\default\nisfull.vdm\last-entry.gz\last-entry.gz
[screenshot: photo2.jpg]
Probably this is related to this issue: https://github.com/wazuh/wazuh/issues/15619

3. I found
[screenshot: photo3.jpg]


Regards
Mateusz

Francisco Tuduri
Apr 26, 2023, 2:33:39 PM
to Wazuh mailing list
Hello Mateusz!

About the three points that you mention:
"1. If on config I have whodata="yes" then on web application (Agents/lab/Configuration/Integrity monitoring) I have "no" for Enable realtime monitoring."
This is expected because whodata implies realtime monitoring. You can see that here. So when whodata is enabled the realtime configuration is ignored.

"2. For the test I use <directories report_changes="yes" check_all="yes">*</directories> then I got this wrong path on log"
I'll give this a look, but it is not recommended to monitor all directories and files. And you will probably reach the max number of monitored directories, probably leaving some important ones out of it.

"3. I found 'This option is only available on Unix-like systems.' on https://www.ossec.net/docs/docs/manual/syscheck/index.html"
In Wazuh this has been supported since 2017, according to the changelog: "Report changes (FIM file diffs) to Windows agent."
I have tested successfully in a Windows 11 agent with Wazuh 4.4.1.

I'll tell you the test that I ran so you can repeat the steps and hopefully we will find a clue about what is going on:

  • Manager 4.4.1
  • Agent 4.4.1 on Windows 11
  • On the agent:
    • I have the "C:\folder_test" directory with two files: "test" and "sample.txt"
    • Enable debug log:
      • on internal_options.conf set the windows.debug option to 2.
      • This will generate a lot of logging information on ossec.log. You should set it back to 0 after this test.
    • Restart the agent.
  • On the manager
    • Configure agent.conf
      • I used this configuration for the <directories>, I just removed realtime, and added the "\" to the restrict:
        • <directories check_all="yes" whodata="yes" restrict="\test" report_changes="yes">C:\folder_test</directories>
  • Now the agent should have received the agent.conf and restarted.
  • Make a change to the "C:\folder_test\test" file
  • Check the agent's log:
    • You can run this command from PowerShell: Select-String -Path 'C:\Program Files (x86)\ossec-agent\ossec.log' -Pattern "folder_test"
    • This is what I got:
ossec.log:164:2023/04/26 14:44:41 wazuh-agent[18824] syscheck.c:186 at Start_win32_Syscheck(): INFO: (6003): Monitoring path: 'c:\folder_test', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | report_changes | whodata'.

ossec.log:165:2023/04/26 14:44:41 wazuh-agent[18824] syscheck.c:194 at Start_win32_Syscheck(): DEBUG: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'c:\folder_test'.

ossec.log:245:2023/04/26 14:44:46 wazuh-agent[18824] create_db.c:1227 at fim_check_restrict(): DEBUG: (6203): Ignoring entry 'c:\folder_test\sample.txt' due to restriction '\test'

ossec.log:251:2023/04/26 14:44:46 wazuh-agent[18824] win_whodata.c:157 at set_winsacl(): DEBUG: (6266): The SACL of 'c:\folder_test' will be configured.

ossec.log:11406:2023/04/26 14:45:28 wazuh-agent[18824] run_check.c:115 at fim_send_sync_control(): DEBUG: (6317): Sending integrity control message: {"component":"fim_file","type":"integrity_check_global","data":{"id":1682531128,"version":2,"begin":"c:\\folder_test\\test","end":"c:\\windows\\win.ini","checksum":"595d61a08082143824063f5cc93f50eb7f6fb2aa"}}

ossec.log:11408:2023/04/26 14:45:28 wazuh-agent[18824] win_whodata.c:157 at set_winsacl(): DEBUG: (6266): The SACL of 'c:\folder_test' will be configured.

ossec.log:11443:2023/04/26 14:45:33 wazuh-agent[18824] run_check.c:127 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"c:\\folder_test\\test","version":2,"mode":"whodata","type":"modified","timestamp":1682531133,"attributes":{"type":"file","size":90,"perm":{"S-1-5-32-544":{"name":"Administradores","allowed":["delete","read_control","write_dac","write_owner","synchronize","read_data","write_data","append_data","read_ea","write_ea","execute","read_attributes","write_attributes"]},"S-1-5-18":{"name":"SYSTEM","allowed":["delete","read_control","write_dac","write_owner","synchronize","read_data","write_data","append_data","read_ea","write_ea","execute","read_attributes","write_attributes"]},"S-1-5-32-545":{"name":"Usuarios","allowed":["read_control","synchronize","read_data","read_ea","execute","read_attributes"]},"S-1-5-11":{"name":"Usuarios autentificados","allowed":["delete","read_control","synchronize","read_data","write_data","append_data","read_ea","write_ea","execute","read_attributes","write_attributes"]}},"uid":"S-1-5-32-544","user_name":"Administradores","inode":0,"mtime":1682531132,"hash_md5":"116babf184a523a8c8752a2abd95a533","hash_sha1":"94292c3372b8fe7bcfc8f9ed37c451640fe9cad3","hash_sha256":"fe4180fbb51ab43a39507e604c1fe22a745b1eecae51251e137ec098a95565b8","attributes":"ARCHIVE","checksum":"0c948b0c44ddcff3bd62a976b5f4486d19329953"},"changed_attributes":["size","mtime","md5","sha1","sha256"],"old_attributes":{"type":"file","size":66,"perm":{"S-1-5-32-544":{"name":"Administradores","allowed":["delete","read_control","write_dac","write_owner","synchronize","read_data","write_data","append_data","read_ea","write_ea","execute","read_attributes","write_attributes"]},"S-1-5-18":{"name":"SYSTEM","allowed":["delete","read_control","write_dac","write_owner","synchronize","read_data","write_data","append_data","read_ea","write_ea","execute","read_attributes","write_attributes"]},"S-1-5-32-545":{"name":"Usuarios","allowed":["read_control","synchronize","read_data","read_ea","execute","read_attributes"]},"S-1-5-11":{"name":"Usuarios autentificados","allowed":["delete","read_control","synchronize","read_data","write_data","append_data","read_ea","write_ea","execute","read_attributes","write_attributes"]}},"uid":"S-1-5-32-544","user_name":"Administradores","inode":0,"mtime":1682530808,"hash_md5":"17d9616cc5cff6a76961a3605ff100e7","hash_sha1":"454e0d18b710edd3edad6bf247536263ee80ef95","hash_sha256":"9fed3233fa3e545bfbf9802de00dfbb1cadcb60987ac8ab1229d9e65194b3309","attributes":"ARCHIVE","checksum":"c9018415136e6f814447e110a6746540bf3e68e5"},"audit":{"user_id":"S-1-5-21-1172456684-2847092878-83231946-500","user_name":"Administrador","process_name":"C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_11.2302.26.0_x64__8wekyb3d8bbwe\\Notepad\\Notepad.exe","process_id":2652},"content_changes":"---\n> \n> \n> \n> n\n> e\n> w\n>  \n> l\n> i\n> n\n> e\n> \n> \n> \n"}}

In this case everything is working correctly; the last entry is the message that notifies about the change to the "test" file.

Could you try to repeat this test and check if there is anything different in the log, or just share the log? Thanks!
Regards!

M G
Apr 27, 2023, 7:53:01 AM
to Wazuh mailing list
Hello Francisco,

Thank you for your comprehensive answer!

I use Windows Server 2016 (agent v4.4.1), but I get this same log:
[screenshot: photo34jpg.png]

I added "new text" to the file on a new line and I see this change in the log.

Unfortunately I don't see this event in the app. I have rules 553 and 554 but not 550 (or any other).
[screenshot: photo5.jpg]

I don't have any idea why :)
I have the manager on Rocky Linux (v4.4.1).

Regards!

Francisco Tuduri
Apr 27, 2023, 9:13:09 AM
to Wazuh mailing list
Hello Mateusz!

Thanks for running the test.
It is a strange case, but now we know that the agent is sending the diff event. And clearly manager and agent are actively communicating.
Let's go back to the manager.

  • Is there any other change to the ruleset besides your custom rule? Any rule that could be capturing this event?
  • The rule 550 is on the file ruleset/rules/0015-ossec_rules.xml, any change to that rule?
    • It should be:
  <rule id="550" level="7">
    <category>ossec</category>
    <decoded_as>syscheck_integrity_changed</decoded_as>
    <description>Integrity checksum changed.</description>
    <mitre>
      <id>T1492</id>
    </mitre>
    <group>syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  • Keep in mind that if the diff event triggers your custom rule it would not trigger the 550 rule. I mention this just in case you are filtering only the events 553, 554, 550.

There is one more thing we can check. Let's see if the manager is receiving the event, even if it is not firing an alert.

  • Enable the logall_json option on the manager's ossec.conf: "This toggles whether to store events even when they do not trip a rule with results written to /var/ossec/logs/archives/archives.json."
  • Restart the manager.
  • Repeat the test modifying the test file on the agent.
  • Check the logs/archives/archives.json to see if the diff event was received.
  • You can use something like this:
    • grep folder_test /var/ossec/logs/archives/archives.json

Let me know what you find.
Regards!

M G
Apr 28, 2023, 10:50:20 AM
to Wazuh mailing list
Hi Francisco

I found where the problem is.

I have rule:

  <rule id="100005" level="10">
    <category>ossec</category>
    <decoded_as>syscheck_integrity_changed</decoded_as>
    <regex>tescik|/proc/cmdline|/etc/profile|/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/services|~/.bash_profile|~/.bashrc|~/.bash_login|~/.profile|/home/user/.bashrc|/etc/bash.bashrc|/etc/system.d|/etc/rc|/etc/init.|/etc/profile.d/|/bin|/sbin|/usr/lib|/usr/local/lib|/lib64|/usr/lib64|/root|/etc/cron|/usr/local/bin/docker|/usr/local/bin/docker-compose|/usr/local/bin/notary|/usr/local/bin/kubectl|runc|kube-apiserver|kube-controller-manager|.bash_history|</regex>
    <location>!VM1</location>
    <description>Important file modified in the system.</description>
    <group>syscheck,syscheck_entry_modified,syscheck_file</group>
  </rule>


I don't understand why this rule triggers on this event. My Windows VM is named VM2. In the regex I don't use "test".
Next the event goes to rule 100017, and this is the place where we lose the event.

 <rule id="100017" level="10">
         <if_sid>100005</if_sid>
         <description>Zero</description>
  </rule>


Below it I have 4 rules.

 <rule id="100018" level="10">
    <if_sid>100017</if_sid>
        <match>aaaaaaaaaaaaa</match>
    <description>Rootkit - FP</description>
  </rule>

 <rule id="100019" level="10">
    <if_sid>100017</if_sid>
        <match>bbbbbbbbbbbbb</match>
    <description>Rootkit - FP</description>
  </rule>

 <rule id="100020" level="10">
    <if_sid>100017</if_sid>
        <match>ccccccccccc</match>
    <description>Rootkit - FP</description>
  </rule>

 <rule id="100021" level="10">
    <if_sid>100017</if_sid>
        <match>dddddddddd</match>
    <description>Rootkit - FP</description>
  </rule>


1. If I remove 100005, I get the event with rule 550.
2. If I remove 100017, I get the event with rule 100005.
3. If I remove 100017 and change if_sid on rules 100018-100021 from 100017 to 100005 (example on screen), I get the event with rule 100005.
example:
[screenshots: example1.jpg to example2.jpg]

Conclusion:
1. I don't have any idea why the event triggers rule 100005.
2. I lose the event on rule 100017.

[screenshot: event (2).jpg]

Regards!
Mateusz

P.S. Sorry, but I'm going away for a few days, so I'll be out of touch

Francisco Tuduri
Apr 28, 2023, 2:42:20 PM
to Wazuh mailing list
Hi Mateusz!
Good! We are getting somewhere!

I've been checking your rule 100005 and I found two issues:
Also, you can check the FIM fields rule mapping to have more control over the matching conditions of the rule. The regex option will search for a match in the log event. But if you are interested in just matching something on the file path you could use <field name="file"> as is shown here: https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/fim-fields-rule-mapping.html?highlight=fim%20mapping#rule-mapping-examples

Regards!
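The rules Mateusz posted above (100005 with its <regex>, 100017 with nothing but an <if_sid>) and the <field name="file"> alternative Francisco points to can be reasoned about with a small script. What follows is an added example, not code from this thread or from the Wazuh project. It parses the "(6321): Sending FIM event" debug line the Windows agent writes to ossec.log (quoted earlier in the thread), flattens the event into the kind of fields the FIM rule mapping exposes, and runs a simplified model of the rule tree over it. Everything below is this example's own assumption: the log excerpt is constructed from the thread's quoted lines with hashes and permission lists dropped; Python's re module stands in for Wazuh's own OS_Regex engine; the field names approximate the documented mapping; sibling rules are tried higher level first and the first match wins, which is consistent with the thread, where the level-10 rule 100005 took the event ahead of the level-7 rule 550. It goes one step past the thread by evaluating three rulesets: the rules as posted, the same rules with the trailing "|" removed from the regex, and the <field name="file"> child of 550.

```python
"""Added example, not code from the thread or the Wazuh project: parse the
agent's "(6321): Sending FIM event" log line, flatten it into rule-testable
fields and run a simplified model of the Wazuh rule tree over it.
Assumptions: constructed log excerpt; Python re in place of Wazuh's OS_Regex;
siblings tried higher level first, first match wins (consistent with the
thread, where level-10 rule 100005 won over level-7 rule 550)."""
import json
import re

# Constructed excerpt modelled on the ossec.log lines quoted in the thread
# (JSON shortened: hashes and permission lists dropped).
AGENT_LOG = r"""
2023/04/26 14:44:46 wazuh-agent[18824] create_db.c:1227 at fim_check_restrict(): DEBUG: (6203): Ignoring entry 'c:\folder_test\sample.txt' due to restriction '\test'
2023/04/26 14:45:33 wazuh-agent[18824] run_check.c:127 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"c:\\folder_test\\test","version":2,"mode":"whodata","type":"modified","timestamp":1682531133,"attributes":{"type":"file","size":90},"changed_attributes":["size","mtime","md5","sha1","sha256"],"old_attributes":{"type":"file","size":66},"audit":{"user_id":"S-1-5-21-1172456684-2847092878-83231946-500","user_name":"Administrador","process_name":"C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_11.2302.26.0_x64__8wekyb3d8bbwe\\Notepad\\Notepad.exe","process_id":2652},"content_changes":"---\n> new line\n"}}
"""

FIM_LINE = re.compile(r"\(6321\): Sending FIM event: (\{.*\})\s*$")

# Decoder analysisd assigns per event type; rules 550/553/554 key on these.
DECODER_BY_TYPE = {
    "modified": "syscheck_integrity_changed",
    "added": "syscheck_new_entry",
    "deleted": "syscheck_deleted",
}


def parse_fim_events(log_text):
    """Return (decoder, fields, raw_json) for each FIM event line in the log.
    Field names approximate the documented FIM rule mapping."""
    events = []
    for line in log_text.splitlines():
        m = FIM_LINE.search(line)
        if not m:
            continue
        data = json.loads(m.group(1))["data"]
        audit = data.get("audit", {})
        fields = {
            "file": data["path"],
            "mode": data["mode"],
            "changed_fields": ",".join(data.get("changed_attributes", [])),
            "audit.user_name": audit.get("user_name", ""),
            "audit.process_name": audit.get("process_name", ""),
            "diff": data.get("content_changes", ""),
        }
        events.append((DECODER_BY_TYPE[data["type"]], fields, m.group(1)))
    return events


class Rule:
    """Subset of <rule> options: decoded_as, if_sid, match, regex, field."""

    def __init__(self, rid, level, decoded_as=None, if_sid=None,
                 match=None, regex=None, field=None):
        self.id, self.level = rid, level
        self.decoded_as, self.if_sid = decoded_as, if_sid
        self.match, self.regex, self.field = match, regex, field

    def matches(self, decoder, fields, raw):
        if self.decoded_as and decoder != self.decoded_as:
            return False
        # <match>/<regex> scan the whole event text ...
        if self.match and self.match not in raw:
            return False
        if self.regex and not re.search(self.regex, raw):
            return False
        # ... while <field name="..."> tests a single decoded field.
        if self.field:
            name, pattern = self.field
            if not re.search(pattern, fields.get(name, "")):
                return False
        return True


def evaluate(rules, decoder, fields, raw):
    """Try siblings higher level first, descend into the children (if_sid)
    of the first match, and return the deepest rule reached."""
    winner, parent = None, None
    while True:
        siblings = sorted((r for r in rules if r.if_sid == parent),
                          key=lambda r: -r.level)
        hit = next((r for r in siblings if r.matches(decoder, fields, raw)), None)
        if hit is None:
            return winner
        winner, parent = hit, hit.id


RULE_550 = Rule(550, 7, decoded_as="syscheck_integrity_changed")
# Thread's rule 100005, abridged: the alternation ends in "|", an empty
# branch that matches any text, so every modified-file event lands here.
BROKEN_REGEX = r"tescik|/etc/passwd|/etc/shadow|/bin|/sbin|.bash_history|"
RULE_100005 = Rule(100005, 10, decoded_as="syscheck_integrity_changed", regex=BROKEN_REGEX)
RULE_100017 = Rule(100017, 10, if_sid=100005)            # no condition: always fires
RULE_100018 = Rule(100018, 10, if_sid=100017, match="aaaaaaaaaaaaa")
RULE_100005_FIXED = Rule(100005, 10, decoded_as="syscheck_integrity_changed",
                         regex=BROKEN_REGEX.rstrip("|"))
# Francisco's alternative: a child of 550 keyed on the decoded file path.
RULE_100025 = Rule(100025, 10, if_sid=550, field=("file", r"\\folder_test\\test$"))


def alert_for(rules, log_text=AGENT_LOG):
    """Rule id that would be alerted for the first FIM event in the log."""
    decoder, fields, raw = parse_fim_events(log_text)[0]
    hit = evaluate(rules, decoder, fields, raw)
    return hit.id if hit else None


def demo():
    return {
        "as_posted": alert_for([RULE_550, RULE_100005, RULE_100017, RULE_100018]),
        "regex_fixed": alert_for([RULE_550, RULE_100005_FIXED, RULE_100017, RULE_100018]),
        "by_field": alert_for([RULE_550, RULE_100025]),
    }


if __name__ == "__main__":
    for name, rid in demo().items():
        print(f"{name}: alert from rule {rid}")
```

Run as is, the script reports rule 100017 for the posted ruleset (the empty branch of the regex catches the event, and the unconditional child then takes it over), rule 550 once the trailing "|" is gone, and rule 100025 when the path is matched through the decoded file field instead of the whole event text. The model is deliberately small; confirm any real ruleset with wazuh-logtest on the manager rather than with this script.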

M G
May 10, 2023, 4:41:51 AM
to Wazuh mailing list
Hi Francisco,

Oh dear. I'm sorry. I wasted a lot of your time, I was looking for the mistake in the wrong place.
Thank you for your help.

Regards!

Francisco Tuduri
May 10, 2023, 3:15:14 PM
to Wazuh mailing list
No problem Mateusz!
I'm glad we could solve the problem.
Regards!