Check in file hash on rootcheck


Xabier Rodríguez Bouza

Aug 23, 2017, 2:25:27 AM
to Wazuh mailing list
Hi,

I'm trying to generate more rules for rootcheck which include known
hashes for malicious files, but so far I couldn't find how to do it, just
how to check filenames or registry entries (Windows).

Is there a way that this can be done?

Thanks in advance!


Santiago Bassett

Aug 23, 2017, 3:09:09 AM
to Xabier Rodríguez Bouza, Wazuh mailing list
Hi Xabier, 

do you already have a list of malicious hashes? There are different approaches here, for example you could create a CDB list and a rule that checks if the file belongs to it (triggering an alert if that happens). 

I've also seen cases where Wazuh has been integrated with TI (Threat Intelligence) sources, or services like Virustotal, but will need to take a better look at it, as I am not sure how this has been done.

Santiago



--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/16a0134c-e73a-19e1-47c6-50f6c1a10ba3%40kalrong.net.
For more options, visit https://groups.google.com/d/optout.

Xabier Rodríguez Bouza

Aug 23, 2017, 3:16:27 AM
to wa...@googlegroups.com

Yeah, I'm using sources like VT and MISP where I get a list of filenames, hashes, etc.

I think the CDB list could be a good approach while we keep this list updated from different sources, but I'm not really sure how the alert must be created. I'm checking the documentation, but it doesn't talk about hashes, just IPs and users.

Thanks a lot for your quick response Santiago!


Xabier Rodríguez Bouza

Aug 24, 2017, 6:00:48 AM
to wa...@googlegroups.com

I managed to create the CDB with a test hash and created the following rule upon new file creation:

<group name="syscheck">
  <rule id="69001" level="15">
    <if_sid>554</if_sid>
    <list field="syscheck.md5_after" lookup="match_key_value" check_value="^malware">etc/lists/md5-keys</list>
    <description>MD5 matches malware.</description>
  </rule>
</group>

But it doesn't work. I tried changing it to a simple match to see if it was the list part that was failing, and then it triggered. I also tried with and without "syscheck" before the md5_after field.

Any ideas of what can be happening?

Thanks!

Xabier Rodríguez Bouza

Aug 24, 2017, 8:08:47 AM
to wa...@googlegroups.com

I just asked in the #ossec IRC channel and it looks like this rule works as expected on the ossec master branch; it looks like there is something not merged in the wazuh fork. Any ideas?

Xabier Rodríguez Bouza

Aug 24, 2017, 11:08:27 AM
to wa...@googlegroups.com

Hmm, it looks like it's not working at all.

I have tried to mimic rule 598 but using a CDB list, and it still doesn't work:

<rule id="598" level="5">
  <category>ossec</category>
  <if_sid>554</if_sid>
  <hostname>syscheck-registry</hostname>
  <group>syscheck,pci_dss_11.5,</group>
  <description>Registry Entry Added to the System</description>
</rule>

The CDB file contains syscheck-registry:test and was compiled with ossec-makelist, and I created the following rule:

<rule id="69001" level="15">
  <if_sid>554</if_sid>
  <list field="hostname" lookup="match_key">etc/lists/md5-keys</list>
  <description>MD5 matches malware.</description>
</rule>

If I change the list line for a simple match on the file name created, it works. It seems like when list is used the field is not properly recognized or populated before checking for a match. I also tried changing from match_key to not_match_key, but the result is the same: the rule doesn't trigger.

Jesus Linares

Aug 26, 2017, 2:04:04 PM
to Wazuh mailing list, x...@kalrong.net
Hi Xabier,

how is your CDB list? Your rule should work.


Xabier Rodríguez Bouza

Aug 28, 2017, 5:00:19 AM
to Jesus Linares, Wazuh mailing list

Hi Jesus,

This is the content of the file; as you can see I added a couple of tests, but the first one is the one intended to work:

8b6742f65664caabe5e3f2bef207fb31:malware
malware:8b6742f65664caabe5e3f2bef207fb31
syscheck-registry:test

The file has been added to the config and ossec-makelist run.

Xabier Rodríguez Bouza

Sep 1, 2017, 2:23:33 AM
to wa...@googlegroups.com

Any ideas about this? We are stuck here and not sure what else to try.

Currently we have this CDB:

8b6742f65664caabe5e3f2bef207fb31:malware
malware:8b6742f65664caabe5e3f2bef207fb31

That we are trying to match with this rule (set under local_rules.xml):

<group name="syscheck">
  <rule id="69001" level="15">
    <if_sid>554</if_sid>
    <list field="syscheck.md5_after" lookup="match_key_value" check_value="^malware">etc/lists/md5-keys</list>
    <description>MD5 matches malware.</description>
  </rule>
</group>


We have tried all the variants in lookup and even modified the field, but got no matches, even when using negative lookups to discard a syntax problem on the field or something. It's like it doesn't run that line; however, if I change list for another field, the test filename for example, it triggers. Confusing.

Xabier Rodríguez Bouza

Sep 7, 2017, 7:57:28 AM
to wa...@googlegroups.com

No more ideas here then?


Xavier Rodriguez Bouza

Sep 25, 2017, 5:27:29 AM
to Xabier Rodríguez Bouza, wa...@googlegroups.com
Just wanted to let you know that I have updated to the latest container version and this is still not working :( I will keep trying things.

Alberto Marín

Sep 25, 2017, 12:20:53 PM
to Wazuh mailing list
Hi Xavier,

Sorry for the late response. 


I've made this example using a CDB list to check if the MD5 belongs to a list of hashes.

First of all I've made a CDB list with the list of MD5 hashes and I've compiled it using ossec-makelist.

etc/lists/md5-keys

a992c07980ab70422c1f3e82a0517fff:


I've used the following rules:

<group name="attack,">
   <rule id="69001" level="15">
      <category>ossec</category>
      <decoded_as>syscheck_new_entry</decoded_as>
      <list field="md5" lookup="match_key">etc/lists/md5-keys</list>
      <description>New file matches malware IOC.</description>
      <group>malware,</group>
   </rule>
  
   <rule id="69002" level="15">
     <category>ossec</category>
     <decoded_as>syscheck_integrity_changed</decoded_as>
     <list field="md5" lookup="match_key">etc/lists/md5-keys</list>
     <description>New file matches malware IOC.</description>
     <group>malware,</group>
   </rule>
</group>

The field used is 'md5', corresponding to the field 'md5_before'.

Then I've added a new file with the specified MD5 and I've obtained the expected alert:

** Alert 1506355643.224444: mail - attack,malware,
2017 Sep 25 18:07:23 ubuntu->syscheck
Rule: 69001 (level 15) -> 'New file matches malware IOC.'
New file '/etc/malware' added to the file system.
File: /etc/malware
New size: 22
New permissions: 100644
New user: root (0)
New group: root (0)
New MD5: a992c07980ab70422c1f3e82a0517fff
New SHA1: d37c3dcfad7da300115c78c5af6a5fa72e49fe94
New date: Mon Sep 25 18:07:22 2017
New inode: 804370

I hope it helps.

Regards.
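As an added example (not code from the thread or from Wazuh), the script below does the part the thread leaves to the reader: it turns raw IOC feeds into the "md5:value" text list that ossec-makelist compiles, and it emulates the rule engine's match_key / match_key_value lookups against a syscheck "new file" event decoded with the field name md5, as in Alberto's rule 69001. The feed contents, the feed names "misp" and "vt", the event dictionary and the function names are all constructed here for illustration; the only facts taken from the page are the list format, the lookup types and the md5 field name.

```python
"""
Build a Wazuh/OSSEC CDB text list of malware MD5 hashes and emulate the
rule engine's list lookups against a syscheck alert.

Added example, not code from the mailing-list thread or from Wazuh itself.
Assumptions: the text-list format is `key:value` per line (as on the page),
hashes are stored lowercase, and the sample feeds and sample syscheck event
below are constructed for this example.
"""
import re
from pathlib import Path

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample feeds, mimicking what MISP/VirusTotal exports might give:
# mixed case, stray whitespace, duplicates and non-MD5 values that must be dropped.
SAMPLE_FEEDS = {
    "misp": ["A992C07980AB70422C1F3E82A0517FFF", " 8b6742f65664caabe5e3f2bef207fb31 "],
    "vt": ["8b6742f65664caabe5e3f2bef207fb31",
           "d37c3dcfad7da300115c78c5af6a5fa72e49fe94",  # SHA1, not MD5: dropped
           "notahash"],
}


def normalize_md5s(values):
    """Lowercase, strip and keep only well-formed 32-hex MD5 strings."""
    out = set()
    for v in values:
        h = v.strip().lower()
        if MD5_RE.match(h):
            out.add(h)
    return out


def build_cdb_text(feeds):
    """Return the text list: one `md5:sources` line per hash, sorted by hash.

    The key (left of ':') is what lookup="match_key" compares with the decoded
    field; the value (right of ':') is what lookup="match_key_value" tests
    against check_value.
    """
    by_hash = {}
    for source, values in feeds.items():
        for h in normalize_md5s(values):
            by_hash.setdefault(h, set()).add(source)
    lines = [f"{h}:{','.join(sorted(srcs))}" for h, srcs in sorted(by_hash.items())]
    return "\n".join(lines) + "\n"


def write_cdb_text(feeds, path):
    """Write the text list to <path>; ossec-makelist then compiles it to <path>.cdb."""
    text = build_cdb_text(feeds)
    Path(path).write_text(text)
    return text


def load_cdb_text(text):
    """Parse `key:value` lines into a dict, i.e. what the compiled CDB answers."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        table[key] = value
    return table


def match_key(table, field_value):
    """Emulate <list lookup="match_key">: true when the field is a key in the list."""
    return field_value is not None and field_value in table


def match_key_value(table, field_value, check_value_regex):
    """Emulate <list lookup="match_key_value" check_value="...">."""
    if field_value is None or field_value not in table:
        return False
    return re.search(check_value_regex, table[field_value]) is not None


# Constructed syscheck "new file" event as the decoder exposes it: the hash is
# under the field name `md5`, not `syscheck.md5_after` (the name the first
# attempts in the thread used, which never matched anything).
SAMPLE_EVENT = {
    "decoded_as": "syscheck_new_entry",
    "file": "/etc/malware",
    "md5": "a992c07980ab70422c1f3e82a0517fff",
    "sha1": "d37c3dcfad7da300115c78c5af6a5fa72e49fe94",
}


def evaluate_rule(event, table, field="md5"):
    """True when a syscheck_new_entry event's <field> is a key in the list (rule 69001)."""
    return event.get("decoded_as") == "syscheck_new_entry" and match_key(table, event.get(field))


if __name__ == "__main__":
    cdb_text = build_cdb_text(SAMPLE_FEEDS)
    print(cdb_text, end="")
    print("rule 69001 fires:", evaluate_rule(SAMPLE_EVENT, load_cdb_text(cdb_text)))
```

Running it prints the two-line list (the duplicate hash collapses to one key tagged "misp,vt") and shows the rule firing on the md5 field while the same event with field "syscheck.md5_after" never matches, which is the behaviour the thread observed.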

Xabier Rodríguez Bouza

Sep 25, 2017, 3:20:39 PM
to wa...@googlegroups.com

Thanks a lot for your reply! I will test it tomorrow morning and let you know the results.


Xabier Rodríguez Bouza

Sep 26, 2017, 5:35:21 AM
to wa...@googlegroups.com

Hi Alberto,

Just tested and it is working like a charm now; it looks like the problem was the field name, which should be md5 but wasn't specified anywhere.

I have done tests on different lookups and using if_sid and everything is working fine :)

Thanks a lot!


Alberto Marín

Sep 26, 2017, 5:58:48 AM
to Wazuh mailing list
Hi Xavier,

I'm glad it helped. We will add a list of fields for syscheck in the next documentation updates.


Regards.


Xabier Rodríguez Bouza

Sep 26, 2017, 10:47:43 AM
to wa...@googlegroups.com

A little detail: what would be the field in this case that I should pass to an active response script so it deletes the file that matches that rule?


Alberto Marín

Sep 26, 2017, 11:23:10 AM
to Wazuh mailing list
Hi Xavier,

the only valid fields to be sent with AR are "dstuser", "srcip" and "filename". The "filename" field contains the name of the executable file on the agent, so you can use only the first two fields.
Take into account that both fields are validated by the regex "^[a-zA-Z.:_0-9-]*$".

Regards.


Xabier Rodríguez Bouza

Sep 26, 2017, 11:25:00 AM
to wa...@googlegroups.com

So, there is no way to use an active response rule that takes the filename from the alert? Or maybe the syscheck.file_path is stored in dstuser or srcip?


Alberto Marín

Sep 26, 2017, 1:20:48 PM
to Wazuh mailing list
Hi Xabier,

At the moment there is no simple way to send fields extracted from syscheck to the agent through AR.
AR is limited to those fields and it is not possible to change the extracted fields in syscheck.

It is clear that it is a limitation for the functionality that you want to implement, so we added it to our roadmap to solve it in a future release.

Best regards.

