Flooded with alerts 99901


Xavier Mertens

Feb 18, 2026, 8:08:14 AM
to Wazuh | Mailing List
Hi Wazuh'ers,

I recently started to feed my CDB list /var/ossec/etc/lists/malicious-ioc/malicious-hashes with MISP IOCs (malicious SHA256 hashes).

Now, I'm flooded with alerts 99901 ("FIM: File with known malware hash detected: xxx") and the reported SHA256 is ALWAYS the same!? (They are all false-positives)

Any idea? Where / how to investigate this?

/x

Olamilekan Abdullateef Ajani

Feb 18, 2026, 8:58:32 AM
to Wazuh | Mailing List
Hello Xmertens,

After reviewing this, what comes to mind is: if the reported SHA256 is always identical, the first thing to verify is whether Wazuh is actually detecting the same file repeatedly or whether the hash itself is problematic.

Have you reviewed the alert itself to isolate the repeated SHA256 value, and is the file path always the same?

I would recommend validating the repeated SHA256 against VirusTotal or calculating it locally on the affected host to confirm which file content is producing the match.

False positives of this nature, as you have mentioned, are most often caused by an IOC list containing hashes of benign or extremely common files rather than an issue with FIM.

Please let me know what you find.

Xavier Mertens

Feb 18, 2026, 9:08:38 AM
to Wazuh | Mailing List
The file path that is reported as "changed" is always different, and the hash has been checked on VT. It corresponds to an Android package! Nothing related to my systems...

Olamilekan Abdullateef Ajani

Feb 20, 2026, 9:48:32 AM
to Wazuh | Mailing List
Hello Xmertens,

Since the hash is constant while file paths change based on what you just said, I believe the issue lies with how the CDB list is being parsed. I would recommend inspecting the malicious-hashes list for hidden characters or formatting anomalies, especially if the data is coming from MISP automation. Even a single malformed line can cause unexpected matches.

As a quick test, try removing the repeated SHA256 entry, rebuild the CDB, and then monitor whether the alerts persist.

Please let me know.


Xavier Mertens

Feb 20, 2026, 12:18:39 PM
to Wazuh | Mailing List
Ok, I did more tests... I got an alert from one agent:

sqlite> select * from file_entry where path = "/usr/bin/objdump";
/usr/bin/objdump|0|1771606330|1|131583|72c9a40c8b69049c75c87f7d649e211623eccf77|2051|23600141|24|rwxrwxrwx||0|0|root|root|d41d8cd98f00b204e9800998ecf8427e|da39a3ee5e6b4b0d3255bfef95601890afd80709|e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855|1743416179|1
sqlite>
root@host:/var/ossec/queue/fim/db# sha256sum /usr/bin/objdump
afd9c7433c96cb0f37df99cab98fc860bbbe2bed17f37df66254a8778adfc61d  /usr/bin/objdump

The timestamp corresponds to "Friday, February 20, 2026 4:52:10 PM" -> I got the alert 2 mins later in my TheHive. Why is the SHA256 wrong?

I checked in the FIM database... The SHA256 is not the same!? I'm lost...

/x

Xavier Mertens

Feb 20, 2026, 12:22:26 PM
to Wazuh | Mailing List

This is really weird: On my agent, 1085 files have the same sha256!?

sqlite> select count(*) from file_entry where hash_sha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";
1085
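Editor's note with an added example (my own code, not from the thread, from Wazuh, or from MISP). Two passages above call for the same check: the earlier suggestion to inspect the CDB list for hidden characters or formatting anomalies, and the final observation that 1085 files on one agent share the SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. That value is the SHA256 of zero-length input, and the d41d8cd9... and da39a3ee... fields beside it in the dumped file_entry row are the MD5 and SHA1 of zero-length input; the thread does not settle why FIM stored them, but any hash IOC list containing an empty-input digest will match every such entry. The script below lints a Wazuh CDB list (one `key:value` per line) for a UTF-8 BOM, CR line endings, blank lines, missing separators, non-hex keys, duplicates and empty-input digests, and scans a dumped `file_entry` row for empty-input digests. It identifies hash fields by hex length alone (32/40/64), an assumption rather than knowledge of the table's column order; the sample list is constructed, and the row is the one posted above.

```python
import hashlib
import re

# Digests of zero-length input, computed rather than hard-coded so the
# reader can verify them. Any hash IOC list containing one of these will
# match every empty (or unreadable, if the hasher saw no bytes) file.
EMPTY_DIGESTS = {
    "md5": hashlib.md5(b"").hexdigest(),
    "sha1": hashlib.sha1(b"").hexdigest(),
    "sha256": hashlib.sha256(b"").hexdigest(),
}
# Assumption: a hash field is recognised by its hex length only.
HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_digest(value):
    """Return (algorithm, is_empty_input_digest) or None if not a hex digest."""
    v = value.strip().lower()
    algo = HEX_LEN.get(len(v))
    if algo is None or not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return algo, v == EMPTY_DIGESTS[algo]


def check_cdb_list(text):
    """Lint a Wazuh CDB list of hash IOCs; return [(line_no, problem, line)]."""
    findings = []
    seen = set()
    lines = text.split("\n")          # keep CRs so CRLF lines can be flagged
    if lines and lines[-1] == "":     # trailing newline is not a blank entry
        lines.pop()
    for lineno, line in enumerate(lines, start=1):
        if lineno == 1 and line.startswith("\ufeff"):
            findings.append((lineno, "bom", line))
            line = line[1:]
        if line.endswith("\r"):
            findings.append((lineno, "cr-line-ending", line))
            line = line[:-1]
        if line.strip() == "":
            findings.append((lineno, "blank", line))
            continue
        key, sep, _value = line.partition(":")
        if not sep:
            findings.append((lineno, "missing-colon", line))
            continue
        if key != key.strip():
            findings.append((lineno, "whitespace-around-key", line))
        cls = classify_digest(key)
        if cls is None:
            findings.append((lineno, "not-a-hex-digest", line))
            continue
        algo, is_empty = cls
        if is_empty:
            findings.append((lineno, f"empty-input-{algo}", line))
        k = key.strip().lower()
        if k in seen:
            findings.append((lineno, "duplicate-key", line))
        seen.add(k)
    return findings


def empty_digests_in_fim_row(row):
    """Algorithms whose digest in a '|'-separated file_entry row is the empty-input digest."""
    return [cls[0] for cls in map(classify_digest, row.split("|")) if cls and cls[1]]


# Constructed sample list (not the poster's file): one valid entry, a CRLF line
# carrying the empty-input SHA256 in upper case, a line with no separator, and
# a blank line.
SAMPLE_CDB = (
    "0123456789abcdef" * 4 + ":malicious\n"
    "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855:misp\r\n"
    "notahash\n"
    "\n"
)

# The file_entry row posted in the thread for /usr/bin/objdump.
FIM_ROW = ("/usr/bin/objdump|0|1771606330|1|131583|72c9a40c8b69049c75c87f7d649e211623eccf77"
           "|2051|23600141|24|rwxrwxrwx||0|0|root|root|d41d8cd98f00b204e9800998ecf8427e"
           "|da39a3ee5e6b4b0d3255bfef95601890afd80709"
           "|e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855|1743416179|1")

if __name__ == "__main__":
    for lineno, problem, line in check_cdb_list(SAMPLE_CDB):
        print(f"line {lineno}: {problem}: {line!r}")
    print("empty-input digests in FIM row:", empty_digests_in_fim_row(FIM_ROW))
```

To run it against a real list, read `/var/ossec/etc/lists/malicious-ioc/malicious-hashes` into `check_cdb_list`; an `empty-input-sha256` finding there is enough to explain a constant reported hash across changing paths, and the `.sqlite3 file_entry` dump can be fed line by line to `empty_digests_in_fim_row` to count affected entries independently of the list.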