Issue #11 open

Syscheck Alerts Checksum is 'xxx'

mstarks01
created an issue

I am not entirely sure if this is a bug, but I think it is. I don't know of a reason why OSSEC would be doing this. Occasionally, I get alerts like this:

Integrity checksum changed for: 'C:\WINDOWS/system32/config/software'
Old md5sum was: 'dab8ec9e6ca565696a350fe4b611d9c6'
New md5sum is : 'xxx'
Old sha1sum was: '1885a65891a03d8cc62cf363934eeaffe1aedb26'
New sha1sum is : 'xxx'

So the new checksum is invalid for some reason. Sometimes it is reversed, like this:

Integrity checksum changed for: 'C:\WINDOWS/Tasks/GoogleUpdateTaskUserS-1-5-21-83438659-57284352-1076757898-1009UA.job'
Old md5sum was: 'xxx'
New md5sum is : '3c79e1a9d80038d6e2b8fef3944b8845'
Old sha1sum was: 'xxx'
New sha1sum is : 'ba84b6adfac06cc4beadbfd2d93f599364b2ecec'

Let me know if you need more info.

Comments (4)

  1. Daniel Cid repo owner

    Always on Windows :)

    This would only happen if for some reason the file is in a "lock" mode or it failed to read the file... Btw, is C:\WINDOWS/system32/config/software a directory?

  2. mstarks01 reporter

    C:\WINDOWS/system32/config/software and C:\WINDOWS/Tasks/GoogleUpdateTaskUserS-1-5-21-83438659-57284352-1076757898-1009UA.job are both files. This also frequently happens to C:\WINDOWS/bootstat.dat and a few others. In my case, I am monitoring all of WINDIR and filtering out noise over time. This is primarily a research effort to see how comprehensive I can make the WINDIR monitoring while still being useful.

    Perhaps if OSSEC can't read the file it could try again in a few seconds?

    And yes, I haven't seen this happen on 'nix, despite monitoring just about everything that isn't a log :)

  3. mstarks01 reporter

    On a related note, I get alerts like this frequently:

    Integrity checksum changed for: '/root/downloads/ossec-hids-2.6/src/shared/read-alert.c'

    Ownership was '0', now it is '500'

    Group ownership was '0', now it is '500'

    Then the next alert has the 0 bytes thing reversed. This also happens with file size.

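The thread describes two noise patterns in syscheck output: a digest of 'xxx' when the Windows agent could not read a locked file (followed on the next scan by the "reversed" alert that puts the real digest back), and ownership or size alerts that are undone by the very next alert for the same file. The script below is an added example for triaging such alerts after the fact; it is not OSSEC's code and not something either commenter posted. It assumes the alert line formats exactly as quoted in the issue (checksum and ownership lines; the size-change line is not quoted, so it is not parsed), treats 'xxx' as the read-failure marker per Daniel Cid's explanation, and runs over sample alerts constructed here with digests of dummy data.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Value the Windows agent put in place of a digest when it could not read the file
# (taken from the alerts quoted in the issue; "locked / read failed" is Daniel Cid's explanation)
UNREADABLE = "xxx"

# Line formats exactly as quoted in this thread; anything else (size, permissions) is skipped
HEADER = re.compile(r"^Integrity checksum changed for: '(?P<path>.+)'$")
OLD_SUM = re.compile(r"^Old (?P<attr>md5sum|sha1sum) was: '(?P<val>[^']*)'$")
NEW_SUM = re.compile(r"^New (?P<attr>md5sum|sha1sum) is : '(?P<val>[^']*)'$")
OWNER = re.compile(r"^(?P<attr>Ownership|Group ownership) was '(?P<old>[^']*)', now it is '(?P<new>[^']*)'$")


@dataclass
class Alert:
    path: str
    changes: dict = field(default_factory=dict)  # attribute -> (old value, new value)


def parse_alert(text):
    """Turn one syscheck alert body into an Alert; ValueError if the header line is missing."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    head = HEADER.match(lines[0]) if lines else None
    if head is None:
        raise ValueError("not a syscheck alert: %r" % text[:60])
    alert = Alert(path=head.group("path"))
    pending = {}  # 'Old ... was' values waiting for their 'New ... is' line
    for line in lines[1:]:
        if (m := OLD_SUM.match(line)):
            pending[m.group("attr")] = m.group("val")
        elif (m := NEW_SUM.match(line)):
            attr = m.group("attr")
            alert.changes[attr] = (pending.pop(attr, None), m.group("val"))
        elif (m := OWNER.match(line)):
            alert.changes[m.group("attr")] = (m.group("old"), m.group("new"))
    return alert


def classify(alerts):
    """One verdict per alert, in order:
    read-failure  a new value is 'xxx': the agent could not read the file on this scan
    recovery      an old value is 'xxx': the previous scan failed and this one read the file again
    flip-flop     every reported attribute exactly reverses what the last alert for this file said
    change        anything else, i.e. the alert is worth looking at
    """
    last = {}  # (path, attribute) -> (old, new) from the most recent alert seen
    verdicts = []
    for alert in alerts:
        pairs = alert.changes
        if any(new == UNREADABLE for _, new in pairs.values()):
            verdict = "read-failure"
        elif any(old == UNREADABLE for old, _ in pairs.values()):
            verdict = "recovery"
        elif pairs and all(last.get((alert.path, attr)) == (new, old)
                           for attr, (old, new) in pairs.items()):
            verdict = "flip-flop"
        else:
            verdict = "change"
        for attr, pair in pairs.items():
            last[(alert.path, attr)] = pair
        verdicts.append(verdict)
    return verdicts


def triage(texts):
    """Parse and classify a list of raw alert bodies; returns [(path, verdict), ...]."""
    alerts = [parse_alert(t) for t in texts]
    return list(zip((a.path for a in alerts), classify(alerts)))


# Constructed sample alerts modelled on the ones in the issue; digests are of dummy data, not real files
MD5_A, SHA1_A = hashlib.md5(b"version A").hexdigest(), hashlib.sha1(b"version A").hexdigest()
MD5_B, SHA1_B = hashlib.md5(b"version B").hexdigest(), hashlib.sha1(b"version B").hexdigest()
SAMPLE_ALERTS = [
    # scan 1: file locked, both digests come back as 'xxx'
    f"Integrity checksum changed for: 'C:\\WINDOWS/bootstat.dat'\n"
    f"Old md5sum was: '{MD5_A}'\nNew md5sum is : 'xxx'\n"
    f"Old sha1sum was: '{SHA1_A}'\nNew sha1sum is : 'xxx'",
    # scan 2: readable again, the "reversed" alert the reporter describes
    f"Integrity checksum changed for: 'C:\\WINDOWS/bootstat.dat'\n"
    f"Old md5sum was: 'xxx'\nNew md5sum is : '{MD5_A}'\n"
    f"Old sha1sum was: 'xxx'\nNew sha1sum is : '{SHA1_A}'",
    # ownership change on the Linux box, then its exact reverse on the next scan
    "Integrity checksum changed for: '/root/downloads/ossec-hids-2.6/src/shared/read-alert.c'\n"
    "Ownership was '0', now it is '500'\nGroup ownership was '0', now it is '500'",
    "Integrity checksum changed for: '/root/downloads/ossec-hids-2.6/src/shared/read-alert.c'\n"
    "Ownership was '500', now it is '0'\nGroup ownership was '500', now it is '0'",
    # a genuine content change, which must survive the filtering
    f"Integrity checksum changed for: 'C:\\WINDOWS/bootstat.dat'\n"
    f"Old md5sum was: '{MD5_A}'\nNew md5sum is : '{MD5_B}'\n"
    f"Old sha1sum was: '{SHA1_A}'\nNew sha1sum is : '{SHA1_B}'",
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_ALERTS):
        print(f"{verdict:<13} {path}")
```

A read-failure followed by a recovery for the same file is the locked-file case and can be suppressed together, but a read-failure with no recovery on the next scan still deserves a look, since a file the agent can never hash is also a file whose real change it would miss; the flip-flop rule only matches when every attribute in the alert is exactly undone, so a partial reversal is still reported as a change.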