
Bugfix: wrong slash for windows filenames.

Open reyjrar opened this issue 10 years ago • 12 comments

Subtle bug, most people probably don't realize this is happening.

reyjrar avatar Jun 24 '14 20:06 reyjrar

I am going to accept this and get people testing this. It looks correct to me.

jrossi avatar Jun 24 '14 20:06 jrossi

How will this affect rules which are already written to include both forward and backwards slashes?

mstarks01 avatar Jun 24 '14 20:06 mstarks01

@mstarks01 brings up a question. I think both directions of slash work.

jrossi avatar Jun 24 '14 20:06 jrossi

So for a long time now Windows accepts / in place of \. So the function should always work. What this bug does fix is that paths for realtime scans would be different from non-realtime scans. This is a bug we should address and I think @reyjrar has done it here.

jrossi avatar Jun 24 '14 20:06 jrossi

I think this only pertains to realtime discovered files on Windows as they were passed to the analysisd. So if you had a rule like

     <rule id="x" level="12">
       <if_group>whatever_syscheck_is_i_forget</if_group>
       <match>C:\Windows\System32\MyCustom.dll</match>
       <description>IMPORTANT FILE MODIFIED</description>
     </rule>

It would never match. Also, filename isn't available in rules... going to fix that ;)

reyjrar avatar Jun 24 '14 20:06 reyjrar

There are ignores in ossec.conf that look like this: C:\WINDOWS/system32/CatRoot

Obviously, that's kludgey, so they should be updated along with this patch if they are affected and the release notes should mention this in case someone has written a local ignore that will no longer work.

mstarks01 avatar Jun 24 '14 20:06 mstarks01
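The mismatch discussed above, as an added illustration that is not OSSEC's own code: a hypothetical normaliser that rewrites `/` to `\` in Windows paths, a stand-in substring test for a rule `<match>`, and two checks showing (a) why the backslash rule never matched the old realtime form and (b) why a mixed-slash ignore like the one quoted stops matching once paths are normalised. The direction of normalisation and the substring semantics are assumptions; inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical normaliser (not OSSEC's code): rewrite every '/' in a
 * Windows path to '\' so realtime and scheduled syscheck events agree. */
static char *normalize_win_path(char *path)
{
    for (char *p = path; *p; p++) {
        if (*p == '/')
            *p = '\\';
    }
    return path;
}

/* Stand-in for a rule <match> or an ignore: plain substring test. */
static int rule_matches(const char *event_path, const char *pattern)
{
    return strstr(event_path, pattern) != NULL;
}

/* Returns 1 when the backslash rule misses the constructed realtime form
 * before normalisation and matches both forms afterwards. */
int demo_rule_consistency(void)
{
    const char *rule = "C:\\Windows\\System32\\MyCustom.dll";
    const char *scheduled = "C:\\Windows\\System32\\MyCustom.dll";
    char realtime[] = "C:\\Windows/System32/MyCustom.dll"; /* constructed */

    int before = rule_matches(realtime, rule);   /* 0: slashes differ */
    normalize_win_path(realtime);
    int after = rule_matches(realtime, rule);    /* 1: forms now agree */
    return !before && after && rule_matches(scheduled, rule);
}

/* Returns 1 when an ignore written against the old mixed-slash realtime
 * form stops matching after normalisation: what release notes must flag. */
int demo_mixed_ignore_breaks(void)
{
    const char *old_ignore = "C:\\WINDOWS/system32/CatRoot";
    char realtime[] = "C:\\WINDOWS/system32/CatRoot/db.bin"; /* constructed */

    int before = rule_matches(realtime, old_ignore); /* 1 */
    normalize_win_path(realtime);
    int after = rule_matches(realtime, old_ignore);  /* 0 */
    return before && !after;
}
```

Both demo functions return 1, which is the behaviour an upgrade check for problem paths in existing ignores would need to detect.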

I am still completely lost on the correct way forward. The patch is correct and fixes a bug, but that bug is now codified in configuration, but only for real time.

Just talking this out now has made the choice clear. We should accept the patch and fix. While making it a highlight issue. What about scanning for problem paths during upgrade?

jrossi avatar Jul 12 '14 12:07 jrossi

@reyjrar any way I could get you to write up some clarification docs around this? Then we will make sure that all the ossec rules are in line and working the same way.

Thank you, @jrossi

jrossi avatar Jul 13 '14 19:07 jrossi

Pushing this out till after 2.9 so that we can put this in the release notes about an upcoming change that could require manual changes to make sure rules still work.

jrossi avatar Sep 02 '14 15:09 jrossi

I wish I could, but we're not deployed on Windows Servers at this point. Is there someone with a Windows Setup that can test the patch and see what breaks?

reyjrar avatar Sep 05 '14 18:09 reyjrar

I can test the patch but would you be able to outline what it is you want me to test exactly?

awiddersheim avatar Oct 06 '14 18:10 awiddersheim

@awiddersheim We understand the patch now and it's a bug in paths on Windows that people could have codified in their configs. We need to release 2.9 with a large notice that we are going to be fixing a bug that could break installs.

jrossi avatar Oct 06 '14 19:10 jrossi