Discussion:
[Aide] Dev: support for external hash whitelist/blacklist?
Julien T
2014-04-24 03:06:45 UTC
Hello Devs,

I know AIDE development is going at a slow pace, but is there any chance that a future
0.16 gets a way to interface with external hash databases,
like ISC SANS (https://isc.sans.edu/tools/hashsearch.html), VirusTotal
(https://www.virustotal.com/#search) or Team Cymru MHR
(https://www.team-cymru.org/Services/MHR/)?

Most probably a local interface in Python and a local db cache would be
needed, but first, if there were some appropriate hook, it would be cool!

Thanks a lot

Julien
Richard van den Berg
2014-04-24 08:05:36 UTC
Most probably a local interface in Python and a local db cache would be needed, but first, if there were some appropriate hook, it would be cool!
This is pretty easy to script right now. The aide.db is just a flat text file (perhaps gzipped). All you would need to do is enable the hashes used by the repositories in aide.conf, and convert them from the representation in the aide.db to the one used by the repositories. There is some sample code for that in the aide tgz IIRC.

Kind regards,

Richard
Julien T
2014-04-24 17:03:43 UTC
Post by Julien T
Post by Julien T
Most probably a local interface in Python and a local db cache would be
needed, but first, if there were some appropriate hook, it would be cool!
This is pretty easy to script right now. The aide.db is just a flat text
file (perhaps gzipped). All you would need to do is enable the hashes used
by the repositories in aide.conf, and convert them from the representation
in the aide.db to the one used by the repositories. There is some sample
code for that in the aide tgz IIRC.
I think I was looking at it the other way around: use other hash databases
to improve AIDE output, classifying or removing.
Something like
http://blog.rootshell.be/2013/05/13/improving-file-integrity-monitoring-with-ossec/
(which is not feasible with current out-of-the-box OSSEC).

In 0.15.1 and 0.16a2, I have the contrib dir:
aide-attributes.sh bzip2.sh gpg2_check.sh
gpg2_update.sh gpg_check.sh gpg_update.sh sshaide.sh
It doesn't seem to me that there is a conversion script.

Cheers,

Julien
Richard van den Berg
2014-04-24 21:31:45 UTC
Post by Julien T
It doesn't seem to me that there is a conversion script.
I guess not. Basically what you need is a base64 (what aide.db uses) to hex (what most repositories
use) converter. In Python that would be:

import binascii
# base64 digest from aide.db -> hex digest as used by the repositories
binascii.b2a_hex(binascii.a2b_base64(string_from_aide_db))

Kind regards,

Richard
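Richard's one-liner carried through into a small script, as an added example that is neither from this thread nor from the AIDE project: it reads the column named in the aide.db "@@db_spec" header, converts each base64 digest to hex, and labels paths against local known-good/known-bad sets, the classification Julien was after. The db layout of the constructed sample, the "0" placeholder for a missing digest and the padding handling are assumptions, not verified against a particular AIDE version.

```python
import base64
import binascii
import hashlib

def aide_hash_to_hex(b64_hash):
    """Base64 digest as stored in aide.db -> lowercase hex (the form most hash
    repositories use). Padding is re-added in case a stored value omits '='."""
    s = b64_hash.strip()
    s += "=" * (-len(s) % 4)  # defensive; assumption, not verified per AIDE version
    return binascii.b2a_hex(binascii.a2b_base64(s)).decode("ascii")

def parse_aide_db(lines, hash_attr="sha256"):
    """Return [(path, hex_digest)] for file entries of an aide.db text. The
    column of hash_attr is read from the '@@db_spec' header, so no fixed field
    order is assumed; a '0' field is taken as 'no digest' and skipped (assumption)."""
    cols, out = [], []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@@db_spec"):
            cols = line.split()[1:]
            continue
        if line.startswith("@@") or hash_attr not in cols:
            continue
        fields = line.split()
        idx = cols.index(hash_attr)
        if idx < len(fields) and fields[idx] != "0":
            out.append((fields[0], aide_hash_to_hex(fields[idx])))
    return out

def classify(entries, known_good, known_bad):
    """Label each path against local known-good / known-bad hex digest sets."""
    return {p: ("known-bad" if h in known_bad else
                "known-good" if h in known_good else "unknown")
            for p, h in entries}

# Constructed sample: a minimal aide.db excerpt in an assumed db_spec layout,
# with digests computed here so the example is self-consistent.
GOOD_CONTENT, BAD_CONTENT = b"hello\n", b"nothing"
def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")
SAMPLE_DB = [
    "@@db_spec name lname perm size sha256",
    "/etc/hosts 0 644 6 " + b64_sha256(GOOD_CONTENT),
    "/usr/bin/odd 0 755 7 " + b64_sha256(BAD_CONTENT),
    "/etc/motd.d 0 755 0 0",  # directory entry: no digest stored
]
KNOWN_GOOD = {hashlib.sha256(GOOD_CONTENT).hexdigest()}  # stand-in for a local cache
KNOWN_BAD = {hashlib.sha256(BAD_CONTENT).hexdigest()}    # of repository lookups
```

Feeding `classify(parse_aide_db(open("aide.db")), known_good, known_bad)` the real database (gunzipped first) gives the per-path labels; anything "unknown" is what remains to be looked up.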