
SHA256 enrichment #222

Ushakovaaa opened this issue Aug 5, 2024 · 1 comment

Comments

@Ushakovaaa

Hi!
I have added sha256 enrichment to the SYSCALL event if it has an "exe" field. However, it is not possible to compile a laurel file that works on all Linux versions (Ubuntu, Debian, Oracle, etc.). I have to compile the file on each version. I'm not a developer, so I'm asking for your advice. How can I compile a laurel file to fit all versions? When downloading a ready-made laurel file from your repository, it works on all versions.

I think this will be relevant for everyone. It would be great to see SHA256 enrichment out of the box

Example event:

```
<134>Jun 24 13:54:40 srv-test laurel: {"ID":"1719226343.855:96490","NODE":"10.10.10.10","SYSCALL":{"success":"yes","exit":0,"items":2,"ppid":2309455,"pid":2309456,"tty":"pts0","ses":985,"comm":"whoami","exe":"/usr/bin/whoami","key":"execve","ARGV":["0x55c7fd20ff00","0x55c7fd215620","0x55c7fd1e8820","0x8"],"AUID":"root","UID_GROUPS":["bin","daemon","sys","adm","disk","wheel","proc","root"],"UID":"root","GID":"root","EUID":"root","SUID":"root","FSUID":"root","EGID":"root","SGID":"root","FSGID":"root","ARCH":"x86_64","SYSCALL":"execve","PID":{"EVENT_ID":"1719226343.855:96490"},"SHA256":"88086a021b59b957ea6fc2f78d450aece3bbc61ca67a843599a396904691c7fb"},"EXECVE":{"argc":1,"ARGV_STR":"whoami"},"CWD":{"cwd":"/root"},"PATH":[{"item":0,"name":"/usr/bin/whoami","inode":1309003,"dev":"08:02","mode":"0o100755","rdev":"00:00","nametype":"NORMAL","cap_fp":"0x0","cap_fi":"0x0","cap_fe":0,"cap_fver":"0x0","cap_frootid":"0","OUID":"root","OGID":"root"},{"item":1,"name":"/lib64/ld-linux-x86-64.so.2","inode":785061,"dev":"08:02","mode":"0o100755","rdev":"00:00","nametype":"NORMAL","cap_fp":"0x0","cap_fi":"0x0","cap_fe":0,"cap_fver":"0x0","cap_frootid":"0","OUID":"root","OGID":"root"}],"PROCTITLE":{"ARGV":["whoami"]}}
```
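The enrichment described in the post, as a stand-alone added example (this is not the poster's patch and not Laurel's own code): read one Laurel JSON event, and when `SYSCALL.exe` is an absolute path, hash that file and store the hex digest as `SYSCALL.SHA256`, the same field name the example event shows. The `root` parameter, the trimmed `SAMPLE_EVENT` and the fake `whoami` written to a scratch directory are constructed for this example so it runs offline; unreadable files and placeholder `exe` values such as `(null)` are left un-enriched rather than raising.

```python
import hashlib
import json
import os
import tempfile
from typing import Optional

# Constructed sample: a Laurel SYSCALL event as it looks before enrichment,
# trimmed to the fields this example needs.
SAMPLE_EVENT = json.dumps({
    "ID": "1719226343.855:96490",
    "SYSCALL": {"success": "yes", "comm": "whoami",
                "exe": "/usr/bin/whoami", "SYSCALL": "execve"},
    "EXECVE": {"argc": 1, "ARGV_STR": "whoami"},
})

# Constructed contents of the fake /usr/bin/whoami used by demo().
FAKE_EXE_CONTENT = b"#!/bin/sh\necho root\n"
EXPECTED_DEMO_SHA256 = hashlib.sha256(FAKE_EXE_CONTENT).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> Optional[str]:
    """Hex SHA-256 of the file at `path`, streamed in chunks; None if unreadable."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                digest.update(chunk)
    except OSError:
        return None
    return digest.hexdigest()


def enrich_event(line: str, root: str = "/") -> dict:
    """Parse one JSON event line; if SYSCALL has an absolute `exe`, add SYSCALL.SHA256.

    `root` (an assumption of this example) is prepended to the exe path so the
    function can be exercised against a scratch directory instead of the live
    filesystem.  Events without a usable exe are returned unchanged.
    """
    event = json.loads(line)
    syscall = event.get("SYSCALL")
    if not isinstance(syscall, dict):
        return event
    exe = syscall.get("exe")
    # Audit may report a placeholder such as "(null)"; only hash real absolute paths.
    if not isinstance(exe, str) or not exe.startswith("/"):
        return event
    full_path = os.path.join(root, exe.lstrip("/"))
    digest = sha256_of_file(full_path)
    if digest is not None:
        syscall["SHA256"] = digest
    return event


def demo() -> dict:
    """Build a scratch root holding a fake /usr/bin/whoami and enrich SAMPLE_EVENT."""
    with tempfile.TemporaryDirectory() as root:
        exe_dir = os.path.join(root, "usr", "bin")
        os.makedirs(exe_dir)
        with open(os.path.join(exe_dir, "whoami"), "wb") as fh:
            fh.write(FAKE_EXE_CONTENT)
        return enrich_event(SAMPLE_EVENT, root=root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

One caveat worth keeping in mind when doing this inside the log pipeline: the hash is taken when the event is processed, not at the moment of `execve`, so a binary that was replaced or deleted in between will hash differently or not at all; treating a missing digest as "not enriched" rather than as an error keeps the event flowing.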

@hillu (Collaborator) commented Aug 5, 2024

For building Laurel binaries that work on old Linux distributions, please have a look at the GitHub workflows. The main trick is making sure that the resulting binary does not depend on too new glibc symbols. You can achieve that by building on an old Linux distro, such as CentOS7, or on a Linux distro that does not use glibc as its default libc at all, such as Alpine.

If you like, feel free to post your SHA256 patch as a PR.
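A quick way to check the property hillu describes before shipping a binary, as an added example that is not part of the issue or of Laurel: scan the file for the `GLIBC_x.y` symbol-version tags a dynamically linked ELF carries, take the newest one, and compare it against the glibc of the oldest target distro (CentOS 7 ships glibc 2.17, used here as the constructed target). The three byte strings are constructed stand-ins for real binaries; on a real file `objdump -T` on the `.gnu.version_r` section is the authoritative source, and this string scan is the same heuristic as `strings | grep GLIBC_`.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Symbol-version tags embedded in a glibc-linked ELF binary, e.g. GLIBC_2.34 or GLIBC_2.2.5.
GLIBC_VERSION_RE = re.compile(rb"GLIBC_(\d+)\.(\d+)(?:\.(\d+))?")


def required_glibc_versions(data: bytes) -> List[Version]:
    """Sorted, de-duplicated GLIBC_ version tags found anywhere in `data`."""
    found = set()
    for m in GLIBC_VERSION_RE.finditer(data):
        found.add(tuple(int(g) for g in m.groups() if g is not None))
    return sorted(found)


def newest_glibc_needed(data: bytes) -> Optional[Version]:
    """The newest glibc symbol version the binary references, or None if it references none."""
    versions = required_glibc_versions(data)
    return versions[-1] if versions else None


def runs_on(data: bytes, target_glibc: Version) -> bool:
    """True if no referenced symbol version is newer than `target_glibc` (tuple compare)."""
    need = newest_glibc_needed(data)
    return need is None or need <= target_glibc


def check_file(path: str, target_glibc: Version) -> bool:
    """Apply runs_on() to a file on disk."""
    with open(path, "rb") as fh:
        return runs_on(fh.read(), target_glibc)


# Constructed stand-ins for binary contents (not real ELF files):
NEW_DISTRO_BUILD = b"\x7fELF...\0GLIBC_2.2.5\0GLIBC_2.17\0GLIBC_2.34\0..."   # built on a recent distro
OLD_DISTRO_BUILD = b"\x7fELF...\0GLIBC_2.2.5\0GLIBC_2.17\0..."               # built on CentOS 7
STATIC_MUSL_BUILD = b"\x7fELF...\0..."                                       # no GLIBC_ tags at all
CENTOS7_GLIBC: Version = (2, 17)


if __name__ == "__main__":
    for name, blob in (("new-distro", NEW_DISTRO_BUILD),
                       ("old-distro", OLD_DISTRO_BUILD),
                       ("static-musl", STATIC_MUSL_BUILD)):
        print(name, newest_glibc_needed(blob), "ok on CentOS 7" if runs_on(blob, CENTOS7_GLIBC) else "too new")
```

The static musl case reports no requirement at all, which is exactly why an Alpine build sidesteps the problem; the recent-distro build fails the check because of its `GLIBC_2.34` reference, which is the symptom behind "works on one distro, not on another".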
