I went to the OSSEC presentation at AusCERT and was impressed, so I ran up 
a test box with about five Linux servers sending logs via syslog and one 
Win2003 box with the agent on it. I'm impressed with what it can do, and 
am now trying my hand at custom rules.

I want to receive an alert whenever there is software installed on the 
Windows 2003 box so I can see if updates etc are installed properly and no 
one puts any unauthorised programs on the server. 

The Windows MSI installer events are information events and seem to all have 
Event IDs like 117xx. I've tried the following to get it working, but no 
luck yet.

In msauth_rules.xml it has the following:

  <rule id="18101" level="0">
    <if_sid>18100</if_sid>
    <status>^INFORMATION</status>
    <description>Windows informational event.</description>
  </rule>

Since I'm after information events and the level of the above rule is 0, I 
figured it would drop the event and go no further, so I put the following 
in local_rules.xml:

<group name="local,windows,">

  <rule id="18101" level="1" overwrite="yes">
    <if_sid>18100</if_sid>
    <status>^INFORMATION</status>
    <description>Windows informational event.</description>
  </rule>

  <!-- Trying to alert on Windows application installations. -->
  <rule id="100101" level="8">
    <if_sid>18101</if_sid>
    <id>^117</id>
    <description>Windows Installation Activity</description>
  </rule>

</group>

Am I going about this the right way or is there something else I need to 
do?


Also, when I edit the rules or the configuration files, do I need to 
restart the server and/or agent? I've been restarting the server, because 
what I understand from the wiki is that the server sends new rules out to 
the agents.

Any help would be much appreciated.

-GP
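As an added illustration (my own Python, not from the original post and not OSSEC's code), this mimics the decode-then-match chain the two rules in the post express, run over constructed WinEvtLog lines. The line format, the decoder regex and the sample event IDs are assumptions; the authoritative way to check a rule is OSSEC's own ossec-logtest.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the shape an OSSEC agent forwards Windows
# event log records ("WinEvtLog: <log>: <TYPE>(<id>): <source>: ...").
# The format and the event IDs are assumptions, not taken from the post.
SAMPLE_EVENTS = [
    "WinEvtLog: Application: INFORMATION(11707): MsiInstaller: SYSTEM: NT AUTHORITY: HOST1: Product: Example Tool -- Installation completed successfully.",
    "WinEvtLog: Application: INFORMATION(11708): MsiInstaller: SYSTEM: NT AUTHORITY: HOST1: Product: Example Tool -- Installation failed.",
    "WinEvtLog: Application: INFORMATION(11724): MsiInstaller: SYSTEM: NT AUTHORITY: HOST1: Product: Example Tool -- Removal completed successfully.",
    "WinEvtLog: Application: INFORMATION(1033): MsiInstaller: SYSTEM: NT AUTHORITY: HOST1: Windows Installer installed the product.",
    "WinEvtLog: System: ERROR(7034): Service Control Manager: N/A: N/A: HOST1: The Example service terminated unexpectedly.",
]

@dataclass
class Decoded:
    status: str   # what the post's <status> field tests
    id: str       # what the post's <id> field tests
    srcname: str  # event source, e.g. MsiInstaller

# Hypothetical decoder: extracts the fields the post's rules look at.
DECODE_RE = re.compile(r"^WinEvtLog: [^:]+: ([A-Z_]+)\((\d+)\): ([^:]+):")

def decode(line: str) -> Optional[Decoded]:
    m = DECODE_RE.match(line)
    if not m:
        return None
    return Decoded(status=m.group(1), id=m.group(2), srcname=m.group(3))

# The post's patterns, as anchored prefix matches (OSSEC's "^" semantics).
RULE_18101_STATUS = re.compile(r"^INFORMATION")
RULE_100101_ID = re.compile(r"^117")

def rule_fired(line: str) -> Optional[int]:
    """Return the deepest rule id from the post that the line reaches
    (simplified: anything non-informational stops at the parent 18100)."""
    d = decode(line)
    if d is None:
        return None
    if not RULE_18101_STATUS.match(d.status):
        return 18100
    if RULE_100101_ID.match(d.id):
        return 100101
    return 18101

def installer_alerts(lines: List[str]) -> List[str]:
    """Event IDs that would raise the post's level-8 rule 100101."""
    return [decode(l).id for l in lines if rule_fired(l) == 100101]
```

Because `^117` is a prefix match, the 11724 removal event is caught alongside the 11707/11708 install events, while the 1033 variant is not; that is the kind of coverage gap worth confirming against real events before trusting the alert.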

***********************************************************************
WARNING: This e-mail (including any attachments) may contain legally
privileged, confidential or private information and may be protected by
copyright. You may only use it if you are the person(s) it was intended
to be sent to and if you use it in an authorised way.  No one is 
allowed to use, review, alter, transmit, disclose, distribute, print 
or copy this e-mail without appropriate authority.

If this e-mail was not intended for you and was sent to you by mistake,
please telephone or e-mail me immediately, destroy any hardcopies of
this e-mail and delete it and any copies of it from your computer
system. Any right which the sender may have under copyright law, and 
any legal privilege and confidentiality attached to this e-mail is not 
waived or destroyed by that mistake.

It is your responsibility to ensure that this e-mail does not contain
and is not affected by computer viruses, defects or interference by
third parties or replication problems (including incompatibility with
your computer system).

Opinions contained in this e-mail do not necessarily reflect the
opinions of the Queensland Department of Main Roads, Queensland
Transport or Maritime Safety Queensland, or endorsed organisations
utilising the same infrastructure.
***********************************************************************
