I put this in based on instructions but can't get the log to be read. Am I missing anything here?
-Derek Morris

> To those who have been waiting for this. I'm sorry! I got sidetracked with
> a bunch of other projects and I forgot to send this to the list. I'm in the
> process of setting up a Windows 2008 DHCP Server and I'll check to see that
> these rules work for 2008 too. I've tried to provide instructions on how to
> add this to your environment. Hopefully I didn't leave out any steps.
>
> 1. Modify the ossec.conf file on the DNS server to tell OSSEC to monitor the
> DHCP log. These logs rotate daily and then get overwritten weekly.
>
> <ossec_config>
> <localfile>
> <location>%windir%\system32\dhcp\*.log</location>
> <log_format>syslog</log_format>
> </localfile>
> </ossec_config>
>
> 2. Modify the decoder.xml file on the OSSEC server with the following
> decoder. It is located in the ossec /etc folder.
>
> <decoder name="ms-dhcp">
> <prematch>\d+,\d+/\d+/\d+,\d+\p\d+\p\d+,</prematch>
>
> <regex>(\d+),\d+/\d+/\d+,\d+\p\d+\p\d+,(\.*),(\.*),(\.*),(\.*),(\.*)</regex>
> <order>id, action, srcip, system_name, extra_data, user</order>
> </decoder>
>
> 3. Copy the attached ms_dhcp_rules.xml file in the OSSEC server's /rules
> directory.
>
> NOTE: Since the dhcpd rules were 12100 range, I incremented my rule IDs to
> 12200 and up. Not sure if this is against policy since "user" signature IDs
> were supposed to be in the 10K range? I left the rule severity at level 5
> until I better understand it and I wasn't completely sure what to put for
> the group in the rules. I'll probably change that at some point.
>
> 4. Edit the ossec.conf file in your OSSEC server's /etc directory to include
> the new rule set.
>
> <include>ms_dhcp_rules.xml</include>
>
> 5. Restart ossec and it should now be working.
>
> I've tested this extensively using the ossec-logtest utility and as far as I
> can tell, it is working pretty well.
>
> Oh, I've also modified the WUI so I can choose to filter out DHCP messages
> only. Edit the ossec_formats.php file in the wui/lib/ folder. You want to
> modify the "Microsoft" array to look like this. Not sure how this format is
> going to come out after going through email and such, so I'll attach this
> email as a .txt file too.
>
> "Microsoft" => array(
> "Microsoft (all)" => "windows|msftp|exchange|dhcp"
> , "Windows" => "windows"
> , "MS Ftp" => "msftp"
> , "Exchange" => "exchange"
> , "DHCP" => "dhcp"
> ),
>
> Hope this is helpful for someone else out there. There have been times where
> I've had to be able to prove who had a certain IP address at a given time
> because they showed up in the proxy log for one reason or another.
>
> Thanks,
>
> phishphreek
>
> On Wed, Mar 25, 2009 at 2:36 PM, Daniel Cid <daniel....@gmail.com> wrote:
>
>> Hey,
>>
>> Yes, that sounds very interesting. Please share with us :) If you need
>> any help, just ask.
>>
>> Thanks,
>>
>> --
>> Daniel B. Cid
>> dcid ( at ) ossec.net
>>
>> On Tue, Mar 17, 2009 at 12:23 AM, <phishphr...@gmail.com> wrote:
>> >
>> > I've taken some time and created a basic decoder as well as some rules
>> > for a Windows Server 2003 DHCP server. I've not yet had an opportunity
>> > to test but I plan to as early as tomorrow morning. Would anyone be
>> > interested in something like this?
>> >
>> > I thought this might be useful for tracking which host/machine had
>> > which IP address at any given time. I currently use various open
>> > source solutions for network mapping (switch ports, routers, etc.) but
>> > I am in a m$ environment. I use m$ servers for DHCP and their logs
>> > rotate weekly. I needed a better way to prove which machines had which
>> > IP addresses at any given time.
>> >
>> > Disclaimer: I'm a n00b with this project. I've been using it in a lab
>> > environment on and off for the past year or so to see what I might be
>> > able to do with it. I think it's an awesome project with a lot of
>> > potential.
>> >
>> > phishphreek
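As an added check, not part of the thread or of OSSEC: a Python re-expression of the quoted ms-dhcp decoder's prematch and regex, run over a constructed Windows 2003 DhcpSrvLog excerpt, showing which lines the decoder would see (the descriptive header is skipped) and how the six fields land in the <order> names. The OSSEC-syntax classes \p and \. are assumed to translate to [:.] and [^,]* here, and the host, IP and MAC values are made up.

```python
import re

# Translation of the decoder quoted above into standard regex syntax. This is an
# assumption: OSSEC's own matcher uses \p (punctuation) and \. (any character);
# [:.] and [^,]* reproduce the same comma-separated field split in Python.
PREMATCH = re.compile(r"^\d+,\d+/\d+/\d+,\d+[:.]\d+[:.]\d+,")
FIELDS = re.compile(
    r"^(\d+),\d+/\d+/\d+,\d+[:.]\d+[:.]\d+,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)"
)
# Same order as the <order> element of the decoder.
ORDER = ("id", "action", "srcip", "system_name", "extra_data", "user")

def decode_line(line):
    """Return the decoded fields for one DHCP audit record, or None if the
    prematch (and therefore the decoder) would not fire on this line."""
    line = line.rstrip("\r\n")
    if not PREMATCH.match(line):
        return None
    m = FIELDS.match(line)
    return dict(zip(ORDER, m.groups())) if m else None

def decode_log(text):
    """Decode every matching record in a log body, skipping header lines."""
    return [d for d in (decode_line(ln) for ln in text.splitlines()) if d]

# Constructed sample in the Windows 2003 DhcpSrvLog-*.log layout: a free-text
# header explaining event IDs, then CSV records (ID,Date,Time,Description,
# IP Address,Host Name,MAC Address). All values below are invented.
SAMPLE_LOG = """\
\t\tMicrosoft DHCP Service Activity Log

Event ID  Meaning
10\tA new IP address was leased to a client.
11\tA lease was renewed by a client.

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,03/25/09,02:36:12,Started,,,,
10,03/25/09,02:40:05,Assign,192.168.10.57,ws-derek.example.lab,001122AABBCC,
11,03/25/09,02:41:19,Renew,192.168.10.58,printer-2f.example.lab,00AABBCCDDEE,
"""

def who_had_ip(text, ip):
    """The thread's use case: which host(s)/MAC(s) held a given address."""
    return [(d["action"], d["system_name"], d["extra_data"])
            for d in decode_log(text) if d["srcip"] == ip]
```

If a real log line returns None here, the decoder will not fire on it in OSSEC either, which is the first thing to confirm with ossec-logtest.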