On Sat, Nov 9, 2013 at 7:37 PM, Dũng Trần Văn <[email protected]> wrote:
> Thanks for your answer.
> But I want to know the changes on the Agent, for example: Windows XP
> Professional. When the service is installed, what are the changes? Where are
> they stored? Then the Agent will send information to the Linux Server with
> OSSEC, and give the alerts.
> I hope to receive your help. Thanks so much.
>
Find out how the system would know about the installation (it's logged
if an actual installation is done, right?). Make sure that log is
monitored. For everything else, use syscheck to alert you to new files.
I guess you could find a way to dump the current services configuration
(on, off, running, stopped, blah blah), and create a local command to
run and compare the outputs.

> On Saturday, November 9, 2013 at 00:02:31 UTC+7, Santiago
> Bassett wrote:
>>
>> Hi Dung,
>>
>> If this is for a Linux server I guess you would probably need to monitor
>> the bin directories, using syscheck, for new files (/bin /sbin /usr/bin
>> ...), so you can discover if a new service is installed.
>>
>> As well, if you know exactly what new files you are looking for, you may
>> be able to create file system signatures, using rootcheck. You can find
>> examples at /var/ossec/etc/shared/
>>
>> I hope it helps,
>>
>> Santiago.
>>
>> On Fri, Nov 8, 2013 at 8:11 AM, Dũng Trần Văn <[email protected]> wrote:
>>>
>>> But I don't know, when the service is installed on an Agent, what are the
>>> changes?
>>>
>>> Example: when TeamViewer is installed, what is the change, and where is
>>> it stored?
>>>
>>> Thanks for your help so much.
>>>
>>>> If I understand this correctly, OSSEC should be capable of these tasks.
>>>>
>>>> > --
>>>> >
>>>> > ---
>>>> > You received this message because you are subscribed to the Google Groups
>>>> > "ossec-list" group.
>>>> > To unsubscribe from this group and stop receiving emails from it, send an
>>>> > email to [email protected].
>>>> > For more options, visit https://groups.google.com/groups/opt_out.
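The approach suggested in the reply above (monitor the relevant log, use syscheck for new files, and compare successive outputs of a command that dumps service state), sketched as OSSEC configuration. This is an added example, not part of the original thread: the rule ID 100510, the alert levels, the monitored paths and the `sc query state= all` command are assumptions, and it assumes an agent version that supports `full_command`.

```xml
<!-- Agent side (assumed file: ossec.conf on the Windows agent) -->
<ossec_config>
  <syscheck>
    <!-- Files: places where service binaries and drivers commonly land -->
    <directories check_all="yes">%WINDIR%/system32</directories>
    <!-- Registry: the key under which Windows stores service definitions -->
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
  </syscheck>

  <!-- Forward the System event log so service-related events reach the manager -->
  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>

  <!-- Dump the state of every service; the manager keeps the previous output -->
  <localfile>
    <log_format>full_command</log_format>
    <command>sc query state= all</command>
  </localfile>
</ossec_config>

<!-- Manager side (assumed file: /var/ossec/rules/local_rules.xml) -->
<group name="local,services,">
  <!-- Fires when the command output differs from the last run.
       The ID 100510 is an arbitrary pick from the local range (100000+). -->
  <rule id="100510" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'sc query state= all'</match>
    <check_diff />
    <description>Windows service list or service state changed.</description>
  </rule>

  <!-- New-file events are decoded but carry level 0 in the stock rules;
       raise the level so they produce alerts. -->
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

New-file alerts also require `<alert_new_files>yes</alert_new_files>` in the manager's `<syscheck>` section, and they are only generated after a full syscheck scan.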
