On Apr 28, 2014 6:44 PM, "Ash Windy" <[email protected]> wrote:
>
> hi
> I tried many times to get syscheck to detect Windows file changes, but it does not work properly. It can monitor any directory except c:\windows\system32.
>
> test step:
> 1. use agent.conf to monitor c:\windows
> 2. enable new-file alerts on the ossec server
> 3. restart both. wait a long time. make sure syscheck-pre has ended.
> 4. copy one file "client.key" to both directories, c:\windows and c:\windows\system32.
> 5. monitor logs
>

If it's in the message I apologize, but what version of Windows? Have you tried ossec 2.8? Are there file auditing options in Windows to track attempted access? If so you could turn that on and see if there is any more available info on why this is failing.

> result.
> 1. on windows agent
> 2014/04/28 16:22:01 ossec-agent: DEBUG: Attempting to send message to server.
> 2014/04/28 16:22:01 ossec-agent: DEBUG: Sending message to server: '96:33206:0:0:ed037ff967353b1ac2d5157f991d7a8e:28002c9f9bf270064e014795bc5f8e465b14533f C:\WINDOWS/client.keys'
>
> not c:\windows\system32\client.keys
>
> 2. on ossec server
> # tail -f /var/ossec/queue/syscheck/\(test-windows\)\ 192.168.93.150-\>syscheck
> +++96:33206:0:0:ed037ff967353b1ac2d5157f991d7a8e:28002c9f9bf270064e014795bc5f8e465b14533f !1398723721 C:\WINDOWS/client.keys
>
> 3. alert log
> Alert 1398723721.1352222: mail - local,syslog,syscheck,
> 2014 Apr 28 15:22:01 (test-windows) 192.168.93.150->syscheck
> Rule: 554 (level 10) -> 'File added to the system.'
> New file 'C:\\WINDOWS/client.keys' added to the file system.
>
> same result, there is nothing for system32.
>
> just the one log above.
>
> Does anybody know why?
>
> thanks!!
>
> following is my configuration
> ========
> <agent_config os="Windows">
>
>   <localfile>
>     <location>Application</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>   <localfile>
>     <location>Security</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>   <localfile>
>     <location>System</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>   <!-- Rootcheck - Policy monitor config -->
>   <rootcheck>
>     <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
>     <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
>     <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
>   </rootcheck>
>
>   <!-- Syscheck - Integrity Checking config. -->
>   <syscheck>
>     <frequency>120</frequency>
>     <directories check_all="yes">C:\WINDOWS</directories>
>
>     <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$</ignore>
>
>     <!-- Windows registry entries to monitor. -->
>     <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
>
>     <!-- Windows registry entries to ignore. -->
>     <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Prefetcher</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Interface</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\TypeLib</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\MIME</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Software</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\CLSID</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Watchdog</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaCategories</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\hivelist</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceCurrent</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Performance</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient</registry_ignore>
>     <registry_ignore type="sregex">\Enum$</registry_ignore>
>
>   </syscheck>
>
> </agent_config>
>
> ===== server ossec.conf =========
> # cat ../etc/ossec.conf
> <ossec_config>
>   <global>
>     <email_notification>yes</email_notification>
>     <email_to>[email protected]</email_to>
>     <smtp_server>127.0.0.1</smtp_server>
>     <email_from>[email protected]</email_from>
>   </global>
>
>   <rules>
>     <include>rules_config.xml</include>
>     <include>pam_rules.xml</include>
>     <include>sshd_rules.xml</include>
>     <include>telnetd_rules.xml</include>
>     <include>syslog_rules.xml</include>
>     <include>arpwatch_rules.xml</include>
>     <include>symantec-av_rules.xml</include>
>     <include>symantec-ws_rules.xml</include>
>     <include>pix_rules.xml</include>
>     <include>named_rules.xml</include>
>     <include>smbd_rules.xml</include>
>     <include>vsftpd_rules.xml</include>
>     <include>pure-ftpd_rules.xml</include>
>     <include>proftpd_rules.xml</include>
>     <include>ms_ftpd_rules.xml</include>
>     <include>ftpd_rules.xml</include>
>     <include>hordeimp_rules.xml</include>
>     <include>roundcube_rules.xml</include>
>     <include>wordpress_rules.xml</include>
>     <include>cimserver_rules.xml</include>
>     <include>vpopmail_rules.xml</include>
>     <include>vmpop3d_rules.xml</include>
>     <include>courier_rules.xml</include>
>     <include>web_rules.xml</include>
>     <include>web_appsec_rules.xml</include>
>     <include>apache_rules.xml</include>
>     <include>nginx_rules.xml</include>
>     <include>php_rules.xml</include>
>     <include>mysql_rules.xml</include>
>     <include>postgresql_rules.xml</include>
>     <include>ids_rules.xml</include>
>     <include>squid_rules.xml</include>
>     <include>firewall_rules.xml</include>
>     <include>cisco-ios_rules.xml</include>
>     <include>netscreenfw_rules.xml</include>
>     <include>sonicwall_rules.xml</include>
>     <include>postfix_rules.xml</include>
>     <include>sendmail_rules.xml</include>
>     <include>imapd_rules.xml</include>
>     <include>mailscanner_rules.xml</include>
>     <include>dovecot_rules.xml</include>
>     <include>ms-exchange_rules.xml</include>
>     <include>racoon_rules.xml</include>
>     <include>vpn_concentrator_rules.xml</include>
>     <include>spamd_rules.xml</include>
>     <include>msauth_rules.xml</include>
>     <include>mcafee_av_rules.xml</include>
>     <include>trend-osce_rules.xml</include>
>     <include>ms-se_rules.xml</include>
>     <!-- <include>policy_rules.xml</include> -->
>     <include>zeus_rules.xml</include>
>     <include>solaris_bsm_rules.xml</include>
>     <include>vmware_rules.xml</include>
>     <include>ms_dhcp_rules.xml</include>
>     <include>asterisk_rules.xml</include>
>     <include>ossec_rules.xml</include>
>     <include>attack_rules.xml</include>
>     <include>openbsd_rules.xml</include>
>     <include>clam_av_rules.xml</include>
>     <include>bro-ids_rules.xml</include>
>     <include>dropbear_rules.xml</include>
>     <include>local_rules.xml</include>
>   </rules>
>
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>     <frequency>300</frequency>
>
>     <alert_new_files>yes</alert_new_files>
>
>     <!-- Directories to check (perform all possible verifications) -->
>     <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories realtime="yes" check_all="yes">/bin,/sbin</directories>
>
>     <!-- Files/directories to ignore -->
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/mnttab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>     <ignore>/etc/cups/certs</ignore>
>     <ignore>/etc/dumpdates</ignore>
>     <ignore>/etc/svc/volatile</ignore>
>   </syscheck>
>
>   <rootcheck>
>     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>     <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>     <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
>     <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>     <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>   </rootcheck>
>
>   <global>
>     <white_list>127.0.0.1</white_list>
>     <white_list>^localhost.localdomain$</white_list>
>     <white_list>192.168.93.2</white_list>
>   </global>
>
>   <remote>
>     <connection>secure</connection>
>   </remote>
>
>   <alerts>
>     <log_alert_level>1</log_alert_level>
>     <email_alert_level>7</email_alert_level>
>   </alerts>
>
>   <command>
>     <name>host-deny</name>
>     <executable>host-deny.sh</executable>
>     <expect>srcip</expect>
>     <timeout_allowed>yes</timeout_allowed>
>   </command>
>
>   <command>
>     <name>firewall-drop</name>
>     <executable>firewall-drop.sh</executable>
>     <expect>srcip</expect>
>     <timeout_allowed>yes</timeout_allowed>
>   </command>
>
>   <command>
>     <name>disable-account</name>
>     <executable>disable-account.sh</executable>
>     <expect>user</expect>
>     <timeout_allowed>yes</timeout_allowed>
>   </command>
>
>   <command>
>     <name>restart-ossec</name>
>     <executable>restart-ossec.sh</executable>
>     <expect></expect>
>   </command>
>
>   <command>
>     <name>route-null</name>
>     <executable>route-null.sh</executable>
>     <expect>srcip</expect>
>     <timeout_allowed>yes</timeout_allowed>
>   </command>
>
>   <!-- Files to monitor (localfiles) -->
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/messages</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/secure</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/maillog</location>
>   </localfile>
>
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/var/log/httpd/error_log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/var/log/httpd/access_log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>command</log_format>
>     <command>df -h</command>
>   </localfile>
>
>   <localfile>
>     <log_format>full_command</log_format>
>     <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
>   </localfile>
>
>   <localfile>
>     <log_format>full_command</log_format>
>     <command>last -n 5</command>
>   </localfile>
> </ossec_config>
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
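The agent's debug message and the server's queue line quoted in the thread carry the same syscheck checksum string. As an added example (not code from the thread or from OSSEC), this Python script parses such lines and reports how many distinct files were seen beneath each watched directory, turning the poster's by-eye search for system32 entries into a check that can run over a whole queue file. It interprets the checksum as size:perm:uid:gid:md5:sha1, OSSEC's syscheck layout, which the thread shows but does not name; the sample lines are the two quoted in the thread.

```python
"""Report which watched directories actually show up in an OSSEC syscheck queue.
Added example, not OSSEC code.  Lines are read as "[+++]<checksum> [!<epoch>] <path>"
with the checksum interpreted as size:perm:uid:gid:md5:sha1 (the thread's entries)."""
import re
from dataclasses import dataclass
from typing import Optional
_LINE_RE = re.compile(
    r"^(?:\+\+\+)?(?P<sum>\d+:\d+:\d+:\d+:[0-9a-f]{32}:[0-9a-f]{40})"
    r"(?: !(?P<ts>\d+))? (?P<path>.+)$")

@dataclass
class SyscheckEntry:
    size: int
    perm: int             # st_mode in decimal: 33206 == 0o100666, a regular file with mode 666
    uid: int
    gid: int
    md5: str
    sha1: str
    mtime: Optional[int]  # present in server queue lines, absent in the agent's debug message
    path: str             # normalised: backslashes only, lower case

def normalize_win_path(path: str) -> str:
    """Windows paths are case-insensitive and the agent mixes '\\' and '/'."""
    return path.replace("/", "\\").lower()

def parse_line(line: str) -> Optional[SyscheckEntry]:
    """Parse one queue or agent-message line; return None for anything else."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    size, perm, uid, gid, md5, sha1 = m.group("sum").split(":")
    ts = m.group("ts")
    return SyscheckEntry(int(size), int(perm), int(uid), int(gid), md5, sha1,
                         int(ts) if ts else None, normalize_win_path(m.group("path")))

def coverage(lines, directories) -> dict:
    """Distinct file paths reported beneath each directory; 0 means nothing was seen there."""
    paths = {e.path for e in map(parse_line, lines) if e is not None}
    prefixes = {d: normalize_win_path(d).rstrip("\\") + "\\" for d in directories}
    return {d: sum(p.startswith(pre) for p in paths) for d, pre in prefixes.items()}

# The two entries quoted in the thread: the server's queue line and the agent's debug message.
THREAD_LINES = [
    "+++96:33206:0:0:ed037ff967353b1ac2d5157f991d7a8e:"
    "28002c9f9bf270064e014795bc5f8e465b14533f !1398723721 C:\\WINDOWS/client.keys",
    "96:33206:0:0:ed037ff967353b1ac2d5157f991d7a8e:"
    "28002c9f9bf270064e014795bc5f8e465b14533f C:\\WINDOWS/client.keys",
]

if __name__ == "__main__":
    for d, n in coverage(THREAD_LINES, ["C:\\WINDOWS", "C:\\WINDOWS\\system32"]).items():
        print(f"{d}: {n} file(s) reported" + ("" if n else "   <-- nothing seen"))
```

Run against the real queue file (the `tail -f` target above) the same way, and a zero next to a directory that was written to during the test shows which subtree the agent never reported.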
