I tested these problems again.
The important issues are the following:
1. Uploaded some files to two folders, but only one was detected.
2. Uploaded different files to different folders at the same time, but only one was detected.

I used procexp.exe and procmon.exe to monitor file access.


   1. Testing environment

OS: Windows 2003 R2

OSSEC version: 2.8 beta1

Server configuration for syscheck (a new-file alert has already been added to local_rules.xml):

===========ossec.conf======================
  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
  </syscheck>
==================================

 

Agent configuration for syscheck:

============agent.conf======================
  <syscheck>
    <frequency>600</frequency>
    <disabled>no</disabled>
    <directories check_all="yes" report_changes="yes">c:\autoexec.bat</directories>
    <directories check_all="yes">c:\config.sys</directories>
    <directories check_all="yes" realtime="yes">%WINDIR%</directories>

    <ignore>%WINDIR%/System32/LogFiles</ignore>
    <ignore>%WINDIR%/system32/wbem/Logs</ignore>
    <ignore>%WINDIR%/Prefetch</ignore>
    <ignore>%WINDIR%/Debug</ignore>
    <ignore>%WINDIR%/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>%WINDIR%/SoftwareDistribution</ignore>
    <ignore>%WINDIR%/Temp</ignore>
    <ignore>%WINDIR%/SchedLgU.Txt</ignore>
    <ignore>%WINDIR%/system32/config</ignore>
    <ignore>%WINDIR%/system32/CatRoot</ignore>
    <ignore>%WINDIR%/system32/wbem/Repository</ignore>
    <ignore>%WINDIR%/LastGood.Tmp</ignore>
    <ignore>%WINDIR%/LastGood</ignore>
    <ignore>%WINDIR%/Help</ignore>
    <ignore>%WINDIR%/Fonts</ignore>
    <ignore>%WINDIR%/PCHEALTH</ignore>
    <ignore>%WINDIR%/system32/dllcache</ignore>
    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$</ignore>

    <!-- Windows registry entries to monitor. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>

    <!-- Windows registry entries to ignore. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Prefetcher</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Interface</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\TypeLib</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\MIME</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Software</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\CLSID</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Watchdog</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaCategories</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\hivelist</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceCurrent</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Performance</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>
  </syscheck>
==============================

 

Enabled debug for the OSSEC server and the agent clients.

Opened Process Explorer and Process Monitor on Windows, and defined a filter to monitor ossec-agent.exe and the new file (so I can see who accesses the new file).

 

   2. Test step 1: upload a new file (RootkitRevealer.exe) to c:\windows

OSSEC agent status: sleeping, which means it had not started the syscan yet. But I noticed it still tries to access "c:\Program files(x86)\ossec-agent\syscheck\.syscheck_run", even though this file does not exist.

Monitor: at first it did not detect the upload in real time when I uploaded this new file. After waiting 10 minutes, it found the new file.

OSSEC logs: OK

Result: success

 

   3. Deleted the new file

OSSEC agent status: sleeping

Process Monitor: I can see that ossec-agent.exe accessed this file, like this:

 

[image: Process Monitor screenshot of ossec-agent.exe file access events under C:\WINDOWS (Desired Access: Generic Read; FileSystemControl with FSCTL_QUERY_ALLOCATED_RANGES)]

OSSEC logs: all of it is normal

Result: succeeded

 

   4. Uploaded the same file to two folders: one is c:\windows\system\, the other is c:\windows\system32\

OSSEC agent status: sleeping. I tried to restart syscheck with agent_control, but it did not work.

Monitor: it only found the file in c:\windows\system\ but could not find the other one in system32. Is it because it is the same file? Is it a bug?

OSSEC logs: of course, just one alert, for the system directory.

Result: failed

 

   5. Deleted these three files in different directories: first c:\windows\system32 (not detected), and then c:\system and c:\windows

OSSEC agent status: sleeping

Monitor: found them in real time, except for c:\windows\system32 (not detected).

Result: good?

 

   6. Uploaded different files to different folders at the same time (one file was used by the test above, the others are new)

Monitor: the old file was found in real time. The two new files were found when the syscan started.

Result: succeeded

Thanks

On Tuesday, May 6, 2014 at 7:12:56 AM UTC-7, Michael Starks wrote:
>
> On 2014-05-05 17:06, dan (ddp) wrote: 
>
> > Are there file auditing options in windows to track attempted access? 
> > If so you could turn that on and see if there is anymore available 
> > info on why this is failing. 
>
> Object auditing in Windows is horrendously chatty. I have seen it take 
> down a box when not implemented with a scalpel. I like to use Process 
> Monitor (formerly filemon and regmon) from Microsoft (formerly 
> sysinternals). Great tools. 
>
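One triage step worth running against the posted agent.conf before treating the system32 miss as a bug is to check whether the configuration itself explains it. The following is an added example (not OSSEC code): it parses a constructed subset of the agent.conf syscheck block and reports, for each test path from the report, which <directories> entry covers it, whether realtime is on, and which <ignore> (if any) matches. It assumes simplified OSSEC semantics: plain ignores are case-insensitive prefix matches, sregex supports only ^, $ and | with everything else literal, %WINDIR% is C:\WINDOWS, and / and \ are interchangeable.

```python
import xml.etree.ElementTree as ET

# Constructed subset of the agent.conf <syscheck> block from the post.
AGENT_CONF = """<syscheck>
  <directories check_all="yes">c:\\config.sys</directories>
  <directories check_all="yes" realtime="yes">%WINDIR%</directories>
  <ignore>%WINDIR%/system32/dllcache</ignore>
  <ignore>%WINDIR%/Temp</ignore>
  <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$</ignore>
</syscheck>"""

def norm(path):
    # Assumption: %WINDIR% is C:\WINDOWS; '/' and '\' and letter case are interchangeable.
    return path.replace("%WINDIR%", "C:\\WINDOWS").replace("/", "\\").lower()

def sregex_match(pattern, text):
    # Assumed OSSEC sregex semantics: '|' alternation, '^'/'$' anchors, everything else literal.
    for alt in pattern.split("|"):
        head, tail = alt.startswith("^"), alt.endswith("$")
        lit = alt[1 if head else 0:len(alt) - 1 if tail else len(alt)]
        hit = (text == lit if head and tail else text.startswith(lit) if head
               else text.endswith(lit) if tail else lit in text)
        if hit:
            return True
    return False

def classify(conf_xml, path):
    """Return (watched_entry, realtime, ignore_rule) or None when the path is not watched."""
    root, p, watched = ET.fromstring(conf_xml), norm(path), None
    for d in root.findall("directories"):
        for entry in d.text.split(","):
            base = norm(entry.strip())
            # An entry covers the path if it is the path itself or an ancestor directory;
            # the longest covering entry wins.
            if (p == base or p.startswith(base.rstrip("\\") + "\\")) and \
                    (watched is None or len(base) > len(watched[0])):
                watched = (base, d.get("realtime") == "yes")
    if watched is None:
        return None
    for ig in root.findall("ignore"):
        rule = ig.text.strip()
        # Assumption: plain ignores are case-insensitive prefix matches (Windows behaviour).
        hit = sregex_match(rule.lower(), p) if ig.get("type") == "sregex" else p.startswith(norm(rule))
        if hit:
            return (watched[0], watched[1], rule)
    return (watched[0], watched[1], None)

if __name__ == "__main__":
    for path in ("c:\\windows\\RootkitRevealer.exe",
                 "c:\\windows\\system32\\RootkitRevealer.exe", "c:\\windows\\Temp\\x.tmp"):
        print(path, "->", classify(AGENT_CONF, path))
```

For both RootkitRevealer.exe locations the result is the same realtime-watched entry with no matching ignore, so under these assumptions the config does not account for the missing system32 alert, which points the investigation at the agent's scan or realtime path rather than at the ignore list.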
