Of course. I restart the agent before the new agent.conf has been downloaded to the Windows client.

I think you don't really understand the question clearly. The Windows agent can run syscheck, but it can't monitor all of the new files created when I upload a file to two or more different folders. That is my question.

BP9906 wrote on Friday, May 30, 2014 at 2:46:02 PM UTC-7:
>
> Dumb question here, but are you letting syscheck run after the agent has been restarted after the agent.conf has been downloaded?
>
> You can force syscheck to run from the ossec server using
> ./bin/syscheck_control -r -u ### where ### = agent ID
>
> Then watch ossec.log on the agent show Syscheckd start .. do stuff... finish .. realtime syscheck started.
>
> On Thursday, May 29, 2014 5:27:50 PM UTC-5, Ash Windy wrote:
>>
>> I tested these problems again.
>> The important issues are the following:
>> 1. Upload some files to two folders, but only one is detected.
>> 2. Upload different files to different folders at the same time, but only one is detected.
>>
>> I used procexp.exe and procmon.exe to monitor file access.
>>
>> 1. Testing environment
>>
>> OS: Windows 2003 R2
>>
>> OSSEC version: 2.8 beta1
>>
>> Server configuration for syscheck (the new-file alert is already added in local_rules.xml):
>>
>> ===========ossec.conf======================
>> <syscheck>
>>   <!-- Frequency that syscheck is executed - default to every 22 hours -->
>>   <frequency>79200</frequency>
>>   <alert_new_files>yes</alert_new_files>
>>   <auto_ignore>no</auto_ignore>
>>
>>   <!-- Directories to check (perform all possible verifications) -->
>>   <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>   <directories check_all="yes">/bin,/sbin</directories>
>>
>>   <!-- Files/directories to ignore -->
>>   <ignore>/etc/mtab</ignore>
>>   <ignore>/etc/mnttab</ignore>
>>   <ignore>/etc/hosts.deny</ignore>
>>   <ignore>/etc/mail/statistics</ignore>
>>   <ignore>/etc/random-seed</ignore>
>>   <ignore>/etc/adjtime</ignore>
>>   <ignore>/etc/httpd/logs</ignore>
>>   <ignore>/etc/utmpx</ignore>
>>   <ignore>/etc/wtmpx</ignore>
>>   <ignore>/etc/cups/certs</ignore>
>>   <ignore>/etc/dumpdates</ignore>
>>   <ignore>/etc/svc/volatile</ignore>
>> </syscheck>
>> ==================================
>>
>> Agent configuration for syscheck:
>>
>> ============agent.conf======================
>> <syscheck>
>>   <frequency>600</frequency>
>>   <disabled>no</disabled>
>>   <directories check_all="yes" report_changes="yes">c:\autoexec.bat</directories>
>>   <directories check_all="yes">c:\config.sys</directories>
>>   <directories check_all="yes" realtime="yes">%WINDIR%</directories>
>>
>>   <ignore>%WINDIR%/System32/LogFiles</ignore>
>>   <ignore>%WINDIR%/system32/wbem/Logs</ignore>
>>   <ignore>%WINDIR%/Prefetch</ignore>
>>   <ignore>%WINDIR%/Debug</ignore>
>>   <ignore>%WINDIR%/PCHEALTH/HELPCTR/DataColl</ignore>
>>   <ignore>%WINDIR%/SoftwareDistribution</ignore>
>>   <ignore>%WINDIR%/Temp</ignore>
>>   <ignore>%WINDIR%/SchedLgU.Txt</ignore>
>>   <ignore>%WINDIR%/system32/config</ignore>
>>   <ignore>%WINDIR%/system32/CatRoot</ignore>
>>   <ignore>%WINDIR%/system32/wbem/Repository</ignore>
>>   <ignore>%WINDIR%/LastGood.Tmp</ignore>
>>   <ignore>%WINDIR%/LastGood</ignore>
>>   <ignore>%WINDIR%/Help</ignore>
>>   <ignore>%WINDIR%/Fonts</ignore>
>>   <ignore>%WINDIR%/PCHEALTH</ignore>
>>   <ignore>%WINDIR%/system32/dllcache</ignore>
>>   <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$</ignore>
>>
>>   <!-- Windows registry entries to monitor. -->
>>   <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
>>   <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control</windows_registry>
>>   <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
>>   <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
>>   <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
>>   <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
>>   <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion</windows_registry>
>>   <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion</windows_registry>
>>   <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
>>   <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
>>   <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
>>   <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
>>   <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
>>   <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
>>   <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
>>   <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
>>   <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
>>   <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes</windows_registry>
>>   <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
>>   <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
>>   <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
>>   <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
>>   <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
>>   <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
>>   <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
>>   <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
>>   <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
>>
>>   <!-- Windows registry entries to ignore. -->
>>   <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData</registry_ignore>
>>   <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State</registry_ignore>
>>   <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate</registry_ignore>
>>   <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache</registry_ignore>
>>   <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList</registry_ignore>
>>   <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Prefetcher</registry_ignore>
>>   <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Interface</registry_ignore>
>>   <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\TypeLib</registry_ignore>
>>   <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\MIME</registry_ignore>
>>   <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Software</registry_ignore>
>>   <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\CLSID</registry_ignore>
>>   <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
>>   <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
>>   <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses</registry_ignore>
>>   <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Watchdog</registry_ignore>
>>   <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaCategories</registry_ignore>
>>   <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows</registry_ignore>
>>   <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\hivelist</registry_ignore>
>>   <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceCurrent</registry_ignore>
>>   <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print</registry_ignore>
>>   <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</registry_ignore>
>>   <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog</registry_ignore>
>>   <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Performance</registry_ignore>
>>   <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient</registry_ignore>
>>   <registry_ignore type="sregex">\Enum$</registry_ignore>
>> </syscheck>
>> ==============================
>>
>> Enabled debug on the OSSEC server and the agent clients.
>>
>> Opened Process Explorer and Process Monitor on Windows, with a filter to monitor ossec-agent.exe and the new file (to let me know who accesses the new files).
>>
>> 1. Test step 1: upload a new file (RootkitRevealer.exe) to c:\windows
>>
>> OSSEC agent status: sleeping, which means it hasn't started the syscheck scan yet. But I noticed it still tries to access "c:\Program files(x86)\ossec-agent\syscheck\.syscheck_run", although this file does not exist.
>>
>> Monitor: at first it did not detect the upload in real time when I uploaded this new file. After waiting 10 minutes, it found the new file.
>>
>> OSSEC logs: OK
>>
>> Result: success
>>
>> 2. Deleted the new file
>>
>> OSSEC agent status: sleeping
>>
>> Process Monitor: I can see ossec-agent.exe accessed this file, like this:
>>
>> [image: Process Monitor capture of ossec-agent.exe opening the file under C:\WINDOWS with Desired Access: Generic Read, followed by an FSCTL_QUERY_ALLOCATED_RANGES file system control call]
>>
>> OSSEC logs: everything is normal
>>
>> Result: succeeded
>>
>> 3. Upload the same file to two folders: one is c:\windows\system\, the other is c:\windows\system32\
>>
>> OSSEC agent status: sleeping. I tried restarting syscheck with agent_control, but it did not work.
>>
>> Monitor: it only found one file, in c:\windows\system\, but can't find the other one in system32. Is it because it is the same file? Is it a bug?
>>
>> OSSEC logs: of course, just one alert, from the system directory.
>>
>> Result: failed
>>
>> 4. Deleted these three files in different directories: first c:\windows\system32 (not detected), then c:\system and c:\windows
>>
>> OSSEC agent status: sleeping
>>
>> Monitor: found them in real time, except for c:\windows\system32 (not detected).
>>
>> Result: good?
>>
>> 5. Upload different files to different folders at the same time (one file is the one used in the test above, the others are new)
>>
>> Monitor: the old file can be found in real time. The two new files can be found when the syscheck scan starts.
>>
>> Result: succeeded
>>
>> Thanks
>>
>> Michael Starks wrote on Tuesday, May 6, 2014 at 7:12:56 AM UTC-7:
>>>
>>> On 2014-05-05 17:06, dan (ddp) wrote:
>>>
>>> > Are there file auditing options in windows to track attempted access?
>>> > If so you could turn that on and see if there is anymore available
>>> > info on why this is failing.
>>>
>>> Object auditing in Windows is horrendously chatty. I have seen it take
>>> down a box when not implemented with a scalpel. I like to use Process
>>> Monitor (formerly filemon and regmon) from Microsoft (formerly
>>> sysinternals). Great tools.
>>>
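The tests above are scored by watching Process Monitor and ossec.log on the agent. The same reconciliation can be done from the server side, which is where the alerts end up. The script below is an added example for this thread, not OSSEC's own code and not something posted in the discussion: it parses the syscheck alerts (rule ids 550, 553 and 554 from OSSEC's stock ruleset) out of an alerts.log fragment, normalizes the Windows paths, and reports which of the files dropped into the monitored folders never produced an "added" alert. The alerts.log text embedded in it is constructed to follow the OSSEC 2.x alert layout; the agent name, IP address, timestamps and paths are made up. On a real server you would read /var/ossec/logs/alerts/alerts.log (the default install location) after forcing a scan with syscheck_control -r -u.

```python
"""Reconcile a multi-folder syscheck test against the server's alerts.log.

Added example for the ossec-list thread; not OSSEC code. Parses syscheck
alerts (rules 550/553/554), normalizes the reported Windows paths, and tells
you which of the files you dropped into monitored folders were never alerted on.
"""
import re

# Constructed sample in the OSSEC alerts.log layout. Agent name, IP,
# epochs and paths are invented; only the line structure mirrors OSSEC.
SAMPLE_ALERTS = r"""
** Alert 1401487001.1234: - ossec,syscheck,
2014 May 30 14:56:41 (win2003) 10.0.0.5->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file 'c:\windows\RootkitRevealer.exe' added to the file system.

** Alert 1401487600.2345: - ossec,syscheck,
2014 May 30 15:06:40 (win2003) 10.0.0.5->syscheck
Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
File 'c:\windows\RootkitRevealer.exe' was deleted. Unable to retrieve checksum.

** Alert 1401488200.3456: - ossec,syscheck,
2014 May 30 15:16:40 (win2003) 10.0.0.5->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file 'c:\windows\system\RootkitRevealer.exe' added to the file system.
"""

# One alert block: header line, origin line, rule line, message line.
ALERT_RE = re.compile(
    r"\*\* Alert (?P<epoch>\d+)\.\d+: - (?P<groups>[^\n]*)\n"
    r"(?P<when>.+?) \((?P<agent>[^)]+)\) (?P<ip>\S+)->syscheck\n"
    r"Rule: (?P<rule>\d+) \(level \d+\) -> '[^']*'\n"
    r"(?P<msg>[^\n]*)"
)
# The affected path is the first single-quoted token of the message line.
PATH_RE = re.compile(r"'([^']+)'")

# Syscheck rule ids from OSSEC's stock ruleset; anything else maps to "other".
ACTIONS = {550: "modified", 553: "deleted", 554: "added"}


def normalize(path):
    """Case-fold and unify separators; Windows paths are case-insensitive."""
    return path.replace("\\", "/").rstrip("/").lower()


def parse_syscheck_alerts(text):
    """Return a list of dicts (epoch, agent, rule, action, path), one per syscheck alert."""
    events = []
    for m in ALERT_RE.finditer(text):
        if "syscheck" not in m.group("groups"):
            continue
        p = PATH_RE.search(m.group("msg"))
        if p is None:  # a syscheck alert without a quoted path; not a file event
            continue
        rule = int(m.group("rule"))
        events.append({
            "epoch": int(m.group("epoch")),
            "agent": m.group("agent"),
            "rule": rule,
            "action": ACTIONS.get(rule, "other"),
            "path": normalize(p.group(1)),
        })
    return events


def reconcile(expected_paths, events, action="added"):
    """Split the paths you dropped into (alerted, missed) for the given action.

    Both lists hold normalized paths, in the order the expected paths were given.
    """
    seen = {e["path"] for e in events if e["action"] == action}
    alerted, missed = [], []
    for path in expected_paths:
        n = normalize(path)
        (alerted if n in seen else missed).append(n)
    return alerted, missed


if __name__ == "__main__":
    # The three copies from test step 3/4 of the thread (constructed names).
    dropped = [r"c:\windows\RootkitRevealer.exe",
               r"c:\windows\system\RootkitRevealer.exe",
               r"c:\windows\system32\RootkitRevealer.exe"]
    ok, missing = reconcile(dropped, parse_syscheck_alerts(SAMPLE_ALERTS))
    print("alerted:", ok)
    print("missing:", missing)
```

Feed it the real alerts.log instead of SAMPLE_ALERTS and the `missing` list is exactly the set of folders where realtime or scheduled syscheck failed to report the drop, independent of what ossec.log on the agent says. Filtering on `action="deleted"` scores the deletion round the same way.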
