Hi Brent, I appreciate the response, and it seems like the way forward for the Registry Monitoring portion. I will test it out, and let you know how it works. I understand it is going to generate a lot of stuff, but I am just testing it right now, and need to figure out a few things, and it will help. Once full blown implementation is upon us, I will adjust as needed.
As for the Auditing portion, I like the idea, but I'm not sure where to turn on that function. Just so you are aware, I am running the OSSEC OVF against Windows hosts currently. Could I do something like this:

    <syscheck>
      <directories check_all="yes">C:,D:</directories>
    </syscheck>

Or are you talking about another feature I have yet to stumble across? I am also not sure if this is the correct syntax, or if I need to put in special characters like you would for something like a PCRE rule. Thanks again for the help, I really appreciate it.

Justin

On Friday, May 15, 2015 at 12:20:51 PM UTC-4, Brent Morris wrote:
> You'll want to test this yourself....
>
> But you can manage what files are monitored and what registry entries are monitored in the host's config file for the Syscheck. Run the Agent Manager on the host and go to View > Config. Then you can just change the configuration file and save it, restart the agent and wait for results.
>
> It seems like it would be possible to put a rule for alerts to changes to HKLM\System. But quite frankly, you're going to be inundated with many alerts that may not be valuable. I've seen evidence of this when performing system comparisons for MSI creation of before/after an installation. Windows makes lots of tiny changes to the registry and the file system, even when it's idle.
>
> As for file system monitoring, I think you would be better served by turning on auditing and applying an audit policy to the file system. Set the server to "log all" and then only pull alerts on sensitive areas of your computer. You may find historical value in archiving all the changes to the OSSEC system for future review....
>
> You might also check out Josh Bower's Sysmon 2.0 integration with OSSEC. This can help you monitor executable processes on your Windows system.... good stuff!
>
> On Friday, May 15, 2015 at 5:15:13 AM UTC-7, Justin Hazard wrote:
>> Hey Everyone,
>>
>> Huge fan of OSSEC, just got my first implementation up and operational. I have a few rules that I want to write, just for testing's sake.
>>
>> What we are looking to do is to write two separate rules that achieve similar results, and more specifically we want to know when any change is made to the registry, or when any file is created/deleted on the host.
>>
>> I was looking at what is being monitored currently, and wondering if I put a rule in place that says notify me when "HKLM\System" changes, ALERT.
>>
>> Is this possible?
>>
>> I know it seems like a lot of information that would be rolling in, but we are just trying to see all of what we can do with OSSEC.
>>
>> Please let me know if you can assist.
>>
>> V/R,
>>
>> Justin
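For reference, here is what the two halves of the setup discussed above look like in OSSEC's own configuration syntax: the syscheck block on the Windows agent (files plus registry keys) and the matching rules on the manager. This is an added example, not code from the thread or from the OSSEC project's shipped files. The directory paths, registry keys, ignore entries, the 7200-second scan frequency and the local rule IDs 100554 and 100594 are assumptions chosen for illustration; the stock rule 554 ("File added to the system") that 100554 builds on is the one in OSSEC's ossec_rules.xml.

```xml
<!-- ===== Agent side: ossec.conf on the Windows host (edit via Agent Manager, View > Config) ===== -->
<ossec_config>
  <syscheck>
    <!-- Seconds between full scans (assumed value). Registry keys are only checked
         on this schedule; realtime notifications apply to directories only. -->
    <frequency>7200</frequency>

    <!-- Files: a comma-separated list of paths. check_all="yes" records size, permissions,
         owner, MD5 and SHA1; realtime="yes" asks for change notifications between scans.
         Paths are literal; no PCRE-style escaping of the backslashes is needed. -->
    <directories check_all="yes" realtime="yes">C:\Windows\System32,C:\Program Files</directories>
    <directories check_all="yes">D:\data</directories>

    <!-- Known-noisy locations to skip (assumed examples; add your own as alerts show up) -->
    <ignore>C:\Windows\System32\LogFiles</ignore>
    <ignore>C:\Windows\Prefetch</ignore>

    <!-- Registry: one key per element; subkeys are included. These are the keys
         the thread talks about (HKLM\System) plus a common persistence location. -->
    <windows_registry>HKEY_LOCAL_MACHINE\System</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>

    <!-- Subkeys under a monitored key that churn constantly (assumed example) -->
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters</registry_ignore>
  </syscheck>
</ossec_config>

<!-- ===== Manager side, part 1: ossec.conf on the OSSEC server ===== -->
<ossec_config>
  <syscheck>
    <!-- Without this the manager never raises rule 554 for newly created files -->
    <alert_new_files>yes</alert_new_files>
    <!-- By default syscheck stops alerting on a file after it changes three times;
         turn that off while you are deliberately trying to see everything -->
    <auto_ignore>no</auto_ignore>
  </syscheck>
</ossec_config>

<!-- ===== Manager side, part 2: rules/local_rules.xml ===== -->
<group name="local,syscheck,">
  <!-- Raise the stock "File added to the system" rule (554) so it lands in alerts.log -->
  <rule id="100554" level="7">
    <if_sid>554</if_sid>
    <description>File added on a monitored host.</description>
  </rule>

  <!-- Any syscheck event whose text names a key under HKLM\System.
       <match> is a plain substring test in OSSEC's own dialect, not PCRE,
       so the backslash is literal here too. -->
  <rule id="100594" level="10">
    <if_group>syscheck</if_group>
    <match>HKEY_LOCAL_MACHINE\System</match>
    <description>Registry change under HKLM\System.</description>
  </rule>
</group>
```

After changing the agent file, restart the OSSEC agent service and run a scan; registry results will not appear until the scheduled scan completes, so for a first test a short frequency is more useful than the 22-hour default. Check the exact wording of the registry alerts in the manager's alerts.log before relying on the `<match>` string, since the rule only fires on the text the decoder actually produces.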