Hi,

OSSEC has the capability to detect running processes as well as look for
existing registry keys or folders present on the system, you could use that
to detect the rogue software.

Example of getting running processes in Windows and triggering an alert when
needed (using localfiles / logcollector / remote_commands):
http://santi-bassett.blogspot.com.es/2015/08/how-to-monitor-running-processes-with-ossec.html
Detecting present folder / executable (we have different ways, in this
case, using Rootcheck):
https://github.com/wazuh/wazuh-ruleset/blob/master/rootchecks/win_applications_rcl.txt#L59

Regards,
Pedro Sanchez.
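For the Linux case asked about below (a process baseline that alerts on change), the same full_command / check_diff mechanism works on a CentOS agent. The following is an added example, not configuration from the original post; it assumes an agent-side ossec.conf, a local rule id 100100 in the free range, and the stock OSSEC rule 530 that matches all command output.

```xml
<!-- Added example (not from the original post). Assumptions: agent-side
     ossec.conf on a CentOS host, local rule id 100100, and rule 530 as
     shipped by OSSEC for full_command output. -->

<!-- 1. ossec.conf (agent): run a process listing every 5 minutes and send
        the whole output to the manager as a single event. "comm=" drops
        the header and "sort -u" keeps the output stable between runs, so
        only a real change in the set of process names produces a diff. -->
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>ps -eo comm= | sort -u</command>
    <frequency>300</frequency>
  </localfile>
</ossec_config>

<!-- 2. rules/local_rules.xml (manager): rule 530 matches every
        "ossec: output:" event; check_diff raises this rule only when the
        output of this particular command differs from the stored
        previous run. The match deliberately stops before the "|" in the
        command string, because "|" is an OR separator in <match>. -->
<group name="local,process_monitoring,">
  <rule id="100100" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'ps -eo comm=</match>
    <check_diff />
    <description>Set of running process names changed (process started or stopped).</description>
  </rule>
</group>
```

Note that check_diff compares against the previous run rather than a fixed baseline, so the first run after deployment alerts once, and a process that starts and exits between two runs is not observed. If the localfile is pushed from the manager through agent.conf instead of the agent's own ossec.conf, the agent must have remote commands enabled in its internal_options.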



On Tue, May 16, 2017 at 6:30 PM, 'ian diddams' via ossec-list <
ossec-list@googlegroups.com> wrote:

> Apologies in advance if this is a FAQ - I've googled a bit but can't see
> anything obvious returned.
>
> I've been asked to find out if OSSEC HIDS (which we use already for other
> monitoring) can be used on Linux variations (CentOS mainly) to spot "rogue
> software".  Now there's an ambiguous description to start with and I'm
> trying to ascertain exactly what "rogue software" really means from those
> that asked me to investigate this!
>
> In its widest description I suppose it could be something like taking a
> baseline of running processes, and reflecting that against future process
> lists, and alerting for anything running that isn't in the baseline.  Does
> OSSEC HIDS provide any such or similar facility?
>
> cheers
>
> ian
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
