[ossec-list] Re: OSSEC-- File integrity check??
Daniel,
Thank you for responding and for the OSSEC software. I am new to OSSEC
and I am trying to learn this software to replace our existing
Tripwire.
I did restart the server and XP client agents and also rebooted both
systems.
I increased the frequency from 600 to 7200 sec, which is enough time to
scan the Windows directory. Still no luck. I am running ver 1.2.
Below are my updated ossec.conf files of the server and XP client. The
ossec.log file says that it is monitoring the Windows directory, but
OSSEC is only reporting files whose content I modified. It is
still not reporting new files added. Help.
My config files are the default files with the addition of these 2
lines of code:
<alert_new_files>yes</alert_new_files>
<auto_ignore>no</auto_ignore>
Is there anything wrong with the above code, or with the location I declared
them in, or with the sequence to use inside the ossec.conf file?
_____XP CLIENT OSSEC.CONF FILE______________________________
<!-- Agent Example Configuration -->
<!-- First, change the server-ip to the IP of your OSSEC HIDS server. -->
<!-- Second, add any extra file that you may want to monitor. -->
<ossec_config>
<client>
<!-- IP address of the Ossec HIDS server -->
<server-ip>SERVER IP</server-ip>
</client>
<!-- One entry for each file to monitor -->
<localfile>
<location>Application</location>
<log_format>eventlog</log_format>
</localfile>
<localfile>
<location>Security</location>
<log_format>eventlog</log_format>
</localfile>
<localfile>
<location>System</location>
<log_format>eventlog</log_format>
</localfile>
</ossec_config>
<!-- Updated syscheck config -->
<ossec_config>
<syscheck>
<frequency>7200</frequency>
<alert_new_files>yes</alert_new_files>
<directories check_all="yes">C:\windows</directories>
<ignore>C:\WINDOWS/System32/LogFiles</ignore>
<ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
<ignore>C:\WINDOWS/Prefetch</ignore>
<ignore>C:\WINDOWS/Debug</ignore>
<ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
<ignore>C:\WINDOWS/SoftwareDistribution</ignore>
<ignore>C:\WINDOWS/Temp</ignore>
<ignore>C:\WINDOWS/SchedLgU.Txt</ignore>
<ignore>C:\WINDOWS/system32/config</ignore>
<ignore>C:\WINDOWS/system32/CatRoot</ignore>
<ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
<ignore>C:\WINDOWS/LastGood.Tmp</ignore>
<ignore>C:\WINDOWS/LastGood</ignore>
<ignore>C:\WINDOWS/Help</ignore>
<ignore>C:\WINDOWS/Fonts</ignore>
<ignore>C:\WINDOWS/PCHEALTH</ignore>
<ignore>C:\WINDOWS/system32/dllcache</ignore>
<ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$</ignore>
</syscheck>
</ossec_config>
<!-- Syscheck registry config -->
<ossec_config>
<syscheck>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
</syscheck>
</ossec_config>
<!-- Syscheck registry ignored entries (too big or change too often) -->
<ossec_config>
<syscheck>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\RNG</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\PchSvc</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Dfrg</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\DirectDraw</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Direct3D</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\COM3</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Prefetcher</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Interface</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\TypeLib</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\MIME</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Software</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\CLSID</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Watchdog</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaCategories</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\hivelist</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceCurrent</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Performance</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient</registry_ignore>
<registry_ignore type="sregex">\Enum$</registry_ignore>
</syscheck>
</ossec_config>
_______________END OF CLIENT CONFIG FILE_____________
_________________Contents of Server ossec.conf file______________________
<ossec_config>
<global>
<email_notification>yes</email_notification>
<email_to>email address</email_to>
<smtp_server>server name</smtp_server>
<email_from>ossecm@servername</email_from>
</global>
<rules>
<include>rules_config.xml</include>
<include>pam_rules.xml</include>
<include>sshd_rules.xml</include>
<include>telnetd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>arpwatch_rules.xml</include>
<include>symantec-av_rules.xml</include>
<include>pix_rules.xml</include>
<include>named_rules.xml</include>
<include>smbd_rules.xml</include>
<include>vsftpd_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>ms_ftpd_rules.xml</include>
<include>hordeimp_rules.xml</include>
<include>vpopmail_rules.xml</include>
<include>web_rules.xml</include>
<include>apache_rules.xml</include>
<include>ids_rules.xml</include>
<include>squid_rules.xml</include>
<include>firewall_rules.xml</include>
<include>netscreenfw_rules.xml</include>
<include>postfix_rules.xml</include>
<include>sendmail_rules.xml</include>
<include>imapd_rules.xml</include>
<include>mailscanner_rules.xml</include>
<include>ms-exchange_rules.xml</include>
<include>racoon_rules.xml</include>
<include>vpn_concentrator_rules.xml</include>
<include>spamd_rules.xml</include>
<include>msauth_rules.xml</include>
<!-- <include>policy_rules.xml</include> -->
<include>attack_rules.xml</include>
<include>zeus_rules.xml</include>
<include>ossec_rules.xml</include>
<include>local_rules.xml</include>
</rules>
<syscheck>
<!-- Frequency that syscheck is executed - default to every 6 hours -->
<frequency>7200</frequency>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<alert_new_files>yes</alert_new_files>
<auto_ignore>no</auto_ignore>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<!-- Windows files to ignore -->
<ignore>C:\WINDOWS/System32/LogFiles</ignore>
<ignore>C:\WINDOWS/Debug</ignore>
<ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
<ignore>C:\WINDOWS/iis6.log</ignore>
<ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
<ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
<ignore>C:\WINDOWS/Prefetch</ignore>
<ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
<ignore>C:\WINDOWS/SoftwareDistribution</ignore>
<ignore>C:\WINDOWS/Temp</ignore>
<ignore>C:\WINDOWS/system32/config</ignore>
<ignore>C:\WINDOWS/system32/spool</ignore>
<ignore>C:\WINDOWS/system32/CatRoot</ignore>
</syscheck>
<rootcheck>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
</rootcheck>
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
</global>
<remote>
<connection>secure</connection>
</remote>
<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>7</email_alert_level>
</alerts>
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<!-- Active Response Config -->
<active-response>
<!-- This response is going to execute the host-deny
- command for every event that fires a rule with
- level (severity) >= 6.
- The IP is going to be blocked for 600 seconds.
-->
<command>host-deny</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
<active-response>
<!-- Firewall Drop response. Block the IP for
- 600 seconds on the firewall (iptables,
- ipfilter, etc).
-->
<command>firewall-drop</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
<!-- Files to monitor (localfiles) -->
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/maillog</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/httpd/error_log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/httpd/access_log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/etc/httpd/logs/access_log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/etc/httpd/logs/error_log</location>
</localfile>
</ossec_config>
________________end of server ossec.conf file____________________
Would appreciate your help.
Thank you
Robert
On Aug 2, 8:08 pm, "Daniel Cid" <daniel....@xxxxxxxxx> wrote:
> Hi Robert,
>
> Did you restart the server after adding the
> "<alert_new_files>yes</alert_new_files>"
> entry? Also, take a look at this post that explains a bit more about
> the alert_new_files
> option:
>
> http://www.ossec.net/ossec-list/2007-May/msg00005.html
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 8/1/07, Robert5156 <gidituri_ra...@xxxxxxxxxxx> wrote:
>
> > I installed server on fedora and an agent on windows XP sp2 system.
> > Everything is working fine except when i test the file integrity
> > checking, it is not reporting any new files created.
> > It is reporting any content changes of existing files ,but not new
> > files. Can any one look at the config files and let me know what is
> > wrong.
>
> > Below is the ossec.conf file on the server and ossec.conf file
> > contents of XP client agent.
> > ______________________________Linux Server ossec.conf
> > file___________________
> > <ossec_config>
> > <ossec_config>
> > <global>
> > <email_notification>yes</email_notification>
> > <email_to>EMAIL</email_to>
> > <smtp_server>SERVER NAME</smtp_server>
> > <email_from>ossecm@SERVERNAME</email_from>
> > <integrity_checking>6</integrity_checking>
> > </global>
>
> > <rules>
> > <include>rules_config.xml</include>
> > <include>pam_rules.xml</include>
> > <include>sshd_rules.xml</include>
> > <include>telnetd_rules.xml</include>
> > <include>syslog_rules.xml</include>
> > <include>arpwatch_rules.xml</include>
> > <include>symantec-av_rules.xml</include>
> > <include>pix_rules.xml</include>
> > <include>named_rules.xml</include>
> > <include>smbd_rules.xml</include>
> > <include>vsftpd_rules.xml</include>
> > <include>pure-ftpd_rules.xml</include>
> > <include>proftpd_rules.xml</include>
> > <include>ms_ftpd_rules.xml</include>
> > <include>hordeimp_rules.xml</include>
> > <include>vpopmail_rules.xml</include>
> > <include>web_rules.xml</include>
> > <include>apache_rules.xml</include>
> > <include>ids_rules.xml</include>
> > <include>squid_rules.xml</include>
> > <include>firewall_rules.xml</include>
> > <include>netscreenfw_rules.xml</include>
> > <include>postfix_rules.xml</include>
> > <include>sendmail_rules.xml</include>
> > <include>imapd_rules.xml</include>
> > <include>mailscanner_rules.xml</include>
> > <include>ms-exchange_rules.xml</include>
> > <include>racoon_rules.xml</include>
> > <include>vpn_concentrator_rules.xml</include>
> > <include>spamd_rules.xml</include>
> > <include>msauth_rules.xml</include>
> > <!-- <include>policy_rules.xml</include> -->
> > <include>attack_rules.xml</include>
> > <include>zeus_rules.xml</include>
> > <include>ossec_rules.xml</include>
> > <include>local_rules.xml</include>
> > </rules>
>
> > <syscheck>
> > <!-- Frequency that syscheck is executed - default to every 6 hours -->
> > <frequency>600</frequency>
>
> > <!-- Directories to check (perform all possible verifications) -->
> > <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> > <directories check_all="yes">/bin,/sbin</directories>
> > <directories check_all="yes">C:\WINDOWS</directories>
> > <alert_new_files>yes</alert_new_files>
> > <auto_ignore>no</auto_ignore>
>
> > <!-- Files/directories to ignore -->
> > <ignore>/etc/mtab</ignore>
> > <ignore>/etc/mnttab</ignore>
> > <ignore>/etc/hosts.deny</ignore>
> > <ignore>/etc/mail/statistics</ignore>
> > <ignore>/etc/random-seed</ignore>
> > <ignore>/etc/adjtime</ignore>
> > <ignore>/etc/httpd/logs</ignore>
> > <ignore>/etc/utmpx</ignore>
> > <ignore>/etc/wtmpx</ignore>
> > <ignore>/etc/cups/certs</ignore>
>
> > <!-- Windows files to ignore -->
> > <ignore>C:\WINDOWS/System32/LogFiles</ignore>
> > <ignore>C:\WINDOWS/Debug</ignore>
> > <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
> > <ignore>C:\WINDOWS/iis6.log</ignore>
> > <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
> > <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
> > <ignore>C:\WINDOWS/Prefetch</ignore>
> > <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
> > <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
> > <ignore>C:\WINDOWS/Temp</ignore>
> > <ignore>C:\WINDOWS/system32/config</ignore>
> > <ignore>C:\WINDOWS/system32/spool</ignore>
> > <ignore>C:\WINDOWS/system32/CatRoot</ignore>
> > </syscheck>
>
> > <rootcheck>
> > <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
> > <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
> > </rootcheck>
>
> > <alerts>
> > <log_alert_level>1</log_alert_level>
> > <email_alert_level>7</email_alert_level>
> > </alerts>
> > ________________________--END _________________________________
>
> > Below is the XP-client agent's ossec.conf file contents.
>
> > __________________________________XP_client config____________________
> > <ossec_config>
> > <client>
> > <!-- IP address of the Ossec HIDS server -->
> > <server-ip>serverIP</server-ip>
> > </client>
>
> > <!-- Updated syscheck config -->
> > <ossec_config>
> > <syscheck>
> > <frequency>600</frequency>
> > <alert_new_files>yes</alert_new_files>
> > <directories check_all="yes">C:\WINDOWS</directories>
> > <ignore>C:\WINDOWS/System32/LogFiles</ignore>
> > <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
> > <ignore>C:\WINDOWS/Prefetch</ignore>
> > <ignore>C:\WINDOWS/Debug</ignore>
> > <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
> > <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
> > <ignore>C:\WINDOWS/Temp</ignore>
> > <ignore>C:\WINDOWS/SchedLgU.Txt</ignore>
> > <ignore>C:\WINDOWS/system32/config</ignore>
> > <ignore>C:\WINDOWS/system32/CatRoot</ignore>
> > <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
> > <ignore>C:\WINDOWS/LastGood.Tmp</ignore>
> > <ignore>C:\WINDOWS/LastGood</ignore>
> > <ignore>C:\WINDOWS/Help</ignore>
> > <ignore>C:\WINDOWS/Fonts</ignore>
> > <ignore>C:\WINDOWS/PCHEALTH</ignore>
> > <ignore>C:\WINDOWS/system32/dllcache</ignore>
> > <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$</ignore>
> > </syscheck>
> > </ossec_config>
> > _______________________END_______END_______
>
> > Any help is appreciated.
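A small configuration check for the situation discussed in this thread, added here as an example; it is not code from the thread or from the OSSEC project. The script parses an ossec.conf the way OSSEC tolerates it (several top-level <ossec_config> blocks in one file, which a strict XML parser would reject), confirms that <alert_new_files> is set to yes, flags <ignore> entries that fall outside every monitored <directories> path, and flags sregex alternatives such as ".log$" whose leading dot is unescaped and therefore matches any character instead of a literal dot. It also emits the local_rules.xml override that raises rule 554 ("File added to the system") above level 0, since that rule is silent at its shipped level and new-file events produce no alert until it is raised; the rule id, the syscheck_new_entry decoder name and the overwrite attribute are taken from later OSSEC releases and are assumptions to check against the ossec_rules.xml of the version in use. The sample agent configuration, including the server IP and the D:\scratch ignore entry, is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the XP agent ossec.conf posted in the thread.
# The server IP and the D:\scratch ignore entry are made up to exercise the checks.
SAMPLE_AGENT_CONF = r"""
<!-- Agent example configuration (constructed sample) -->
<ossec_config>
  <client>
    <server-ip>192.0.2.10</server-ip>
  </client>
</ossec_config>
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes">C:\windows</directories>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>D:\scratch</ignore>
    <ignore type="sregex">.log$|.htm$|\.pnf$</ignore>
  </syscheck>
</ossec_config>
"""


def parse_ossec_conf(text):
    """OSSEC allows several top-level <ossec_config> blocks in one file; a
    strict XML parser rejects that, so wrap them in a single synthetic root."""
    return ET.fromstring("<root>" + text + "</root>")


def _norm(path):
    """Normalise a path for comparison: Windows paths are case-insensitive and
    the posted configs mix '/' and backslash separators in the same file."""
    return path.strip().replace("/", "\\").rstrip("\\").lower()


def lint_syscheck(conf_text):
    """Return a list of human-readable findings about the syscheck sections."""
    root = parse_ossec_conf(conf_text)
    blocks = root.findall("./ossec_config/syscheck")
    if not blocks:
        return ["no <syscheck> block found"]
    findings = []

    # 1. New-file alerting must be switched on explicitly.
    if not any((b.findtext("alert_new_files") or "").strip().lower() == "yes"
               for b in blocks):
        findings.append("alert_new_files is not set to yes; new files will not be reported")

    # 2. Collect every monitored directory (one <directories> entry may hold a comma list).
    monitored = [_norm(p) for b in blocks for d in b.findall("directories")
                 for p in (d.text or "").split(",") if p.strip()]

    # 3. Check the ignore entries against what is actually monitored.
    for b in blocks:
        for ig in b.findall("ignore"):
            pat = (ig.text or "").strip()
            if ig.get("type") == "sregex":
                # In OSSEC regex an unescaped '.' is a wildcard, so '.log$' also
                # matches names such as 'catalog'; a literal dot must be written '\.'.
                for alt in pat.split("|"):
                    if alt.startswith("."):
                        findings.append(f"sregex alternative '{alt}' has an unescaped "
                                        f"leading '.', which matches any character; use '\\{alt}'")
            elif not any(_norm(pat).startswith(m) for m in monitored):
                findings.append(f"ignore entry '{pat}' is outside every monitored directory")
    return findings


def new_file_rule_override(level=7):
    """local_rules.xml snippet raising rule 554 ('File added to the system') to
    a level that alerts. Assumption: rule id, decoder name and overwrite attribute
    as documented for later OSSEC releases; verify against your ossec_rules.xml."""
    return f"""<group name="syscheck,">
  <rule id="554" level="{level}" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
  </rule>
</group>"""


if __name__ == "__main__":
    for line in lint_syscheck(SAMPLE_AGENT_CONF):
        print("finding:", line)
    print(new_file_rule_override())
```

Run it with the real agent or server ossec.conf read into lint_syscheck; on the constructed sample it reports the unreachable D:\scratch ignore and the two unescaped sregex alternatives, and prints the rule 554 override for local_rules.xml.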