[ossec-list] Re: OSSEC-- File integrity check??
Can anybody please respond with a working config which is reporting
new files?
I tried everything I can. I am lost. Help, help, please.
On Aug 3, 9:30 am, Robert5156 <gidituri_ra...@xxxxxxxxxxx> wrote:
> Daniel,
> Thank you for responding and for the OSSEC software. I am new to OSSEC
> and I am trying to learn this software to replace our existing
> Tripwire.
> I did restart the server and XP client agents and also rebooted both
> the systems.
> I increased the frequency from 600 to 7200 sec, which is enough time to
> scan the Windows directory. Still no luck. I am running ver 1.2.
> Below are my updated ossec.conf files of server and XP client. The
> ossec.log file says that it is monitoring the Windows directory. But
> OSSEC is only reporting files which I modified the content for. It is
> still not reporting new files added. Help.
> My config files are the default files with the addition of these 2
> lines of code:
> <alert_new_files>yes</alert_new_files>
> <auto_ignore>no</auto_ignore>
>
> Is there anything wrong with the above code, or the location I declared
> them in, or the sequence to use inside the ossec.conf file?
>
> _____XP CLIENT OSSEC.CONF FILE______________________________
>
> <!-- Agent Example Configuration -->
>
> <!-- First, change the server-ip to the IP of your OSSEC HIDS server.
> -->
>
> <!-- Second, add any extra file that you may want to monitor. -->
>
> <ossec_config>
> <client>
> <!-- IP address of the Ossec HIDS server -->
> <server-ip>SERVER IP</server-ip>
> </client>
>
> <!-- One entry for each file to monitor -->
> <localfile>
> <location>Application</location>
> <log_format>eventlog</log_format>
> </localfile>
>
> <localfile>
> <location>Security</location>
> <log_format>eventlog</log_format>
> </localfile>
>
> <localfile>
> <location>System</location>
> <log_format>eventlog</log_format>
> </localfile>
> </ossec_config>
>
> <!-- Updated syscheck config -->
>
> <ossec_config>
>
> <syscheck>
>
> <frequency>7200</frequency>
> <alert_new_files>yes</alert_new_files>
> <directories check_all="yes">C:\windows</directories>
>
> <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>
> <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>
> <ignore>C:\WINDOWS/Prefetch</ignore>
>
> <ignore>C:\WINDOWS/Debug</ignore>
>
> <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>
> <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>
> <ignore>C:\WINDOWS/Temp</ignore>
>
> <ignore>C:\WINDOWS/SchedLgU.Txt</ignore>
>
> <ignore>C:\WINDOWS/system32/config</ignore>
>
> <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>
> <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>
> <ignore>C:\WINDOWS/LastGood.Tmp</ignore>
>
> <ignore>C:\WINDOWS/LastGood</ignore>
>
> <ignore>C:\WINDOWS/Help</ignore>
>
> <ignore>C:\WINDOWS/Fonts</ignore>
>
> <ignore>C:\WINDOWS/PCHEALTH</ignore>
>
> <ignore>C:\WINDOWS/system32/dllcache</ignore>
>
> <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$</ignore>
>
> </syscheck>
>
> </ossec_config>
>
> <!-- Syscheck registry config -->
>
> <ossec_config>
>
> <syscheck>
>
> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes</windows_registry>
>
> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft</windows_registry>
>
> <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
>
> <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control</windows_registry>
>
> <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
>
> <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
>
> </syscheck>
>
> </ossec_config>
>
> <!-- Syscheck registry ignored entries (too big or change too often) -->
>
> <ossec_config>
>
> <syscheck>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\RNG</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\PchSvc</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Dfrg</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\DirectDraw</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Direct3D</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\COM3</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Prefetcher</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Interface</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\TypeLib</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\MIME</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Software</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\CLSID</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Watchdog</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaCategories</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\hivelist</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceCurrent</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Performance</registry_ignore>
>
> <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient</registry_ignore>
>
> <registry_ignore type="sregex">\Enum$</registry_ignore>
>
> </syscheck>
>
> </ossec_config>
>
> _______________END OF CLIENT CONFIG FILE_____________
>
> _________________Contents of Server ossec.conf file______________________
>
> <ossec_config>
> <global>
> <email_notification>yes</email_notification>
> <email_to>email address</email_to>
> <smtp_server>server name</smtp_server>
> <email_from>ossecm@servername</email_from>
> </global>
>
> <rules>
> <include>rules_config.xml</include>
> <include>pam_rules.xml</include>
> <include>sshd_rules.xml</include>
> <include>telnetd_rules.xml</include>
> <include>syslog_rules.xml</include>
> <include>arpwatch_rules.xml</include>
> <include>symantec-av_rules.xml</include>
> <include>pix_rules.xml</include>
> <include>named_rules.xml</include>
> <include>smbd_rules.xml</include>
> <include>vsftpd_rules.xml</include>
> <include>pure-ftpd_rules.xml</include>
> <include>proftpd_rules.xml</include>
> <include>ms_ftpd_rules.xml</include>
> <include>hordeimp_rules.xml</include>
> <include>vpopmail_rules.xml</include>
> <include>web_rules.xml</include>
> <include>apache_rules.xml</include>
> <include>ids_rules.xml</include>
> <include>squid_rules.xml</include>
> <include>firewall_rules.xml</include>
> <include>netscreenfw_rules.xml</include>
> <include>postfix_rules.xml</include>
> <include>sendmail_rules.xml</include>
> <include>imapd_rules.xml</include>
> <include>mailscanner_rules.xml</include>
> <include>ms-exchange_rules.xml</include>
> <include>racoon_rules.xml</include>
> <include>vpn_concentrator_rules.xml</include>
> <include>spamd_rules.xml</include>
> <include>msauth_rules.xml</include>
> <!-- <include>policy_rules.xml</include> -->
> <include>attack_rules.xml</include>
> <include>zeus_rules.xml</include>
> <include>ossec_rules.xml</include>
> <include>local_rules.xml</include>
> </rules>
>
> <syscheck>
> <!-- Frequency that syscheck is executed - default to every 6 hours -->
> <frequency>7200</frequency>
>
> <!-- Directories to check (perform all possible verifications) -->
>
> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> <directories check_all="yes">/bin,/sbin</directories>
> <alert_new_files>yes</alert_new_files>
> <auto_ignore>no</auto_ignore>
>
> <!-- Files/directories to ignore -->
> <ignore>/etc/mtab</ignore>
> <ignore>/etc/mnttab</ignore>
> <ignore>/etc/hosts.deny</ignore>
> <ignore>/etc/mail/statistics</ignore>
> <ignore>/etc/random-seed</ignore>
> <ignore>/etc/adjtime</ignore>
> <ignore>/etc/httpd/logs</ignore>
> <ignore>/etc/utmpx</ignore>
> <ignore>/etc/wtmpx</ignore>
> <ignore>/etc/cups/certs</ignore>
>
> <!-- Windows files to ignore -->
> <ignore>C:\WINDOWS/System32/LogFiles</ignore>
> <ignore>C:\WINDOWS/Debug</ignore>
> <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
> <ignore>C:\WINDOWS/iis6.log</ignore>
> <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
> <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
> <ignore>C:\WINDOWS/Prefetch</ignore>
> <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
> <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
> <ignore>C:\WINDOWS/Temp</ignore>
> <ignore>C:\WINDOWS/system32/config</ignore>
> <ignore>C:\WINDOWS/system32/spool</ignore>
> ...
>
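As an added example (not code from the thread or from OSSEC itself), the script below merges the several `<syscheck>` blocks of a client config like the one quoted above and dry-runs which newly created paths would actually be reported, so the effect of each `<ignore>` entry can be checked before waiting for the next scan. It assumes OSSEC merges every `<ossec_config>` block, that plain `<ignore>` entries match as path prefixes, that `type="sregex"` entries are `|`-separated regexes, and that Windows paths compare case-insensitively with `\` and `/` treated alike.

```python
# Added example, not OSSEC's own code. Assumed semantics: all <ossec_config>
# blocks merge; plain <ignore> = path prefix; type="sregex" = '|'-separated
# regexes; Windows paths compare case-insensitively with '\' and '/' alike.
import re
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the client config posted in the thread.
SAMPLE_CONF = r"""
<ossec_config><syscheck>
  <alert_new_files>yes</alert_new_files>
  <directories check_all="yes">C:\windows</directories>
  <ignore>C:\WINDOWS/Temp</ignore>
  <ignore type="sregex">.log$|.jpg$</ignore>
</syscheck></ossec_config>
<ossec_config><syscheck>
  <ignore>C:\WINDOWS/Prefetch</ignore>
</syscheck></ossec_config>
"""

def _norm(path):
    # Assumed Windows normalisation: single separator, case-folded.
    return path.replace("\\", "/").lower()

def parse_syscheck(conf_text):
    """Merge all <syscheck> blocks (OSSEC allows several) into one dict."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    cfg = {"alert_new_files": False, "directories": [],
           "ignore_prefix": [], "ignore_regex": []}
    for block in root.iter("syscheck"):
        for child in block:
            if child.tag == "alert_new_files":
                cfg["alert_new_files"] = child.text.strip().lower() == "yes"
            elif child.tag == "directories":
                cfg["directories"] += [_norm(d.strip()) for d in child.text.split(",")]
            elif child.tag == "ignore" and child.get("type") == "sregex":
                cfg["ignore_regex"] += child.text.strip().split("|")
            elif child.tag == "ignore":
                cfg["ignore_prefix"].append(_norm(child.text.strip()))
    return cfg

def would_alert(cfg, path):
    """True if a file newly created at `path` would be reported as new."""
    p = _norm(path)
    if not cfg["alert_new_files"]:
        return False          # new-file alerting is switched off
    if not any(p.startswith(d) for d in cfg["directories"]):
        return False          # outside every monitored directory
    if any(p.startswith(i) for i in cfg["ignore_prefix"]):
        return False          # under an ignored path
    return not any(re.search(r, p) for r in cfg["ignore_regex"])
```

A path that returns False here is silently dropped by one of the ignore rules, which is the first thing to rule out when a new file never shows up in an alert.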
OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.