On Sat, Mar 25, 2017 at 4:54 AM,  <henry.williamsgr...@gmail.com> wrote:
> Hello fellow googlers,
>
> The GOAL:
>
> For every user on my windows OSSEC agent, generate OSSEC alert severity 10
> when new file added to
>
> C:\Users/*/%AppData%/Local/Temp directory
>
> Where star was supposed to be the wildcard place holder to instruct OSSEC to
> mean ANY user
>
> The Attempt & RESULTS:
>
> In an effort to get OSSEC to generate an alert upon new file created in
> %AppData% I have conducted the following steps.
>
> http://ossec-docs.readthedocs.io/en/latest/faq/syscheck.html#why-aren-t-new-files-creating-an-alert
>
> Why aren’t new files creating an alert?
>
> By default OSSEC does not alert on new files. To enable this functionality,
> <alert_new_files> must be set to yes inside the <syscheck> section of the
> manager’s ossec.conf. Also, the rule to alert on new files (rule 554) is set
> to level 0 by default. The alert level will need to be raised in order to
> see the alert. Alerting on new files does not work in realtime, a full scan
> will be necessary to detect them.
>
> Add the following to local_rules.xml:
>
> <rule id="554" level="10" overwrite="yes">
>
>   <category>ossec</category>
>
>   <decoded_as>syscheck_new_entry</decoded_as>
>
>   <description>File added to the system.</description>
>
>   <group>syscheck,</group>
>
> </rule>
>
> The <alert_new_files> entry should look something like this:
>
> <syscheck>
>
>   <frequency>7200</frequency>
>
>   <alert_new_files>yes</alert_new_files>
>
>   <directories check_all="yes">/etc,/bin,/sbin</directories>
>
> </syscheck>
>
> In my OSSEC environment, I have a CentOS (current build) host for my OSSEC
> manager. I also have a Windows OS host for my OSSEC agent (agent id=001). To
> test the agent.conf setup of OSSEC I have on the OSSEC Manager host two
> configuration files, both the original ossec.conf file located in directory
> /var/ossec/etc/ as well as the agent.conf file located in directory
> /var/ossec/etc/shared. I have made the <alert_new_files> entry in both these
> configuration files, as well as added rule id 554 to local_rules.xml as
> depicted above from the OSSEC documentation.
>
> To confirm settings are correct I ran logtest without error. Additionally, I
> performed the following self-checks:
>
> - Confirmed level="10" for rule id 554 in local_rules.xml AND
>   on the OSSEC Manager inside the ossec.conf file that the setting for alert
>   threshold was set to alert on level>=1
> - md5sum on Manager = on Agent copy of agent.conf
> - Reduced frequency to 60 for troubleshooting/testing the create new file
>   feature.
> - Created new file 'test.txt' in directory %AppData%
>
> No immediate result, additionally let sit and wait for 24hrs to ensure
> syscheck could run multiple times.
> Result new file ‘test.txt’ was not alerted on.
>
> To arrive at this conclusion, I inspected the following results:
>
> nano /var/ossec/logs/alerts/alerts.log
>
> I can see .nix directories are firing for rule id 554. However, no %AppData%
> windows file creation detected.
>
> /var/ossec/bin/agent_control -i 001
> /var/ossec/bin/agent_control -r -u 001
> /var/ossec/bin/syscheck_control -u 001
>
> OUTPUT
> ** Integrity check database updated.
>
> /var/ossec/bin/syscheck_control -i 001
>
> OUTPUT
> Integrity changes for agent 'WinBox (001) - 192.168.0.2':
> ** No entries found.
>
> ls /var/ossec/queue/diff
>
> No entries for Windows agent
>
> nano /var/ossec/logs/alerts/alerts.log
>
> I am able to see entries for rule id 554 on .nix localhost /tmp test
> efforts for 554. Other Windows content is present such as authentication
> logs and registry edits. Additionally, I can get C:\Temp new file creation to
> detect but not any new file alerts for the %AppData%.
>
> ls /var/ossec/queue/syscheck/
>
> I can see the text files I was testing with from C:\Temp but no %AppData%
> content.
>
> From the above I gather that my test new file creations are being detected
> and alerted on my localhost. However, the syntax or other issue appears to
> be causing problems such that the %AppData% directory is not being properly
> monitored by syscheck as was the case for the C:\Temp directory for example.
>
> I am hoping for some guidance on how I go about testing the alert on new
> file creation for windows OS %AppData% directory. Such as how to confirm
> windows agent is detecting the new file created, and that the Master OSSEC
> is receiving this event from the windows agent correctly, then Master OSSEC
> is alerting on new file detection by rule 554 properly.
>
> The other threads discussing %AppData% indicate attention to syntax for
> adding directory entry into the ossec.conf file is important step but do not
> provide guidance into the proper syntax for such cases like wildcard use.
> Please let me know if any additional details are required to assist with my
> request. Any help or guidance is much appreciated.
>

Set the frequency to something higher, 60 seconds is much too low. I
think 300 is the bare minimum, but even that's a bit low.
Restart the OSSEC processes on an affected Windows agent.
Check the ossec.log to see if your desired directories are being monitored.

Possibly change one of the affected agents to not use the wildcard,
and instead use one user directory as a testbed.

Also, if you turn on the logall option on the OSSEC server you
should be able to see the syscheck messages received from the agent in
archives.log.

>
> Cheers,
>
> Henry
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
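The single-user testbed and logall check suggested in the reply, written out as an added configuration example (not from the thread or the OSSEC project): it assumes a Windows account named "testuser" and keeps the manager-side settings the original post already describes.

```xml
<!-- /var/ossec/etc/shared/agent.conf on the manager (pushed to agents).
     os="Windows" limits this block to Windows agents. -->
<agent_config os="Windows">
  <syscheck>
    <!-- 60 s is too low for troubleshooting; 300 s is the bare minimum,
         and a full scan is what detects new files (no realtime here). -->
    <frequency>3600</frequency>
    <!-- Testbed: one concrete user directory instead of a wildcard.
         "testuser" is an assumed account name; adjust to a real one. -->
    <directories check_all="yes">C:\Users\testuser\AppData\Local\Temp</directories>
    <!-- Known-working control directory from the original post -->
    <directories check_all="yes">C:\Temp</directories>
  </syscheck>
</agent_config>

<!-- /var/ossec/etc/ossec.conf on the manager -->
<ossec_config>
  <global>
    <!-- logall writes every received event, including the agent's
         syscheck messages, to /var/ossec/logs/archives/archives.log,
         so you can see whether the agent is sending anything at all. -->
    <logall>yes</logall>
  </global>
  <syscheck>
    <!-- Manager-side switch; rule 554 still needs a level above 0 -->
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>
```

Once the agent's copy of agent.conf matches the manager's (md5sum, as in the post), restart the Windows agent and check its ossec.log for the Temp directory being listed as monitored before waiting for the next full scan.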
