On Thu, May 18, 2017 at 3:47 PM, Pedro Sanchez <pe...@wazuh.com> wrote:
> Yes, it does.
> Rootcheck works for Linux as well; we have different rootcheck policies:
> https://github.com/wazuh/wazuh-ruleset/tree/master/rootchecks
>
> OSSEC has rootcheck as well.
>
> Cheers,
> Pedro.
>
> On Wed, May 17, 2017 at 11:16 AM, 'ian diddams' via ossec-list
> <ossec-list@googlegroups.com> wrote:
>>
>> Thanks Pedro - just to check, as per my OP, does it do this for LINUX
>> systems also, aside from Windows?
>>
>> ian
>>
>> On Wednesday, 17 May 2017 09:40:44 UTC+1, Pedro Sanchez wrote:
>>>
>>> Hi,
>>>
>>> OSSEC has the capability to detect running processes as well as look for
>>> existing registry keys or folders present on the system; you could use that
>>> to detect the rogue software.
>>>
>>> Example of getting running processes in Windows and triggering an alert when
>>> needed (using localfiles / logcollector / remote_commands):
>>> http://santi-bassett.blogspot.com.es/2015/08/how-to-monitor-running-processes-with-ossec.html
>>> Detecting a present folder / executable (we have different ways; in this
>>> case, using Rootcheck):
>>> https://github.com/wazuh/wazuh-ruleset/blob/master/rootchecks/win_applications_rcl.txt#L59
>>>
>>> Regards,
>>> Pedro Sanchez.
>>>
>>> On Tue, May 16, 2017 at 6:30 PM, 'ian diddams' via ossec-list
>>> <ossec...@googlegroups.com> wrote:
>>>>
>>>> Apologies in advance if this is a FAQ - I've googled a bit but can't see
>>>> anything obvious returned.
>>>>
>>>> I've been asked to find out if OSSEC HIDS (which we use already for other
>>>> monitoring) can be used on Linux variations (CentOS mainly) to spot "rogue
>>>> software". Now there's an ambiguous description to start with, and I'm
>>>> trying to ascertain exactly what "rogue software" really means from those
>>>> that asked me to investigate this!
>>>>
>>>> In its widest description I suppose it could be something like taking a
>>>> baseline of running processes, and reflecting that against future process
>>>> lists, and alerting for anything running that isn't in the baseline. Does
>>>> OSSEC HIDS provide any such or similar facility?
>>>>
>>>> cheers
>>>>
>>>> ian

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
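As an added example, not code from the thread or from the OSSEC or Wazuh projects: the two fragments below implement the process-baseline idea Ian asks about on a Linux agent, using the full_command localfile and check_diff rule mechanism that Pedro's first link describes for Windows. The alias name, the rule id (100100, which sits inside the 100000-119999 range OSSEC reserves for local rules), the alert level and the 5-minute frequency are my choices; the file paths assume a default /var/ossec install.

```xml
<!-- Fragment 1: /var/ossec/etc/ossec.conf on the Linux agent (added example).
     full_command ships the whole output of the command to the manager as one
     event every <frequency> seconds, tagged with the <alias> value. -->
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <!-- comm= prints only the executable name with no header; sort -u removes
         ordering and duplicate-instance noise, so only a program name that
         appears or disappears produces a diff. -->
    <command>ps -eo comm= | sort -u</command>
    <alias>process-baseline</alias>
    <frequency>300</frequency>
  </localfile>
</ossec_config>

<!-- Fragment 2: /var/ossec/rules/local_rules.xml on the manager (added example).
     Rule 530 is OSSEC's built-in level-0 catch-all for "ossec: output:" events.
     check_diff stores the first output it sees as the baseline and fires only
     when a later output differs; the alert body carries the diff itself. -->
<group name="local,process_monitoring,">
  <rule id="100100" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'process-baseline'</match>
    <check_diff />
    <description>Running process list differs from the stored baseline.</description>
  </rule>
</group>
```

If the localfile is pushed from the manager through agent.conf instead of written on the agent, the agent will not execute it until logcollector.remote_commands=1 is set in its local_internal_options.conf; that is the remote_commands setting Pedro's link refers to. Two caveats a practitioner should keep in mind: the check only sees what is running at each sampling instant, so a process that starts and exits between two samples never appears; and the baseline is simply whatever ran at the first sample, so inspect it before treating silence as a clean host. To re-baseline after a legitimate change, remove the rule's stored state under /var/ossec/queue/diff/ on the manager and the next output becomes the new reference.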