Installed the snapshot on my OSSEC server, restarted the OSSEC service on the Windows server that is running DHCP too; results in the log from the Windows server:
2009/05/28 13:46:15 ossec-execd(1350): INFO: Active response disabled. Exiting.
2009/05/28 13:46:15 ossec-agent(1410): INFO: Reading authentication keys file.
2009/05/28 13:46:15 ossec-agent: INFO: Assigning counter for agent SERVERNAME: '219:6044'.
2009/05/28 13:46:15 ossec-agent: INFO: Assigning sender counter: 35:1350
2009/05/28 13:46:15 ossec-agent: INFO: Trying to connect to server (IPADDRESSREMOVED:1514).
2009/05/28 13:46:15 ossec-agent: Starting syscheckd thread.
2009/05/28 13:46:15 ossec-rootcheck: INFO: Started (pid: 3700).
2009/05/28 13:46:15 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'.
2009/05/28 13:46:15 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion'.
2009/05/28 13:46:15 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion'.
2009/05/28 13:46:15 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.
2009/05/28 13:46:15 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes'.
2009/05/28 13:46:15 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control'.
2009/05/28 13:46:15 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
2009/05/28 13:46:15 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'.
2009/05/28 13:46:15 ossec-agent: INFO: Monitoring directory: 'C:\Windows/system32'.
2009/05/28 13:46:15 ossec-agent: INFO: Started (pid: 3700).
2009/05/28 13:46:16 ossec-agent(4102): INFO: Connected to the server (IPADDRESSREMOVED:1514).
2009/05/28 13:46:16 ossec-agent: INFO: System is Vista or Windows Server 2008.
2009/05/28 13:46:16 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
2009/05/28 13:46:16 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
2009/05/28 13:46:34 ossec-agent(1951): INFO: Analyzing event log: 'System'.
2009/05/28 13:46:34 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log'.
2009/05/28 13:46:34 ossec-agent(1103): ERROR: Unable to open file 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log'.
2009/05/28 13:46:34 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log'.
2009/05/28 13:46:34 ossec-agent: INFO: Started (pid: 3700).

> Hey,
>
> I included those in the latest snapshot. I made a few changes, so I
> would like you to take a look:
>
> - Modified the use of <match> to <id>
> - Simplified the decoder to only extract the id, since we were not
>   using the other information
> - Changed the ids to be in the 6300-6399 range (assigned now for MS DHCP)
> - Changed the levels of some informative rules to 0 (like IP assigned, etc.)
>
> Can you test? Anyone here using MS DHCP to try it out?
>
> Link: http://ossec.net/files/snapshots/ossec-hids-090528.tar.gz
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Wed, May 13, 2009 at 1:01 AM, phish phreek <[email protected]> wrote:
>> Here is the latest and *hopefully* final version. I've created three
>> separate decoders for Windows DHCP server: one for Windows 2003 IPv4, one
>> for Windows 2008 IPv4 and the last one for Windows 2008 IPv6. I'm not using
>> IPv6, so I could only test a few log entries against the decoder. If someone
>> is using 2K8 IPv6 and you can send me more logs, I'd be happy to test. Also,
>> I'm pretty new to writing rules in regular expressions. If you look at my
>> decoders and think "WTF!", please let me know what I could do to make them
>> better. ;)
>>
>> I've moved my decoders from decoder.xml to local_decoder.xml as was
>> recommended on the mailing list.
>>
>> I've updated the ms_dhcp_rules.xml file to include 2 new rules for 2008
>> IPv4 as well as a separate section for 2008 IPv6 rules. I've changed them
>> from the 12200/12300 range to 120200 for 2k3/2k8 IPv4 and 120300 for 2k8
>> IPv6. I also updated the alert levels to a little more reasonable level, and
>> I've changed the groups to match predefined groups where applicable.
>>
>> The decoders also fix a "bug" when trying to filter out the MAC address or
>> "extra data". The last decoder I posted didn't always get it right.
>>
>> If you've followed my previous instructions, please remove the decoder from
>> your OSSEC server's decoder.xml file and use the attached local_decoder.xml.
>> If you're already using a local_decoder.xml file, then don't overwrite your
>> copy with mine! Copy and paste the contents of mine into yours. Otherwise,
>> the rest of the previous instructions still apply.
>>
>> I'm still working out some possible bugs with the OSSEC agent monitoring the
>> Windows logs. When I told the agent to monitor
>> c:\windows\system32\dhcp\*.log it stopped monitoring on Sunday at midnight.
>> I'm not sure if that was due to timestamps not being updated or not. I've
>> since added an entry in the OSSEC agent's ossec.conf file for each day's log
>> and we'll see if that works better.
>>
>> Will the dev team take notice of this on the list and decide if they want to
>> include it in their project, or do I need to send it elsewhere?
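The thread talks about three things without showing any of them: the DHCP audit log format the decoders parse, the "extract only the id, map it to a 63xx rule, set informative events to level 0" design Daniel describes, and the per-weekday `<localfile>` entries phish phreek added after the `*.log` wildcard stopped at the Sunday rollover. The following Python is an added example written for this page; it is not code from the OSSEC project or from either poster. It assumes the column layout Windows 2003 writes in the header of each `DhcpSrvLog-<Day>.log` (ID, Date, Time, Description, IP Address, Host Name, MAC Address), the `DhcpSrvLog-Mon.log` … `DhcpSrvLog-Sun.log` naming (and `DhcpV6SrvLog-*.log` for the 2008 IPv6 log), and a rule table whose ids and levels are this example's own illustrative stand-ins in the 6300-6399 range, not OSSEC's real `ms_dhcp_rules.xml`. The sample log lines are constructed.

```python
"""
Added example (not OSSEC project code): a Python sketch of the decode ->
rule-match -> level-filter pipeline described in the thread for the
Windows DHCP server audit log, plus a generator for the per-weekday
<localfile> entries used as a workaround for the wildcard problem.
Assumed: 2003-style column layout, Windows' per-day log file names,
and an ILLUSTRATIVE rule table (not OSSEC's real ids/levels).
"""
import csv
import datetime as dt
import io

# Column layout of the Windows 2003 DHCP server audit log (from the header
# Windows writes at the top of each DhcpSrvLog-<Day>.log). 2008 appends more
# columns after these; zip() below ignores any extras.
FIELDS_2003 = ("id", "date", "time", "description", "ip", "host", "mac")

# Constructed sample lines in that layout (not taken from the thread).
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,05/28/09,00:00:03,Started,,,,
10,05/28/09,13:46:20,Assign,192.0.2.50,ws01.example.test,001122334455,
11,05/28/09,13:47:05,Renew,192.0.2.51,ws02.example.test,001122334466,
12,05/28/09,13:48:11,Release,192.0.2.51,ws02.example.test,001122334466,
13,05/28/09,13:49:30,Conflict,192.0.2.77,,,
15,05/28/09,13:50:02,NACK,192.0.2.99,rogue.example.test,deadbeefcafe,
"""

# Illustrative rule table keyed on the event id, the only field the
# simplified decoder extracts. Level 0 mirrors the thread's change of
# informative events (assign/renew/release) to level 0; the rule ids and
# the other levels are this example's own choices, NOT OSSEC's.
RULES = {
    "00": (6300, 3, "DHCP server started"),
    "10": (6301, 0, "IP address leased"),
    "11": (6302, 0, "Lease renewed"),
    "12": (6303, 0, "Lease released"),
    "13": (6304, 5, "IP address conflict detected"),
    "15": (6305, 5, "Lease denied (NACK)"),
}


def decode(line):
    """Return the named fields of one log line, or None for the header,
    blank lines, or anything that does not start with a numeric event id."""
    line = line.strip()
    if not line or not line[:2].isdigit():
        return None
    row = next(csv.reader([line]))
    return dict(zip(FIELDS_2003, row))


def match_rule(rec):
    """Map a decoded record to (rule_id, level, description). Unknown ids
    hit a catch-all at level 1 so a new event type is not silently dropped."""
    return RULES.get(rec["id"], (6399, 1, "Unhandled DHCP event id"))


def alerts(text, min_level=1):
    """Decode every line, match it, and keep events at or above min_level.
    With the default of 1, level-0 rules (the informative ones) are dropped,
    which is the effect of setting a rule's level to 0 in OSSEC."""
    out = []
    for line in io.StringIO(text):
        rec = decode(line)
        if rec is None:
            continue
        rule_id, level, desc = match_rule(rec)
        if level >= min_level:
            out.append((rule_id, level, desc, rec["ip"], rec["mac"]))
    return out


def daily_log_name(day, v6=False):
    """Windows' file name for that weekday: DhcpSrvLog-Thu.log (IPv4) or
    DhcpV6SrvLog-Thu.log (IPv6 on Server 2008)."""
    stem = "DhcpV6SrvLog" if v6 else "DhcpSrvLog"
    return f"{stem}-{day.strftime('%a')}.log"


def localfile_entries(dhcp_dir=r"C:\WINDOWS\system32\dhcp", v6=False):
    """One <localfile> block per weekday for the agent's ossec.conf, the
    workaround the poster used instead of the *.log wildcard."""
    monday = dt.date(2009, 5, 25)  # a Monday; only the weekday names matter
    blocks = []
    for i in range(7):
        name = daily_log_name(monday + dt.timedelta(days=i), v6)
        blocks.append(
            "<localfile>\n"
            f"  <location>{dhcp_dir}\\{name}</location>\n"
            "  <log_format>syslog</log_format>\n"
            "</localfile>"
        )
    return blocks


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a)
    print("\n".join(localfile_entries()))
```

Run as-is it prints the three non-informative events from the constructed sample (server start, conflict, NACK) and seven `<localfile>` blocks ready to paste into the agent's ossec.conf; pass `v6=True` to get the `DhcpV6SrvLog-*.log` set for a 2008 server's IPv6 log. The catch-all rule is the part worth keeping in a real deployment: with a decoder that only extracts the id, any event id you have not written a rule for vanishes unless something matches it.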
