Hey All, I have two questions.

1) Is it possible to use wildcards in win_malware_rcl.txt file?

I am trying to monitor the following registry key such that if "Taskman" has a value that begins with C:\RECYCLER and anything after that, it should be reported as a possible malware. But it is not working.

r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion \Winlogon -> Taskman -> =:C:\RECYCLER*;

2) I changed some registry entries (in accordance with win_malware_rcl.txt) for testing the malware detection. I checked the ossec log at the agent and (in debug mode) found that the agent is sending the messages to the server (regarding detected malware), but they are not being reported at the WUI. The relevant information is as follows -

OSSEC version 2.3

<!--Contents of /etc/ossec-init.conf-->
DIRECTORY="/var/ossec"
VERSION="v2.3"
DATE="Fri Feb 19 10:36:08 EST 2010"
TYPE="server"

<!-- Contents of C:\Program Files\ossec-agent\ossec.log -->
2010/03/18 15:23:19 ossec-agent: DEBUG: Attempting to send message to server.
2010/03/18 15:23:19 ossec-agent: DEBUG: Sending message to server: 'Starting rootcheck scan.'
2010/03/18 15:23:19 ossec-agent: INFO: Starting rootcheck scan.
2010/03/18 15:23:19 ossec-agent: DEBUG: Starting on check_rc_winaudit
2010/03/18 15:23:19 ossec-agent: DEBUG: Checking entry: 'Disabled Registry tools set'.
2010/03/18 15:23:19 ossec-agent: DEBUG: Checking registry: 'HKCU \Software\Microsoft\Windows\CurrentVersion\Policies\System'.
2010/03/18 15:23:19 ossec-agent: DEBUG: Condition ANY.
.
.
SOME MORE AUDIT CHECKS DONE HERE
.
2010/03/18 15:23:19 ossec-agent: DEBUG: Checking entry: 'Null sessions allowed'.
2010/03/18 15:23:19 ossec-agent: DEBUG: Checking registry: 'HKLM\System \CurrentControlSet\Control\Lsa'.
2010/03/18 15:23:19 ossec-agent: DEBUG: found registry.
2010/03/18 15:23:19 ossec-agent: DEBUG: Condition ANY.
2010/03/18 15:23:19 ossec-agent: DEBUG: Attempting to send message to server.
2010/03/18 15:23:19 ossec-agent: DEBUG: Sending message to server: 'Windows Audit: Null sessions allowed.'
2010/03/18 15:23:19 ossec-agent: DEBUG: Starting on check_rc_winmalware
2010/03/18 15:23:19 ossec-agent: DEBUG: Checking entry: 'Ginwui Backdoor'.
2010/03/18 15:23:20 ossec-agent: DEBUG: Checking file: 'C:\WINDOWS \System32\zsyhide.dll'.
2010/03/18 15:23:20 ossec-agent: DEBUG: Condition ANY.
2010/03/18 15:23:20 ossec-agent: DEBUG: Checking file: 'C:\WINDOWS \System32\zsydll.dll'.
2010/03/18 15:23:20 ossec-agent: DEBUG: Condition ANY.
2010/03/18 15:23:20 ossec-agent: DEBUG: Checking registry: 'HKLM \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zsydll'.
2010/03/18 15:23:20 ossec-agent: DEBUG: Condition ANY.
2010/03/18 15:23:20 ossec-agent: DEBUG: Checking registry: 'HKLM \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'.
2010/03/18 15:23:20 ossec-agent: DEBUG: found registry.
2010/03/18 15:23:20 ossec-agent: DEBUG: Condition ANY.
2010/03/18 15:23:20 ossec-agent: DEBUG: Attempting to send message to server.
2010/03/18 15:23:20 ossec-agent: DEBUG: Sending message to server: 'Windows Malware: Ginwui Backdoor. Reference: http://www.iss.net/threats/ginwui.html .'
.
.
SOME MORE CHECKS FOR MALWARE
.
2010/03/18 15:23:21 ossec-agent: DEBUG: Checking entry: 'Possible Mariposa Botnet'.
2010/03/18 15:23:21 ossec-agent: DEBUG: Checking registry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion \Winlogon'.
2010/03/18 15:23:21 ossec-agent: DEBUG: found registry.
2010/03/18 15:23:21 ossec-agent: DEBUG: Condition ANY.
2010/03/18 15:23:21 ossec-agent: DEBUG: Attempting to send message to server.
2010/03/18 15:23:21 ossec-agent: DEBUG: Sending message to server: 'Windows Malware: Possible Mariposa Botnet.'
2010/03/18 15:23:21 ossec-agent: DEBUG: Checking entry: 'Possible Malware Gozi'.
2010/03/18 15:23:21 ossec-agent: DEBUG: Checking registry: 'HKLM\SYSTEM \CurrentControlSet\Control\Session Manager\AppCertDlls'.
2010/03/18 15:23:21 ossec-agent: DEBUG: found registry.
2010/03/18 15:23:21 ossec-agent: DEBUG: Condition ANY.
2010/03/18 15:23:21 ossec-agent: DEBUG: Attempting to send message to server.
2010/03/18 15:23:21 ossec-agent: DEBUG: Sending message to server: 'Windows Malware: Possible Malware Gozi.'
2010/03/18 15:23:22 ossec-agent: DEBUG: Starting on check_rc_winapps
2010/03/18 15:23:22 ossec-agent: DEBUG: Checking entry: 'Chat/IM - MSN'.
2010/03/18 15:23:22 ossec-agent: DEBUG: Checking registry: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSNMessenger'.
2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
2010/03/18 15:23:22 ossec-agent: DEBUG: Checking registry: 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSNMessenger'.
2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
2010/03/18 15:23:22 ossec-agent: DEBUG: Checking file: 'C:\Program Files\MSN Messenger'.
2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
2010/03/18 15:23:22 ossec-agent: DEBUG: Checking file: 'C:\Program Files\Messenger'.
2010/03/18 15:23:22 ossec-agent: DEBUG: found file.
2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
2010/03/18 15:23:22 ossec-agent: DEBUG: Checking process: 'r:msnmsgr.exe'.
2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
2010/03/18 15:23:22 ossec-agent: DEBUG: Attempting to send message to server.
2010/03/18 15:23:22 ossec-agent: DEBUG: Sending message to server: 'Application Found: Chat/IM - MSN. File: C:\Program Files\Messenger. Reference: http://www.msn.com .'
2010/03/18 15:23:23 ossec-agent: DEBUG: Going into check_rc_dev
2010/03/18 15:23:23 ossec-agent: DEBUG: Going into check_rc_sys
2010/03/18 15:23:23 ossec-agent: DEBUG: Starting on check_rc_sys
2010/03/18 15:23:25 ossec-agent: DEBUG: Going into check_rc_pids
2010/03/18 15:23:25 ossec-agent: DEBUG: Going into check_rc_ports
2010/03/18 15:23:25 ossec-agent: DEBUG: Going into check_open_ports
2010/03/18 15:23:25 ossec-agent: DEBUG: Going into check_rc_if
2010/03/18 15:23:25 ossec-agent: DEBUG: Completed with all checks.
2010/03/18 15:23:30 ossec-agent: DEBUG: Attempting to send message to server.
2010/03/18 15:23:30 ossec-agent: DEBUG: Sending message to server: 'Ending rootcheck scan.'
2010/03/18 15:23:30 ossec-agent: INFO: Ending rootcheck scan.
2010/03/18 15:23:30 ossec-agent: DEBUG: Leaving run_rk_check
2010/03/18 15:23:30 ossec-agent: INFO: Starting syscheck scan.

<!-- Contents of /var/ossec/logs/ossec.log -->
2010/03/18 15:22:41 ossec-remoted(1403): ERROR: Incorrectly formated message from 'XXX.XXX.XXX.XXX'.
2010/03/18 15:23:01 ossec-remoted(1403): ERROR: Incorrectly formated message from 'XXX.XXX.XXX.XXX'.
2010/03/18 15:23:21 ossec-remoted(1403): ERROR: Incorrectly formated message from 'XXX.XXX.XXX.XXX'.
2010/03/18 15:23:41 ossec-remoted(1403): ERROR: Incorrectly formated message from 'XXX.XXX.XXX.XXX'.
2010/03/18 15:24:01 ossec-remoted(1403): ERROR: Incorrectly formated message from 'XXX.XXX.XXX.XXX'.

The above messages refer to the same IP (which is another agent and not the Windows agent I am referring to here).

<!-- OS Name -->
Agent - Windows XP Pro SP3

Any help is appreciated.

Vipul.
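Added example, not from the post and not OSSEC's own code: a small Python model of how a rootcheck registry check line of the form above is evaluated, using rootcheck's `=:` (literal) and `r:` (regular expression) value prefixes on the Winlogon Taskman value. The registry contents are constructed, and the regex dialect is Python's `re` rather than OSSEC's own engine, so escaping is an assumption.

```python
import re

# Constructed stand-in for the Windows registry: key -> {value name: data}.
# The Taskman data is a made-up value of the shape the post wants to catch.
FAKE_REGISTRY = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Taskman": r"C:\RECYCLER\S-1-5-21-0\suspect.exe",
    },
}

def parse_check(line):
    """Split 'r:<key> -> <value name> -> <pattern>;' into its three parts."""
    line = line.strip().rstrip(";")
    if not line.startswith("r:"):
        raise ValueError("only registry (r:) checks are modelled here")
    key, name, pattern = (part.strip() for part in line[2:].split("->"))
    return key, name, pattern

def value_matches(data, pattern):
    """Apply the value-pattern prefix:
    '=:'  literal comparison, so a trailing '*' is just another character;
    'r:'  regular expression search (Python re here, assumed to approximate
          OSSEC's engine); no prefix is treated as literal (assumption)."""
    if pattern.startswith("=:"):
        return data == pattern[2:]
    if pattern.startswith("r:"):
        return re.search(pattern[2:], data) is not None
    return data == pattern

def run_check(line, registry=FAKE_REGISTRY):
    """True when the key and value exist and the data matches the pattern."""
    key, name, pattern = parse_check(line)
    values = registry.get(key)
    if values is None or name not in values:
        return False  # key or value absent: the check does not fire
    return value_matches(values[name], pattern)

WINLOGON = (r"r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT"
            r"\CurrentVersion\Winlogon -> Taskman -> ")
LITERAL_CHECK = WINLOGON + r"=:C:\RECYCLER*;"   # shape of the line in the post
REGEX_CHECK = WINLOGON + r"r:^C:\\RECYCLER;"    # anchored regex: starts with C:\RECYCLER

if __name__ == "__main__":
    print("literal '=:' with trailing '*':", run_check(LITERAL_CHECK))
    print("regex 'r:' anchored at start:  ", run_check(REGEX_CHECK))
```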
