Hi Vipul,

Yes, you can use wildcards, but you have to specify the "r:" before using it:

r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> Taskman -> r:C:\RECYCLER;


If the agent is sending the events properly to the manager, you have to check if
the rules are enabled for that event. Try enabling log_all to see if you get all
the alerts.


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

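An added illustration (not part of Daniel's reply or of OSSEC's own code) of why the original entry never fires: it parses the two rcl lines from this thread and applies them to a constructed Winlogon\Taskman value. It assumes that an `=:` condition is a literal whole-string comparison and an `r:` condition is an unanchored regular-expression search, approximated here with Python's `re`.

```python
import re

# Constructed rcl entries in win_malware_rcl.txt syntax:
#   r:<registry key> -> <value name> -> <condition>;
# BROKEN_ENTRY is the one from the question, FIXED_ENTRY the one from the reply.
BROKEN_ENTRY = r"r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> Taskman -> =:C:\RECYCLER*;"
FIXED_ENTRY = r"r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> Taskman -> r:C:\RECYCLER;"

# Constructed stand-in for the host's registry: (key, value name) -> data.
SAMPLE_REGISTRY = {
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Taskman"):
        r"C:\RECYCLER\S-1-5-21-12345\svchost.exe",
}


def parse_entry(line):
    """Split one rcl registry line into (key, value_name, condition)."""
    key, value_name, condition = [p.strip() for p in line.strip().rstrip(";").split("->")]
    if key.startswith("r:"):          # the key itself may carry the r: prefix
        key = key[2:]
    return key, value_name, condition


def condition_matches(condition, data):
    """Apply an rcl value condition to the data found in the registry.

    Assumption (not stated on the page): "=:" compares the literal text against
    the whole value, so a trailing "*" is just a character; "r:" is a regular
    expression searched anywhere in the value.
    """
    if condition.startswith("=:"):
        return data == condition[2:]
    if condition.startswith("r:"):
        # Backslashes in the rcl pattern are path separators, so escape them
        # before handing the pattern to Python's re.
        pattern = condition[2:].replace("\\", "\\\\")
        return re.search(pattern, data) is not None
    return data == condition


def evaluate(entry, registry):
    """Return True when the entry would raise a rootcheck alert for this registry."""
    key, value_name, condition = parse_entry(entry)
    data = registry.get((key, value_name))
    return data is not None and condition_matches(condition, data)
```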


On Thu, Mar 18, 2010 at 5:57 PM, Vipul_Gupta <[email protected]> wrote:
> Hey All,
> I have two questions.
>
> 1) Is it possible to use wildcards in win_malware_rcl.txt file?
>
> I am trying to monitor the following registry key such that if
> "Taskman" has a value that begins with C:\RECYCLER and anything after
> that, it should be reported as a possible malware. But it is not
> working.
>
> r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> Taskman -> =:C:\RECYCLER*;
>
>
> 2) I changed some registry entries (in accordance with
> win_malware_rcl.txt) for testing the malware detection. I checked the
> ossec log at the agent and (in debug mode) found that the agent is
> sending the messages to the server (regarding detected malware), but
> they are not being reported at the WUI.
>
>
>
>
> The relevant information is as follows -
>
> OSSEC version 2.3
>
>
>
> <!--Contents of /etc/ossec-init.conf-->
>
> DIRECTORY="/var/ossec"
> VERSION="v2.3"
> DATE="Fri Feb 19 10:36:08 EST 2010"
> TYPE="server"
>
>
>
>
> <!-- Contents of C:\Program Files\ossec-agent\ossec.log -->
>
> 2010/03/18 15:23:19 ossec-agent: DEBUG: Attempting to send message to
> server.
> 2010/03/18 15:23:19 ossec-agent: DEBUG: Sending message to server:
> 'Starting rootcheck scan.'
> 2010/03/18 15:23:19 ossec-agent: INFO: Starting rootcheck scan.
> 2010/03/18 15:23:19 ossec-agent: DEBUG: Starting on check_rc_winaudit
> 2010/03/18 15:23:19 ossec-agent: DEBUG: Checking entry: 'Disabled
> Registry tools set'.
> 2010/03/18 15:23:19 ossec-agent: DEBUG: Checking registry: 'HKCU
> \Software\Microsoft\Windows\CurrentVersion\Policies\System'.
> 2010/03/18 15:23:19 ossec-agent: DEBUG: Condition ANY.
> .
> .       SOME MORE AUDIT CHECKS DONE HERE
> .
> 2010/03/18 15:23:19 ossec-agent: DEBUG: Checking entry: 'Null sessions
> allowed'.
> 2010/03/18 15:23:19 ossec-agent: DEBUG: Checking registry: 'HKLM\System
> \CurrentControlSet\Control\Lsa'.
> 2010/03/18 15:23:19 ossec-agent: DEBUG: found registry.
> 2010/03/18 15:23:19 ossec-agent: DEBUG: Condition ANY.
> 2010/03/18 15:23:19 ossec-agent: DEBUG: Attempting to send message to
> server.
> 2010/03/18 15:23:19 ossec-agent: DEBUG: Sending message to server:
> 'Windows Audit: Null sessions allowed.'
>
> 2010/03/18 15:23:19 ossec-agent: DEBUG: Starting on
> check_rc_winmalware
> 2010/03/18 15:23:19 ossec-agent: DEBUG: Checking entry: 'Ginwui
> Backdoor'.
> 2010/03/18 15:23:20 ossec-agent: DEBUG: Checking file: 'C:\WINDOWS
> \System32\zsyhide.dll'.
> 2010/03/18 15:23:20 ossec-agent: DEBUG: Condition ANY.
> 2010/03/18 15:23:20 ossec-agent: DEBUG: Checking file: 'C:\WINDOWS
> \System32\zsydll.dll'.
> 2010/03/18 15:23:20 ossec-agent: DEBUG: Condition ANY.
> 2010/03/18 15:23:20 ossec-agent: DEBUG: Checking registry: 'HKLM
> \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zsydll'.
> 2010/03/18 15:23:20 ossec-agent: DEBUG: Condition ANY.
> 2010/03/18 15:23:20 ossec-agent: DEBUG: Checking registry: 'HKLM
> \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'.
> 2010/03/18 15:23:20 ossec-agent: DEBUG: found registry.
> 2010/03/18 15:23:20 ossec-agent: DEBUG: Condition ANY.
> 2010/03/18 15:23:20 ossec-agent: DEBUG: Attempting to send message to
> server.
> 2010/03/18 15:23:20 ossec-agent: DEBUG: Sending message to server:
> 'Windows Malware: Ginwui Backdoor. Reference: 
> http://www.iss.net/threats/ginwui.html
> .'
> .
> . SOME MORE CHECKS FOR MALWARE
> .
> 2010/03/18 15:23:21 ossec-agent: DEBUG: Checking entry: 'Possible
> Mariposa Botnet'.
> 2010/03/18 15:23:21 ossec-agent: DEBUG: Checking registry:
> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
> \Winlogon'.
> 2010/03/18 15:23:21 ossec-agent: DEBUG: found registry.
> 2010/03/18 15:23:21 ossec-agent: DEBUG: Condition ANY.
> 2010/03/18 15:23:21 ossec-agent: DEBUG: Attempting to send message to
> server.
> 2010/03/18 15:23:21 ossec-agent: DEBUG: Sending message to server:
> 'Windows Malware: Possible Mariposa Botnet.'
> 2010/03/18 15:23:21 ossec-agent: DEBUG: Checking entry: 'Possible
> Malware Gozi'.
> 2010/03/18 15:23:21 ossec-agent: DEBUG: Checking registry: 'HKLM\SYSTEM
> \CurrentControlSet\Control\Session Manager\AppCertDlls'.
> 2010/03/18 15:23:21 ossec-agent: DEBUG: found registry.
> 2010/03/18 15:23:21 ossec-agent: DEBUG: Condition ANY.
> 2010/03/18 15:23:21 ossec-agent: DEBUG: Attempting to send message to
> server.
> 2010/03/18 15:23:21 ossec-agent: DEBUG: Sending message to server:
> 'Windows Malware: Possible Malware Gozi.'
>
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Starting on check_rc_winapps
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking entry: 'Chat/IM -
> MSN'.
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking registry:
> 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSNMessenger'.
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking registry:
> 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSNMessenger'.
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking file: 'C:\Program
> Files\MSN Messenger'.
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking file: 'C:\Program
> Files\Messenger'.
> 2010/03/18 15:23:22 ossec-agent: DEBUG: found file.
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking process:
> 'r:msnmsgr.exe'.
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Attempting to send message to
> server.
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Sending message to server:
> 'Application Found: Chat/IM - MSN. File: C:\Program Files\Messenger.
> Reference: http://www.msn.com .'
> 2010/03/18 15:23:23 ossec-agent: DEBUG: Going into check_rc_dev
> 2010/03/18 15:23:23 ossec-agent: DEBUG: Going into check_rc_sys
> 2010/03/18 15:23:23 ossec-agent: DEBUG: Starting on check_rc_sys
> 2010/03/18 15:23:25 ossec-agent: DEBUG: Going into check_rc_pids
> 2010/03/18 15:23:25 ossec-agent: DEBUG: Going into check_rc_ports
> 2010/03/18 15:23:25 ossec-agent: DEBUG: Going into check_open_ports
> 2010/03/18 15:23:25 ossec-agent: DEBUG: Going into check_rc_if
> 2010/03/18 15:23:25 ossec-agent: DEBUG: Completed with all checks.
> 2010/03/18 15:23:30 ossec-agent: DEBUG: Attempting to send message to
> server.
> 2010/03/18 15:23:30 ossec-agent: DEBUG: Sending message to server:
> 'Ending rootcheck scan.'
> 2010/03/18 15:23:30 ossec-agent: INFO: Ending rootcheck scan.
> 2010/03/18 15:23:30 ossec-agent: DEBUG: Leaving run_rk_check
> 2010/03/18 15:23:30 ossec-agent: INFO: Starting syscheck scan.
>
>
>
> <!-- Contents of /var/ossec/logs/ossec.log -->
>
> 2010/03/18 15:22:41 ossec-remoted(1403): ERROR: Incorrectly formated
> message from 'XXX.XXX.XXX.XXX'.
> 2010/03/18 15:23:01 ossec-remoted(1403): ERROR: Incorrectly formated
> message from 'XXX.XXX.XXX.XXX'.
> 2010/03/18 15:23:21 ossec-remoted(1403): ERROR: Incorrectly formated
> message from 'XXX.XXX.XXX.XXX'.
> 2010/03/18 15:23:41 ossec-remoted(1403): ERROR: Incorrectly formated
> message from 'XXX.XXX.XXX.XXX'.
> 2010/03/18 15:24:01 ossec-remoted(1403): ERROR: Incorrectly formated
> message from 'XXX.XXX.XXX.XXX'.
>
> The above messages refer to the same IP (which is another agent and
> not the Windows agent I am referring to here)
>
> <!-- OS Name -->
> Agent - Windows XP Pro SP3
>
>
>
> Any help is appreciated.
>
> Vipul.
>
> To unsubscribe from this group, send email to 
> ossec-list+unsubscribegooglegroups.com or reply to this email with the words 
> "REMOVE ME" as the subject.
>
