Hi Vipul,

Yes, you can use wildcards, but you have to specify the "r:" before using it:

r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> Taskman -> r:C:\RECYCLER;

If the agent is sending the events properly to the manager, you have to check if the rules are enabled for that event. Try enabling log_all to see if you get all the alerts.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Thu, Mar 18, 2010 at 5:57 PM, Vipul_Gupta <[email protected]> wrote:
> Hey All,
> I have two questions.
>
> 1) Is it possible to use wildcards in win_malware_rcl.txt file?
>
> I am trying to monitor the following registry key such that if
> "Taskman" has a value that begins with C:\RECYCLER and anything after
> that, it should be reported as a possible malware. But it is not
> working.
>
> r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> Taskman -> =:C:\RECYCLER*;
>
> 2) I changed some registry entries (in accordance with
> win_malware_rcl.txt) for testing the malware detection. I checked the
> ossec log at the agent and (in debug mode) found that the agent is
> sending the messages to the server (regarding detected malware), but
> they are not being reported at the WUI.
>
> The relevant information is as follows -
>
> OSSEC version 2.3
>
> <!-- Contents of /etc/ossec-init.conf -->
>
> DIRECTORY="/var/ossec"
> VERSION="v2.3"
> DATE="Fri Feb 19 10:36:08 EST 2010"
> TYPE="server"
>
> <!-- Contents of C:\Program Files\ossec-agent\ossec.log -->
>
> 2010/03/18 15:23:19 ossec-agent: DEBUG: Attempting to send message to server.
> 2010/03/18 15:23:19 ossec-agent: DEBUG: Sending message to server: 'Starting rootcheck scan.'
> 2010/03/18 15:23:19 ossec-agent: INFO: Starting rootcheck scan.
> 2010/03/18 15:23:19 ossec-agent: DEBUG: Starting on check_rc_winaudit
> 2010/03/18 15:23:19 ossec-agent: DEBUG: Checking entry: 'Disabled Registry tools set'.
> 2010/03/18 15:23:19 ossec-agent: DEBUG: Checking registry: 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'.
> 2010/03/18 15:23:19 ossec-agent: DEBUG: Condition ANY.
> .
> . SOME MORE AUDIT CHECKS DONE HERE
> .
> 2010/03/18 15:23:19 ossec-agent: DEBUG: Checking entry: 'Null sessions allowed'.
> 2010/03/18 15:23:19 ossec-agent: DEBUG: Checking registry: 'HKLM\System\CurrentControlSet\Control\Lsa'.
> 2010/03/18 15:23:19 ossec-agent: DEBUG: found registry.
> 2010/03/18 15:23:19 ossec-agent: DEBUG: Condition ANY.
> 2010/03/18 15:23:19 ossec-agent: DEBUG: Attempting to send message to server.
> 2010/03/18 15:23:19 ossec-agent: DEBUG: Sending message to server: 'Windows Audit: Null sessions allowed.'
>
> 2010/03/18 15:23:19 ossec-agent: DEBUG: Starting on check_rc_winmalware
> 2010/03/18 15:23:19 ossec-agent: DEBUG: Checking entry: 'Ginwui Backdoor'.
> 2010/03/18 15:23:20 ossec-agent: DEBUG: Checking file: 'C:\WINDOWS\System32\zsyhide.dll'.
> 2010/03/18 15:23:20 ossec-agent: DEBUG: Condition ANY.
> 2010/03/18 15:23:20 ossec-agent: DEBUG: Checking file: 'C:\WINDOWS\System32\zsydll.dll'.
> 2010/03/18 15:23:20 ossec-agent: DEBUG: Condition ANY.
> 2010/03/18 15:23:20 ossec-agent: DEBUG: Checking registry: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zsydll'.
> 2010/03/18 15:23:20 ossec-agent: DEBUG: Condition ANY.
> 2010/03/18 15:23:20 ossec-agent: DEBUG: Checking registry: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'.
> 2010/03/18 15:23:20 ossec-agent: DEBUG: found registry.
> 2010/03/18 15:23:20 ossec-agent: DEBUG: Condition ANY.
> 2010/03/18 15:23:20 ossec-agent: DEBUG: Attempting to send message to server.
> 2010/03/18 15:23:20 ossec-agent: DEBUG: Sending message to server: 'Windows Malware: Ginwui Backdoor. Reference: http://www.iss.net/threats/ginwui.html .'
> .
> . SOME MORE CHECKS FOR MALWARE
> .
> 2010/03/18 15:23:21 ossec-agent: DEBUG: Checking entry: 'Possible Mariposa Botnet'.
> 2010/03/18 15:23:21 ossec-agent: DEBUG: Checking registry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'.
> 2010/03/18 15:23:21 ossec-agent: DEBUG: found registry.
> 2010/03/18 15:23:21 ossec-agent: DEBUG: Condition ANY.
> 2010/03/18 15:23:21 ossec-agent: DEBUG: Attempting to send message to server.
> 2010/03/18 15:23:21 ossec-agent: DEBUG: Sending message to server: 'Windows Malware: Possible Mariposa Botnet.'
> 2010/03/18 15:23:21 ossec-agent: DEBUG: Checking entry: 'Possible Malware Gozi'.
> 2010/03/18 15:23:21 ossec-agent: DEBUG: Checking registry: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'.
> 2010/03/18 15:23:21 ossec-agent: DEBUG: found registry.
> 2010/03/18 15:23:21 ossec-agent: DEBUG: Condition ANY.
> 2010/03/18 15:23:21 ossec-agent: DEBUG: Attempting to send message to server.
> 2010/03/18 15:23:21 ossec-agent: DEBUG: Sending message to server: 'Windows Malware: Possible Malware Gozi.'
>
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Starting on check_rc_winapps
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking entry: 'Chat/IM - MSN'.
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking registry: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSNMessenger'.
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking registry: 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSNMessenger'.
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking file: 'C:\Program Files\MSN Messenger'.
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking file: 'C:\Program Files\Messenger'.
> 2010/03/18 15:23:22 ossec-agent: DEBUG: found file.
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking process: 'r:msnmsgr.exe'.
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Attempting to send message to server.
> 2010/03/18 15:23:22 ossec-agent: DEBUG: Sending message to server: 'Application Found: Chat/IM - MSN. File: C:\Program Files\Messenger. Reference: http://www.msn.com .'
> 2010/03/18 15:23:23 ossec-agent: DEBUG: Going into check_rc_dev
> 2010/03/18 15:23:23 ossec-agent: DEBUG: Going into check_rc_sys
> 2010/03/18 15:23:23 ossec-agent: DEBUG: Starting on check_rc_sys
> 2010/03/18 15:23:25 ossec-agent: DEBUG: Going into check_rc_pids
> 2010/03/18 15:23:25 ossec-agent: DEBUG: Going into check_rc_ports
> 2010/03/18 15:23:25 ossec-agent: DEBUG: Going into check_open_ports
> 2010/03/18 15:23:25 ossec-agent: DEBUG: Going into check_rc_if
> 2010/03/18 15:23:25 ossec-agent: DEBUG: Completed with all checks.
> 2010/03/18 15:23:30 ossec-agent: DEBUG: Attempting to send message to server.
> 2010/03/18 15:23:30 ossec-agent: DEBUG: Sending message to server: 'Ending rootcheck scan.'
> 2010/03/18 15:23:30 ossec-agent: INFO: Ending rootcheck scan.
> 2010/03/18 15:23:30 ossec-agent: DEBUG: Leaving run_rk_check
> 2010/03/18 15:23:30 ossec-agent: INFO: Starting syscheck scan.
>
> <!-- Contents of /var/ossec/logs/ossec.log -->
>
> 2010/03/18 15:22:41 ossec-remoted(1403): ERROR: Incorrectly formated message from 'XXX.XXX.XXX.XXX'.
> 2010/03/18 15:23:01 ossec-remoted(1403): ERROR: Incorrectly formated message from 'XXX.XXX.XXX.XXX'.
> 2010/03/18 15:23:21 ossec-remoted(1403): ERROR: Incorrectly formated message from 'XXX.XXX.XXX.XXX'.
> 2010/03/18 15:23:41 ossec-remoted(1403): ERROR: Incorrectly formated message from 'XXX.XXX.XXX.XXX'.
> 2010/03/18 15:24:01 ossec-remoted(1403): ERROR: Incorrectly formated message from 'XXX.XXX.XXX.XXX'.
>
> The above messages refer to the same IP (which is another agent and
> not the Windows agent I am referring to here).
>
> <!-- OS Name -->
> Agent - Windows XP Pro SP3
>
> Any help is appreciated.
>
> Vipul.
>
> To unsubscribe from this group, send email to
> ossec-list+unsubscribegooglegroups.com or reply to this email with the words
> "REMOVE ME" as the subject.
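The difference between the poster's `=:C:\RECYCLER*` and the `r:C:\RECYCLER` form suggested above comes down to how the value-pattern prefix of a rootcheck rcl check is interpreted. The following is an added illustration, not OSSEC code and not part of this thread: a small Python emulation of the `r:KEY -> ENTRY -> PATTERN;` registry-check line and the `[Name] [any|all] [reference]` block header from the win_*_rcl.txt files. Assumptions made here: Python's `re` module stands in for OSSEC's own OS_Regex engine (so the regex dialect is approximate and a literal backslash is written as `\\` in the pattern), bare patterns without a prefix are treated like `=:`, only `any`/`all` conditions and only registry (`r:`) checks are modelled, and the registry contents are constructed for the example rather than taken from any real host.

```python
"""Emulate OSSEC rootcheck rcl registry checks: '=:' exact, 'r:' regex, '!' negation.

Added example, not OSSEC source. Python's re stands in for OS_Regex (assumption).
"""
import re

# Constructed sample registry: a Winlogon key whose Taskman value points into
# C:\RECYCLER, the situation the poster was trying to detect.
SAMPLE_REGISTRY = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Taskman": r"C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise.exe",
        "Shell": "Explorer.exe",
    },
}


def value_matches(pattern: str, value: str) -> bool:
    """Apply one rcl value pattern to a registry value."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    if pattern.startswith("=:"):
        # Exact comparison: a trailing '*' is just another character, never a wildcard.
        hit = value == pattern[2:]
    elif pattern.startswith("r:"):
        # Regular-expression search: this is the prefix that enables wildcard-style matching.
        hit = re.search(pattern[2:], value) is not None
    else:
        hit = value == pattern  # assumption: a bare pattern behaves like '=:'
    return hit != negate


def check_registry_line(line: str, registry: dict) -> bool:
    """Evaluate 'r:KEY[ -> ENTRY[ -> PATTERN]];' and return True when it fires."""
    body = line.strip().rstrip(";")
    if not body.startswith("r:"):
        return False  # f:, d: and p: checks are not emulated in this example
    parts = [p.strip() for p in body[2:].split("->")]
    values = registry.get(parts[0])
    if values is None:
        return False  # key absent
    if len(parts) == 1:
        return True  # key exists
    if parts[1] not in values:
        return False  # entry absent
    if len(parts) == 2:
        return True  # entry exists
    return value_matches(parts[2], values[parts[1]])


HEADER = re.compile(r"^\[(.+?)\]\s*\[(any|all)\]\s*\[(.*)\]$")


def evaluate_rcl_block(block: str, registry: dict):
    """Parse one rcl block (header line plus check lines) and return (name, fired)."""
    lines = [l.strip() for l in block.strip().splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    m = HEADER.match(lines[0])
    if not m:
        raise ValueError("missing rcl header: " + lines[0])
    name, condition = m.group(1), m.group(2)
    results = [check_registry_line(l, registry) for l in lines[1:]]
    fired = any(results) if condition == "any" else all(results)
    return name, fired


# The poster's attempt: '*' inside an exact match is literal, so this never fires.
BLOCK_EXACT_STAR = r"""
[Taskman exact-match attempt] [any] []
r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> Taskman -> =:C:\RECYCLER*;
"""

# The corrected form: a regex anchored at the start of the value (backslash doubled for Python re).
BLOCK_REGEX = r"""
[Taskman regex] [any] []
r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> Taskman -> r:^C:\\RECYCLER;
"""

if __name__ == "__main__":
    for block in (BLOCK_EXACT_STAR, BLOCK_REGEX):
        name, fired = evaluate_rcl_block(block, SAMPLE_REGISTRY)
        print(f"{name}: {'FIRES' if fired else 'no match'}")
```

Running it shows the exact-match block staying silent while the regex block fires against the same Taskman value, which is the behaviour described in the reply. A real deployment should of course be verified with the agent's own debug output (the "Checking registry" and "Sending message to server" lines quoted in the thread) rather than with this emulation.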
