Hi Daniel, I still cannot get the registry entry to work. Here is what I have -

[Possible Mariposa Botnet] [any] []
r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> Taskman -> r:C:\RECYCLER;

I made the above addition in the win_malware_rcl.txt file and then added the corresponding key in the registry. I do not get any alert for 'Possible Mariposa Botnet'. Please advise.

I am trying to check if the above registry key has any value that begins with C:\RECYCLER\..., then it should alert me.

I have also tried the following combinations but no success.

r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> Taskman -> r:C:\RECYCLER\*;
r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> Taskman -> =:C:\RECYCLER\*;

Thank you for your help and time.

Vipul.

On Fri, Mar 19, 2010 at 2:53 PM, Daniel Cid <[email protected]> wrote:
> Hi Vipul,
>
> Yes, you can use wildcards, but you have to specify the "r:" before using it:
>
> r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> Taskman -> r:C:\RECYCLER;
>
> If the agent is sending the events properly to the manager, you have to check if the rules are enabled for that event. Try enabling log_all to see if you get all the alerts.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Thu, Mar 18, 2010 at 5:57 PM, Vipul_Gupta <[email protected]> wrote:
> > Hey All,
> > I have two questions.
> >
> > 1) Is it possible to use wildcards in win_malware_rcl.txt file?
> >
> > I am trying to monitor the following registry key such that if "Taskman" has a value that begins with C:\RECYCLER and anything after that, it should be reported as a possible malware. But it is not working.
> >
> > r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> Taskman -> =:C:\RECYCLER*;
> >
> > 2) I changed some registry entries (in accordance with win_malware_rcl.txt) for testing the malware detection. I checked the ossec log at the agent and (in debug mode) found that the agent is sending the messages to the server (regarding detected malware), but they are not being reported at the WUI.
> >
> > The relevant information is as follows -
> >
> > OSSEC version 2.3
> >
> > <!--Contents of /etc/ossec-init.conf-->
> >
> > DIRECTORY="/var/ossec"
> > VERSION="v2.3"
> > DATE="Fri Feb 19 10:36:08 EST 2010"
> > TYPE="server"
> >
> > <!-- Contents of C:\Program Files\ossec-agent\ossec.log -->
> >
> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Attempting to send message to server.
> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Sending message to server: 'Starting rootcheck scan.'
> > 2010/03/18 15:23:19 ossec-agent: INFO: Starting rootcheck scan.
> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Starting on check_rc_winaudit
> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Checking entry: 'Disabled Registry tools set'.
> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Checking registry: 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'.
> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Condition ANY.
> > .
> > . SOME MORE AUDIT CHECKS DONE HERE
> > .
> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Checking entry: 'Null sessions allowed'.
> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Checking registry: 'HKLM\System\CurrentControlSet\Control\Lsa'.
> > 2010/03/18 15:23:19 ossec-agent: DEBUG: found registry.
> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Condition ANY.
> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Attempting to send message to server.
> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Sending message to server: 'Windows Audit: Null sessions allowed.'
> >
> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Starting on check_rc_winmalware
> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Checking entry: 'Ginwui Backdoor'.
> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Checking file: 'C:\WINDOWS\System32\zsyhide.dll'.
> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Condition ANY.
> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Checking file: 'C:\WINDOWS\System32\zsydll.dll'.
> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Condition ANY.
> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Checking registry: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zsydll'.
> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Condition ANY.
> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Checking registry: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'.
> > 2010/03/18 15:23:20 ossec-agent: DEBUG: found registry.
> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Condition ANY.
> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Attempting to send message to server.
> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Sending message to server: 'Windows Malware: Ginwui Backdoor. Reference: http://www.iss.net/threats/ginwui.html .'
> > .
> > . SOME MORE CHECKS FOR MALWARE
> > .
> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Checking entry: 'Possible Mariposa Botnet'.
> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Checking registry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'.
> > 2010/03/18 15:23:21 ossec-agent: DEBUG: found registry.
> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Condition ANY.
> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Attempting to send message to server.
> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Sending message to server: 'Windows Malware: Possible Mariposa Botnet.'
> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Checking entry: 'Possible Malware Gozi'.
> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Checking registry: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'.
> > 2010/03/18 15:23:21 ossec-agent: DEBUG: found registry.
> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Condition ANY.
> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Attempting to send message to server.
> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Sending message to server: 'Windows Malware: Possible Malware Gozi.'
> >
> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Starting on check_rc_winapps
> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking entry: 'Chat/IM - MSN'.
> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking registry: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSNMessenger'.
> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking registry: 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSNMessenger'.
> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking file: 'C:\Program Files\MSN Messenger'.
> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking file: 'C:\Program Files\Messenger'.
> > 2010/03/18 15:23:22 ossec-agent: DEBUG: found file.
> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking process: 'r:msnmsgr.exe'.
> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Attempting to send message to server.
> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Sending message to server: 'Application Found: Chat/IM - MSN. File: C:\Program Files\Messenger. Reference: http://www.msn.com .'
> > 2010/03/18 15:23:23 ossec-agent: DEBUG: Going into check_rc_dev
> > 2010/03/18 15:23:23 ossec-agent: DEBUG: Going into check_rc_sys
> > 2010/03/18 15:23:23 ossec-agent: DEBUG: Starting on check_rc_sys
> > 2010/03/18 15:23:25 ossec-agent: DEBUG: Going into check_rc_pids
> > 2010/03/18 15:23:25 ossec-agent: DEBUG: Going into check_rc_ports
> > 2010/03/18 15:23:25 ossec-agent: DEBUG: Going into check_open_ports
> > 2010/03/18 15:23:25 ossec-agent: DEBUG: Going into check_rc_if
> > 2010/03/18 15:23:25 ossec-agent: DEBUG: Completed with all checks.
> > 2010/03/18 15:23:30 ossec-agent: DEBUG: Attempting to send message to server.
> > 2010/03/18 15:23:30 ossec-agent: DEBUG: Sending message to server: 'Ending rootcheck scan.'
> > 2010/03/18 15:23:30 ossec-agent: INFO: Ending rootcheck scan.
> > 2010/03/18 15:23:30 ossec-agent: DEBUG: Leaving run_rk_check
> > 2010/03/18 15:23:30 ossec-agent: INFO: Starting syscheck scan.
> >
> > <!-- Contents of /var/ossec/logs/ossec.log -->
> >
> > 2010/03/18 15:22:41 ossec-remoted(1403): ERROR: Incorrectly formated message from 'XXX.XXX.XXX.XXX'.
> > 2010/03/18 15:23:01 ossec-remoted(1403): ERROR: Incorrectly formated message from 'XXX.XXX.XXX.XXX'.
> > 2010/03/18 15:23:21 ossec-remoted(1403): ERROR: Incorrectly formated message from 'XXX.XXX.XXX.XXX'.
> > 2010/03/18 15:23:41 ossec-remoted(1403): ERROR: Incorrectly formated message from 'XXX.XXX.XXX.XXX'.
> > 2010/03/18 15:24:01 ossec-remoted(1403): ERROR: Incorrectly formated message from 'XXX.XXX.XXX.XXX'.
> >
> > The above messages refer to the same IP (which is another agent and not the Windows agent I am referring to here).
> >
> > <!-- OS Name -->
> > Agent - Windows XP Pro SP3
> >
> > Any help is appreciated.
> >
> > Vipul.
> >
> > To unsubscribe from this group, send email to ossec-list+unsubscribegooglegroups.com or reply to this email with the words "REMOVE ME" as the subject.

--
Vipul Gupta
Department of Computer Science & Engineering, University of South Carolina.
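As an added illustration of the rcl syntax discussed in this thread (example code, not OSSEC's own rootcheck code or anything either poster wrote): a small Python model of how a `[name] [any|all] [reference]` entry with `r:KEY -> ValueName -> pattern` checks is evaluated against a registry snapshot, with `r:` as a regex search and `=:` as an exact comparison. It shows why `r:C:\RECYCLER` fires on a value that merely starts with that path while `=:C:\RECYCLER\*` only matches the literal string. The registry contents are constructed, and Python's `re` standing in for OSSEC's own regex dialect is an assumption.

```python
import re

# Constructed rcl text in the shape of the entry quoted in the thread
RCL_TEXT = r"""
[Possible Mariposa Botnet] [any] []
r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> Taskman -> r:C:\RECYCLER;
"""

# Constructed registry snapshot: key path -> {value name: value data}
REGISTRY = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Taskman": r"C:\RECYCLER\S-1-5-21-0-0-0-1234\svchost.exe",  # constructed value
    },
}

def parse_rcl(text):
    """Group each '[name] [any|all] [reference]' header with the ';'-terminated checks below it."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        header = re.match(r"\[(.+?)\]\s*\[(\w+)\]\s*\[(.*?)\]$", line)
        if header:
            entries.append({"name": header.group(1), "cond": header.group(2).lower(), "checks": []})
        elif entries and line.endswith(";"):
            entries[-1]["checks"].append(line[:-1])
    return entries

def data_matches(pattern, data):
    """'r:' is a regex search, '=:' an exact comparison of the whole value; nothing else is accepted."""
    if pattern.startswith("r:"):
        # Backslashes are escaped so a path reads as in the rcl file; Python's re stands in for OSSEC's regex dialect (assumption), case-insensitively.
        return re.search(pattern[2:].replace("\\", "\\\\"), data, re.IGNORECASE) is not None
    if pattern.startswith("=:"):
        return pattern[2:] == data
    raise ValueError(f"unknown pattern prefix in {pattern!r}")

def check_hits(check, registry):
    """Evaluate one 'r:KEY -> ValueName -> pattern' line; the leading r: marks a registry check."""
    key, value_name, pattern = (p.strip() for p in check.split("->"))
    values = registry.get(key[2:] if key.startswith("r:") else key, {})
    return value_name in values and data_matches(pattern, values[value_name])

def scan(rcl_text, registry):
    """Return the names of entries that fire, honouring the [any]/[all] condition."""
    alerts = []
    for entry in parse_rcl(rcl_text):
        results = [check_hits(c, registry) for c in entry["checks"]]
        if results and (all(results) if entry["cond"] == "all" else any(results)):
            alerts.append(entry["name"])
    return alerts
```

Note that the agent log quoted above already reports 'Windows Malware: Possible Mariposa Botnet.' being sent, so the matching side is only half of the picture; whether the manager's rules accept and log the event is the other half.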
