Hey, did you add that to the malware_rct.txt on the manager or on the agent? If you added on the manager, you have to wait until the manager pushes the file to the agent.

Also, you can try to debug it by running the ossec-rootcheck directly.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Tue, Mar 23, 2010 at 3:13 PM, Vipul Gupta <[email protected]> wrote:
> Hi Daniel,
> I still cannot get the registry entry to work. Here is what I have -
>
> [Possible Mariposa Botnet] [any] []
> r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> Taskman -> r:C:\RECYCLER;
>
> I made the above addition in the win_malware_rcl.txt file and then added the corresponding key in the registry. I do not get any alert for 'Possible Mariposa Botnet'. Please advise.
> I am trying to check if the above registry key has any value that begins with C:\RECYCLER\..., then it should alert me.
> I have also tried the following combinations but no success.
>
> r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> Taskman -> r:C:\RECYCLER\*;
> r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> Taskman -> =:C:\RECYCLER\*;
>
> Thank you for your help and time.
> Vipul.
>
> On Fri, Mar 19, 2010 at 2:53 PM, Daniel Cid <[email protected]> wrote:
>>
>> Hi Vipul,
>>
>> Yes, you can use wildcards, but you have to specify the "r:" before using it:
>>
>> r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> Taskman -> r:C:\RECYCLER;
>>
>> If the agent is sending the events properly to the manager, you have to check if the rules are enabled for that event. Try enabling log_all to see if you get all the alerts.
>>
>> Thanks,
>>
>> --
>> Daniel B. Cid
>> dcid ( at ) ossec.net
>>
>> On Thu, Mar 18, 2010 at 5:57 PM, Vipul_Gupta <[email protected]> wrote:
>> > Hey All,
>> > I have two questions.
>> >
>> > 1) Is it possible to use wildcards in win_malware_rcl.txt file?
>> >
>> > I am trying to monitor the following registry key such that if "Taskman" has a value that begins with C:\RECYCLER and anything after that, it should be reported as a possible malware. But it is not working.
>> >
>> > r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> Taskman -> =:C:\RECYCLER*;
>> >
>> > 2) I changed some registry entries (in accordance with win_malware_rcl.txt) for testing the malware detection. I checked the ossec log at the agent and (in debug mode) found that the agent is sending the messages to the server (regarding detected malware), but they are not being reported at the WUI.
>> >
>> > The relevant information is as follows -
>> >
>> > OSSEC version 2.3
>> >
>> > <!--Contents of /etc/ossec-init.conf-->
>> >
>> > DIRECTORY="/var/ossec"
>> > VERSION="v2.3"
>> > DATE="Fri Feb 19 10:36:08 EST 2010"
>> > TYPE="server"
>> >
>> > <!-- Contents of C:\Program Files\ossec-agent\ossec.log -->
>> >
>> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Attempting to send message to server.
>> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Sending message to server: 'Starting rootcheck scan.'
>> > 2010/03/18 15:23:19 ossec-agent: INFO: Starting rootcheck scan.
>> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Starting on check_rc_winaudit
>> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Checking entry: 'Disabled Registry tools set'.
>> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Checking registry: 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'.
>> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Condition ANY.
>> > .
>> > . SOME MORE AUDIT CHECKS DONE HERE
>> > .
>> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Checking entry: 'Null sessions allowed'.
>> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Checking registry: 'HKLM\System\CurrentControlSet\Control\Lsa'.
>> > 2010/03/18 15:23:19 ossec-agent: DEBUG: found registry.
>> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Condition ANY.
>> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Attempting to send message to server.
>> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Sending message to server: 'Windows Audit: Null sessions allowed.'
>> >
>> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Starting on check_rc_winmalware
>> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Checking entry: 'Ginwui Backdoor'.
>> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Checking file: 'C:\WINDOWS\System32\zsyhide.dll'.
>> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Condition ANY.
>> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Checking file: 'C:\WINDOWS\System32\zsydll.dll'.
>> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Condition ANY.
>> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Checking registry: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zsydll'.
>> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Condition ANY.
>> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Checking registry: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'.
>> > 2010/03/18 15:23:20 ossec-agent: DEBUG: found registry.
>> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Condition ANY.
>> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Attempting to send message to server.
>> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Sending message to server: 'Windows Malware: Ginwui Backdoor. Reference: http://www.iss.net/threats/ginwui.html .'
>> > .
>> > . SOME MORE CHECKS FOR MALWARE
>> > .
>> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Checking entry: 'Possible Mariposa Botnet'.
>> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Checking registry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'.
>> > 2010/03/18 15:23:21 ossec-agent: DEBUG: found registry.
>> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Condition ANY.
>> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Attempting to send message to server.
>> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Sending message to server: 'Windows Malware: Possible Mariposa Botnet.'
>> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Checking entry: 'Possible Malware Gozi'.
>> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Checking registry: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'.
>> > 2010/03/18 15:23:21 ossec-agent: DEBUG: found registry.
>> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Condition ANY.
>> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Attempting to send message to server.
>> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Sending message to server: 'Windows Malware: Possible Malware Gozi.'
>> >
>> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Starting on check_rc_winapps
>> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking entry: 'Chat/IM - MSN'.
>> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking registry: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSNMessenger'.
>> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
>> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking registry: 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSNMessenger'.
>> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
>> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking file: 'C:\Program Files\MSN Messenger'.
>> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
>> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking file: 'C:\Program Files\Messenger'.
>> > 2010/03/18 15:23:22 ossec-agent: DEBUG: found file.
>> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
>> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking process: 'r:msnmsgr.exe'.
>> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
>> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Attempting to send message to server.
>> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Sending message to server: 'Application Found: Chat/IM - MSN. File: C:\Program Files\Messenger. Reference: http://www.msn.com .'
>> > 2010/03/18 15:23:23 ossec-agent: DEBUG: Going into check_rc_dev
>> > 2010/03/18 15:23:23 ossec-agent: DEBUG: Going into check_rc_sys
>> > 2010/03/18 15:23:23 ossec-agent: DEBUG: Starting on check_rc_sys
>> > 2010/03/18 15:23:25 ossec-agent: DEBUG: Going into check_rc_pids
>> > 2010/03/18 15:23:25 ossec-agent: DEBUG: Going into check_rc_ports
>> > 2010/03/18 15:23:25 ossec-agent: DEBUG: Going into check_open_ports
>> > 2010/03/18 15:23:25 ossec-agent: DEBUG: Going into check_rc_if
>> > 2010/03/18 15:23:25 ossec-agent: DEBUG: Completed with all checks.
>> > 2010/03/18 15:23:30 ossec-agent: DEBUG: Attempting to send message to server.
>> > 2010/03/18 15:23:30 ossec-agent: DEBUG: Sending message to server: 'Ending rootcheck scan.'
>> > 2010/03/18 15:23:30 ossec-agent: INFO: Ending rootcheck scan.
>> > 2010/03/18 15:23:30 ossec-agent: DEBUG: Leaving run_rk_check
>> > 2010/03/18 15:23:30 ossec-agent: INFO: Starting syscheck scan.
>> >
>> > <!-- Contents of /var/ossec/logs/ossec.log -->
>> >
>> > 2010/03/18 15:22:41 ossec-remoted(1403): ERROR: Incorrectly formated message from 'XXX.XXX.XXX.XXX'.
>> > 2010/03/18 15:23:01 ossec-remoted(1403): ERROR: Incorrectly formated message from 'XXX.XXX.XXX.XXX'.
>> > 2010/03/18 15:23:21 ossec-remoted(1403): ERROR: Incorrectly formated message from 'XXX.XXX.XXX.XXX'.
>> > 2010/03/18 15:23:41 ossec-remoted(1403): ERROR: Incorrectly formated message from 'XXX.XXX.XXX.XXX'.
>> > 2010/03/18 15:24:01 ossec-remoted(1403): ERROR: Incorrectly formated message from 'XXX.XXX.XXX.XXX'.
>> >
>> > The above messages refer to the same IP (which is another agent and not the Windows agent I am referring to here)
>> >
>> > <!-- OS Name -->
>> > Agent - Windows XP Pro SP3
>> >
>> > Any help is appreciated.
>> >
>> > Vipul.
>> >
>> > To unsubscribe from this group, send email to ossec-list+unsubscribegooglegroups.com or reply to this email with the words "REMOVE ME" as the subject.
>
> --
> Vipul Gupta
>
> Department of Computer Science & Engineering,
> University of South Carolina.
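To make the three data-match forms tried in this thread concrete (`r:C:\RECYCLER`, `r:C:\RECYCLER\*`, `=:C:\RECYCLER*`), here is an added example, my own and not OSSEC's code, that evaluates a `win_malware_rcl.txt` registry line against a constructed registry snapshot. It assumes a simplified model of the rcl syntax: `=:` is an exact comparison, `r:` is an unanchored regex search with backslashes in paths treated as literal, and value names are matched literally; OSSEC's own OS_Regex engine is not reproduced.

```python
import re

# Constructed registry snapshot (not from a real host): key path -> {value name: data}.
SAMPLE_REGISTRY = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Shell": "Explorer.exe",
        "Taskman": r"C:\RECYCLER\S-1-5-21-0\svchost.exe",  # constructed suspicious value
    },
}

def to_python_regex(pattern):
    """Translate the rcl regex subset modelled here to Python re syntax.
    Assumption (simplified model, not OSSEC's OS_Regex): only * + ^ $ | ( ) are
    metacharacters and '\\.' means any character; everything else, including the
    backslashes in registry paths, is literal."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("\\.", i):
            out.append(".")
            i += 2
            continue
        ch = pattern[i]
        out.append(ch if ch in "*+^$|()" else re.escape(ch))
        i += 1
    return "".join(out)

def data_matches(spec, data):
    """'=:' compares the value data exactly; 'r:' does an unanchored regex search;
    no prefix only requires the value to exist."""
    if spec.startswith("=:"):
        return data == spec[2:]
    if spec.startswith("r:"):
        return re.search(to_python_regex(spec[2:]), data) is not None
    return True

def check_registry_entry(entry, registry=SAMPLE_REGISTRY):
    """Evaluate one 'r:KEY -> VALUE_NAME -> DATA_SPEC;' rcl line against a snapshot."""
    parts = [p.strip() for p in entry.strip().rstrip(";").split(" -> ")]
    key = parts[0][2:] if parts[0].startswith("r:") else parts[0]
    values = registry.get(key)
    if values is None:
        return False             # key absent: the entry cannot fire
    if len(parts) == 1:
        return True              # only the key's existence was required
    data = values.get(parts[1])  # value names are matched literally here
    if data is None:
        return False
    return data_matches(parts[2] if len(parts) > 2 else "", data)
```

With the constructed snapshot, the `r:C:\RECYCLER` form fires while `=:C:\RECYCLER*` does not, because under `=:` the asterisk is compared as a literal character.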
