Hey,

Those are set as level 0 by default. You need to create a local rule for them to show up.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, Mar 26, 2010 at 12:46 PM, Vipul Gupta <[email protected]> wrote:
> Hi Daniel,
> The malware_rcl.txt worked. Thanks.
> For the second issue, I enabled logall on the server and I could see all the
> (malware) messages received by the server. However, the WUI is not showing
> the alerts that malware was detected on the agent. Also, the Windows Audit
> and Application alerts are not shown on the WUI. Is there a particular
> reason why the WUI is not showing those messages?
> Please advise.
> Thank you for all of your help.
> Vipul.
>
>
> On Wed, Mar 24, 2010 at 10:04 AM, Daniel Cid <[email protected]> wrote:
>>
>> Hey,
>>
>> Did you add that to the malware_rcl.txt on the manager or on the
>> agent? If you added it on the manager, you have
>> to wait until the manager pushes the file to the agent.
>>
>> Also, you can try to debug it by running the ossec-rootcheck directly.
>>
>> thanks,
>>
>> --
>> Daniel B. Cid
>> dcid ( at ) ossec.net
>>
>> On Tue, Mar 23, 2010 at 3:13 PM, Vipul Gupta <[email protected]> wrote:
>> > Hi Daniel,
>> > I still cannot get the registry entry to work. Here is what I have -
>> >
>> > [Possible Mariposa Botnet] [any] []
>> > r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> Taskman -> r:C:\RECYCLER;
>> >
>> > I made the above addition in the win_malware_rcl.txt file and then added the
>> > corresponding key in the registry. I do not get any alert for 'Possible
>> > Mariposa Botnet'. Please advise.
>> > I am trying to check if the above registry key has any value that begins
>> > with C:\RECYCLER\..., then it should alert me.
>> > I have also tried the following combinations but no success.
>> >
>> > r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> Taskman -> r:C:\RECYCLER\*;
>> > r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> Taskman -> =:C:\RECYCLER\*;
>> >
>> > Thank you for your help and time.
>> > Vipul.
>> >
>> >
>> > On Fri, Mar 19, 2010 at 2:53 PM, Daniel Cid <[email protected]> wrote:
>> >>
>> >> Hi Vipul,
>> >>
>> >> Yes, you can use wildcards, but you have to specify the "r:" before using it:
>> >>
>> >> r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> Taskman -> r:C:\RECYCLER;
>> >>
>> >> If the agent is sending the events properly to the manager, you have to check if
>> >> the rules are enabled for that event. Try enabling log_all to see if you get all
>> >> the alerts.
>> >>
>> >> Thanks,
>> >>
>> >> --
>> >> Daniel B. Cid
>> >> dcid ( at ) ossec.net
>> >>
>> >> On Thu, Mar 18, 2010 at 5:57 PM, Vipul_Gupta <[email protected]> wrote:
>> >> > Hey All,
>> >> > I have two questions.
>> >> >
>> >> > 1) Is it possible to use wildcards in the win_malware_rcl.txt file?
>> >> >
>> >> > I am trying to monitor the following registry key such that if
>> >> > "Taskman" has a value that begins with C:\RECYCLER and anything after
>> >> > that, it should be reported as possible malware. But it is not working.
>> >> >
>> >> > r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> Taskman -> =:C:\RECYCLER*;
>> >> >
>> >> > 2) I changed some registry entries (in accordance with
>> >> > win_malware_rcl.txt) for testing the malware detection. I checked the
>> >> > ossec log at the agent and (in debug mode) found that the agent is
>> >> > sending the messages to the server (regarding detected malware), but
>> >> > they are not being reported at the WUI.
>> >> >
>> >> > The relevant information is as follows -
>> >> >
>> >> > OSSEC version 2.3
>> >> >
>> >> > <!-- Contents of /etc/ossec-init.conf -->
>> >> >
>> >> > DIRECTORY="/var/ossec"
>> >> > VERSION="v2.3"
>> >> > DATE="Fri Feb 19 10:36:08 EST 2010"
>> >> > TYPE="server"
>> >> >
>> >> > <!-- Contents of C:\Program Files\ossec-agent\ossec.log -->
>> >> >
>> >> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Attempting to send message to server.
>> >> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Sending message to server: 'Starting rootcheck scan.'
>> >> > 2010/03/18 15:23:19 ossec-agent: INFO: Starting rootcheck scan.
>> >> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Starting on check_rc_winaudit
>> >> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Checking entry: 'Disabled Registry tools set'.
>> >> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Checking registry: 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'.
>> >> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Condition ANY.
>> >> > .
>> >> > . SOME MORE AUDIT CHECKS DONE HERE
>> >> > .
>> >> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Checking entry: 'Null sessions allowed'.
>> >> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Checking registry: 'HKLM\System\CurrentControlSet\Control\Lsa'.
>> >> > 2010/03/18 15:23:19 ossec-agent: DEBUG: found registry.
>> >> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Condition ANY.
>> >> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Attempting to send message to server.
>> >> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Sending message to server: 'Windows Audit: Null sessions allowed.'
>> >> >
>> >> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Starting on check_rc_winmalware
>> >> > 2010/03/18 15:23:19 ossec-agent: DEBUG: Checking entry: 'Ginwui Backdoor'.
>> >> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Checking file: 'C:\WINDOWS\System32\zsyhide.dll'.
>> >> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Condition ANY.
>> >> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Checking file: 'C:\WINDOWS\System32\zsydll.dll'.
>> >> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Condition ANY.
>> >> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Checking registry: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zsydll'.
>> >> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Condition ANY.
>> >> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Checking registry: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'.
>> >> > 2010/03/18 15:23:20 ossec-agent: DEBUG: found registry.
>> >> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Condition ANY.
>> >> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Attempting to send message to server.
>> >> > 2010/03/18 15:23:20 ossec-agent: DEBUG: Sending message to server: 'Windows Malware: Ginwui Backdoor. Reference: http://www.iss.net/threats/ginwui.html .'
>> >> > .
>> >> > . SOME MORE CHECKS FOR MALWARE
>> >> > .
>> >> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Checking entry: 'Possible Mariposa Botnet'.
>> >> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Checking registry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'.
>> >> > 2010/03/18 15:23:21 ossec-agent: DEBUG: found registry.
>> >> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Condition ANY.
>> >> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Attempting to send message to server.
>> >> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Sending message to server: 'Windows Malware: Possible Mariposa Botnet.'
>> >> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Checking entry: 'Possible Malware Gozi'.
>> >> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Checking registry: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'.
>> >> > 2010/03/18 15:23:21 ossec-agent: DEBUG: found registry.
>> >> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Condition ANY.
>> >> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Attempting to send message to server.
>> >> > 2010/03/18 15:23:21 ossec-agent: DEBUG: Sending message to server: 'Windows Malware: Possible Malware Gozi.'
>> >> >
>> >> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Starting on check_rc_winapps
>> >> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking entry: 'Chat/IM - MSN'.
>> >> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking registry: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSNMessenger'.
>> >> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
>> >> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking registry: 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSNMessenger'.
>> >> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
>> >> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking file: 'C:\Program Files\MSN Messenger'.
>> >> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
>> >> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking file: 'C:\Program Files\Messenger'.
>> >> > 2010/03/18 15:23:22 ossec-agent: DEBUG: found file.
>> >> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
>> >> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Checking process: 'r:msnmsgr.exe'.
>> >> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Condition ANY.
>> >> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Attempting to send message to server.
>> >> > 2010/03/18 15:23:22 ossec-agent: DEBUG: Sending message to server: 'Application Found: Chat/IM - MSN. File: C:\Program Files\Messenger. Reference: http://www.msn.com .'
>> >> > 2010/03/18 15:23:23 ossec-agent: DEBUG: Going into check_rc_dev
>> >> > 2010/03/18 15:23:23 ossec-agent: DEBUG: Going into check_rc_sys
>> >> > 2010/03/18 15:23:23 ossec-agent: DEBUG: Starting on check_rc_sys
>> >> > 2010/03/18 15:23:25 ossec-agent: DEBUG: Going into check_rc_pids
>> >> > 2010/03/18 15:23:25 ossec-agent: DEBUG: Going into check_rc_ports
>> >> > 2010/03/18 15:23:25 ossec-agent: DEBUG: Going into check_open_ports
>> >> > 2010/03/18 15:23:25 ossec-agent: DEBUG: Going into check_rc_if
>> >> > 2010/03/18 15:23:25 ossec-agent: DEBUG: Completed with all checks.
>> >> > 2010/03/18 15:23:30 ossec-agent: DEBUG: Attempting to send message to server.
>> >> > 2010/03/18 15:23:30 ossec-agent: DEBUG: Sending message to server: 'Ending rootcheck scan.'
>> >> > 2010/03/18 15:23:30 ossec-agent: INFO: Ending rootcheck scan.
>> >> > 2010/03/18 15:23:30 ossec-agent: DEBUG: Leaving run_rk_check
>> >> > 2010/03/18 15:23:30 ossec-agent: INFO: Starting syscheck scan.
>> >> >
>> >> > <!-- Contents of /var/ossec/logs/ossec.log -->
>> >> >
>> >> > 2010/03/18 15:22:41 ossec-remoted(1403): ERROR: Incorrectly formated message from 'XXX.XXX.XXX.XXX'.
>> >> > 2010/03/18 15:23:01 ossec-remoted(1403): ERROR: Incorrectly formated message from 'XXX.XXX.XXX.XXX'.
>> >> > 2010/03/18 15:23:21 ossec-remoted(1403): ERROR: Incorrectly formated message from 'XXX.XXX.XXX.XXX'.
>> >> > 2010/03/18 15:23:41 ossec-remoted(1403): ERROR: Incorrectly formated message from 'XXX.XXX.XXX.XXX'.
>> >> > 2010/03/18 15:24:01 ossec-remoted(1403): ERROR: Incorrectly formated message from 'XXX.XXX.XXX.XXX'.
>> >> >
>> >> > The above messages refer to the same IP (which is another agent and
>> >> > not the Windows agent I am referring to here).
>> >> >
>> >> > <!-- OS Name -->
>> >> > Agent - Windows XP Pro SP3
>> >> >
>> >> > Any help is appreciated.
>> >> >
>> >> > Vipul.
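The fix Daniel points to, written out as an added example (not code from the thread or from the OSSEC project): a local_rules.xml on the manager that gives the three rootcheck message families seen in the agent's debug log ("Windows Malware: ...", "Windows Audit: ...", "Application Found: ...") a non-zero level. The reason they never reach the WUI is that the WUI reads alerts.log, and an event whose final rule is level 0 is never written there, no matter how cleanly the agent delivers it. Assumptions: rootcheck events are decoded by the stock decoder and land on base rule 510 as in the stock ossec_rules.xml, the local rule IDs 100510-100512 are free (the 100000-119999 range is reserved for local rules), and the levels chosen are illustrative.

```xml
<!-- /var/ossec/rules/local_rules.xml on the manager.
     Added example, not part of the thread or the stock ruleset.
     Restart the manager after editing so ossec-analysisd reloads it. -->
<group name="local,rootcheck,">

  <!-- Assumption: rootcheck messages from agents are decoded as "rootcheck"
       and hit stock rule 510; these children narrow it by the message prefix
       the agent sends (visible in the DEBUG "Sending message to server" lines)
       and assign a level high enough to be logged to alerts.log. -->

  <!-- "Windows Malware: Possible Mariposa Botnet." and friends -->
  <rule id="100510" level="12">
    <if_sid>510</if_sid>
    <match>Windows Malware</match>
    <description>Windows malware signature hit reported by rootcheck (local rule).</description>
    <group>rootcheck,malware,</group>
  </rule>

  <!-- "Windows Audit: Null sessions allowed." -->
  <rule id="100511" level="5">
    <if_sid>510</if_sid>
    <match>Windows Audit</match>
    <description>Windows audit/hardening finding reported by rootcheck (local rule).</description>
    <group>rootcheck,audit,</group>
  </rule>

  <!-- "Application Found: Chat/IM - MSN. File: ..." -->
  <rule id="100512" level="3">
    <if_sid>510</if_sid>
    <match>Application Found</match>
    <description>Application inventory hit reported by rootcheck (local rule).</description>
    <group>rootcheck,application,</group>
  </rule>

</group>
```

After restarting the manager, force a new rootcheck run on the agent (or wait for the next scheduled scan) and confirm with `grep "Windows Malware" /var/ossec/logs/alerts/alerts.log` that the event is now written at the new level; the WUI will show it from that point on. One check worth doing: the stock ruleset already carries level-0 children of 510 for these message types (their IDs are not shown in this thread), so verify in alerts.log which rule ID actually fires, and if the stock rule still wins, adjust the local rule so it is the one that matches rather than raising the base rule 510, which would also elevate every other rootcheck message.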
