Maybe combining the manual process monitoring with the check_diff option might help: http://www.ossec.net/dcid/?p=198
On Mon, Jul 12, 2010 at 4:45 PM, David Porcello <[email protected]> wrote:
> Hi all,
>
> I'm attempting to replace my homebrew HIDS scripts with OSSEC for the sleek
> central management and alerting. So far the log monitoring and
> syscheck/rootcheck are working beautifully, but I can't figure out how to do
> baselining and anomaly detection for certain key intrusion areas, such as
> process lists and listening TCP/UDP ports.
>
> Currently I run a script to compare the current list of Windows server
> processes to the previous week's baseline. Basically it reports any new
> processes that were not present the week before (based on the md5sum of the
> process's image path).
>
> Seems like this sort of anomaly detection would fall under
> syscheck/rootcheck, but syscheck is for system files only (not command
> output, such as a process listing), and while rootcheck can look for specific
> "known bad/good" patterns, it doesn't seem to support baselining and anomaly
> detection.
>
> I also considered "manual process monitoring"
> (http://www.ossec.net/main/manual/manual-process-monitoring/), but again only
> pattern matching for known values is supported, and the frequency of these
> checks doesn't appear customizable.
>
> Any ideas?
> d.
>
> NOTICE: The information contained in this e-mail and any attachments is
> intended solely for the recipient(s) named above, and may be confidential and
> legally privileged. If you received this e-mail in error, please notify the
> sender immediately by return e-mail and delete the original message and any
> copy of it from your computer system. If you are not the intended recipient,
> you are hereby notified that any review, disclosure, retransmission,
> dissemination, distribution, copying, or other use of this e-mail, or any of
> its contents, is strictly prohibited.
>
> Although this e-mail and any attachments are believed to be free of any virus
> or other defects, it is the responsibility of the recipient to ensure that it
> is virus-free and no responsibility is accepted by the sender for any loss or
> damage arising if such a virus or defect exists.
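To make the suggested combination concrete, here is an added configuration example (not from this thread and not the OSSEC project's own sample config). The agent side runs a process listing and a listening-port listing on a schedule through the manual process monitoring `<localfile>` entries; the server side has local rules that chain off the stock rule 530 (which matches every `ossec: output:` event) and use `<check_diff />` so an alert fires only when the command output differs from the last copy OSSEC stored. The exact commands, the rule ids 100100 and 100101, the `<frequency>` values, and the assumption that your OSSEC version accepts `<frequency>` in `<localfile>` are all mine; adjust them to your agents.

```xml
<!-- Agent side: ossec.conf (or centralized agent.conf) on the monitored Windows host.
     Added example with assumed values, not the project's default configuration. -->
<ossec_config>
  <localfile>
    <!-- full_command sends the whole output as one event, so the rule below
         diffs the entire listing instead of line by line -->
    <log_format>full_command</log_format>
    <!-- Emit only stable fields (executable paths, sorted) so that check_diff
         does not fire on PID or memory-usage churn between runs.
         Assumed: the agent runs the command through cmd.exe, so the pipe works. -->
    <command>wmic process get ExecutablePath | sort</command>
    <!-- Assumed: re-run once a day (seconds); pick your own baseline cadence -->
    <frequency>86400</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <!-- Keep only listening TCP sockets and UDP sockets; including ESTABLISHED
         connections would make every run differ from the previous one -->
    <command>netstat -an | findstr "LISTENING UDP"</command>
    <frequency>3600</frequency>
  </localfile>
</ossec_config>

<!-- Server side: rules/local_rules.xml on the OSSEC manager.
     Added example; rule ids in the 100000+ local range are assumptions. -->
<group name="local,process_monitoring,">
  <rule id="100100" level="7">
    <!-- 530 is the stock OSSEC rule that matches "ossec: output:" events -->
    <if_sid>530</if_sid>
    <!-- The match must quote the command exactly as written in <command> -->
    <match>ossec: output: 'wmic process get ExecutablePath | sort'</match>
    <!-- Alert only when the output differs from the previously stored output -->
    <check_diff />
    <description>Process list changed (new or missing executable path).</description>
  </rule>

  <rule id="100101" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -an | findstr "LISTENING UDP"'</match>
    <check_diff />
    <description>Listening TCP/UDP ports changed.</description>
  </rule>
</group>
```

Two practical points. First, `check_diff` is a plain text comparison of the stored output, so the command itself has to be made deterministic (filter out PIDs, counters, and ordering noise as above), otherwise every run becomes an alert and the baseline is meaningless. Second, this only tells you that the set of running images or open ports changed, not that a binary was replaced in place; the md5-of-image-path check from the original script is better covered by pointing syscheck at the directories those executables live in, so the two mechanisms complement each other rather than overlap.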
