On Mon, Sep 5, 2011 at 2:54 PM, dan (ddp) <[email protected]> wrote:
> On Wed, Aug 17, 2011 at 5:22 AM, Demmy Adeyemo
> <[email protected]> wrote:
>> Hi Dan
>>
>> Thanks for your reply. On the OSSEC manual it says the value specified
>> in the frequency tag is in seconds, so I assumed 120 should be about 2
>> minutes. From my logs, it shows that it takes less than a minute for
>> it to run:
>>
>> 2011/08/11 12:33:57 ossec-agent: INFO: Starting rootcheck scan.
>>
>> 2011/08/11 12:34:04 ossec-agent: INFO: Ending rootcheck scan.
>>
>> 2011/08/11 12:39:05 ossec-agent: INFO: Starting rootcheck scan.
>>
>> 2011/08/11 12:39:10 ossec-agent: INFO: Ending rootcheck scan.
>>
>> 2011/08/11 12:44:13 ossec-agent: INFO: Starting rootcheck scan.
>>
>> 2011/08/11 12:44:35 ossec-agent: INFO: Ending rootcheck scan.
>>
>> As shown, even at <frequency>120</frequency> it runs every 5 minutes.
>>
>> How does OSSEC calculate the frequency cycle? Can I possibly alter
>> that file to decrease the frequency cycle
>> OR
>>
>> How else can I make OSSEC monitor an alert on prohibited Windows
>> applications running in real time?
>>
>> Thanks in advance
>>
>
> I don't know how to do this. The OSSEC code is open source, so you can
> try to figure out how to make it run quicker.
>
Thinking about it for another second, there's probably a way to audit for executables that are run on a Windows system. Creating a rule to look for that audit log message and filtering on the allowed applications might be a way to get around the problems above.
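The approach sketched in the reply above, as an added worked example that is not part of the thread or of the OSSEC project: Windows can audit process creation (Security event ID 4688 on Vista/2008 and later, 592 on older releases, once "Audit Process Creation" is enabled), and a rule can then flag any created process whose path is outside an allowlist of permitted directories. The log lines below are constructed, and their layout only imitates how an agent might forward an event-log record; the exact format, the field names and the allowed directories are assumptions, not OSSEC's real eventlog format or rule syntax.

```python
"""
Allowlist check over Windows process-creation audit events.

Added example, not code from the OSSEC project or from the thread.
The sample records are constructed and the line layout is an assumption.
"""
import ntpath
import re

# Event IDs for "A new process has been created": 4688 (Vista/2008+), 592 (older).
PROCESS_CREATED_IDS = {"4688", "592"}

# Constructed allowlist (assumption): everything under these directories is permitted.
ALLOWED_DIRS = ["C:\\Windows\\", "C:\\Program Files\\"]

# Constructed sample lines (not real logs); the layout is an assumption.
SAMPLE_LOG = """\
2011 Aug 17 05:10:01 WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: DEMMY: CORP: WS01: A new process has been created. New Process Name: C:\\Windows\\System32\\notepad.exe
2011 Aug 17 05:10:07 WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: DEMMY: CORP: WS01: A new process has been created. New Process Name: C:\\Users\\demmy\\Downloads\\utorrent.exe
2011 Aug 17 05:10:09 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: DEMMY: CORP: WS01: An account was successfully logged on.
2011 Aug 17 05:10:12 WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: SYSTEM: NT AUTHORITY: WS01: A new process has been created. New Process Name: C:\\Program Files\\OSSEC\\ossec-agent.exe
"""

# Assumed record layout: timestamp, channel, AUDIT_x(id), source, user, domain, host, message.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: Security: "
    r"AUDIT_\w+\((?P<event_id>\d+)\): [^:]+: (?P<user>[^:]+): (?P<domain>[^:]+): "
    r"(?P<host>[^:]+): (?P<message>.*)$"
)
PROCESS_RE = re.compile(r"New Process Name:\s*(?P<path>.+?)\s*$")


def _norm(path: str) -> str:
    """Canonicalise a Windows path: strip quotes, lower-case (NTFS is case-insensitive),
    and collapse '..' segments so a traversal cannot masquerade as an allowed directory."""
    return ntpath.normpath(path.strip().strip('"').lower())


def is_allowed(path: str, allowed_dirs=ALLOWED_DIRS) -> bool:
    """True if the executable lives under one of the allowed directories.
    The prefix always ends with a separator so C:\\Windows2\\ does not match C:\\Windows\\."""
    norm = _norm(path)
    for directory in allowed_dirs:
        prefix = _norm(directory).rstrip("\\") + "\\"
        if norm.startswith(prefix):
            return True
    return False


def parse_event(line: str):
    """Parse one forwarded event-log line into a dict, or None if it is not a
    process-creation record in the assumed layout."""
    m = EVENT_RE.match(line)
    if not m or m.group("event_id") not in PROCESS_CREATED_IDS:
        return None
    p = PROCESS_RE.search(m.group("message"))
    if not p:
        return None
    return {
        "ts": m.group("ts"),
        "user": m.group("user"),
        "domain": m.group("domain"),
        "host": m.group("host"),
        "path": p.group("path"),
    }


def find_prohibited(log_text: str, allowed_dirs=ALLOWED_DIRS):
    """Return every process-creation event whose executable is outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event and not is_allowed(event["path"], allowed_dirs):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for event in find_prohibited(SAMPLE_LOG):
        print(f"{event['ts']} {event['host']} {event['domain']}\\{event['user']} "
              f"started prohibited executable: {event['path']}")
```

Run on the constructed sample, only the process launched from the user's Downloads folder is reported; the notepad and agent launches fall under allowed directories, and the logon event (4624) is ignored because it is not a process-creation record. Two details matter for an allowlist like this: the comparison must be case-insensitive and path-normalised, since Windows paths are, and the directory prefix must end with a separator, otherwise a sibling directory with a longer name would be accepted by accident. Because these audit records are written as the process starts, a rule on them fires within seconds, which is the "real time" behaviour the rootcheck frequency setting could not provide.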
