Couple of questions to make sure I have my head wrapped around this thing.

If I want to centrally manage agents I create:
/var/ossec/etc/shared/agent.conf
on the ossec server

I can control it by the agent name in this file if I want to be more
specific for each agent?

So now let's say I want to monitor some Run keys in current user.  I add

<windows_registry>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>

to the Registry entries.  Now I would need to create a rule in
local_rules.xml specific to the Run key whose changes I want to know about?  I
suspect this is a snapshot in time and then you check the difference?  Maybe
have it check every 24 hours or something.  Meaning you cannot create
rules based on registry changes in real time?

Could I do it similar to the USB storage check with check_diff?

<agent_config os="windows">
    <localfile>
        <log_format>full_command</log_format>
        <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
    </localfile>
</agent_config>

Next create a local rule for that command:

<rule id="140125" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</match>
    <check_diff />
    <description>New USB device connected</description>
</rule>

So in ossec.conf or agent.conf:

<agent_config os="windows">
    <localfile>
        <log_format>full_command</log_format>
        <command>reg QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run</command>
    </localfile>
</agent_config>

Then in local_rules.xml:

<!-- Needs its own id (140125 is already taken by the USB rule above) and a
     match that names the Run key, otherwise both reg QUERY outputs hit the
     same rule and share one check_diff baseline. -->
<rule id="140126" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'reg QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run</match>
    <check_diff />
    <description>New Run key value in HKEY_CURRENT_USER created</description>
</rule>

Or am I all wet and is there a better way?


Again, be easy on me, I am a noob!

Thanks

Tom


-- 
Tom O'Brion
Twitter: @tobrion
Skype: TomOBrion

"Life is too short to spend time with people who suck the happy out of you."
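The post asks whether a full_command plus check_diff is "a snapshot in time and then you check the difference". That is essentially how check_diff works: OSSEC keeps the last output it saw for each agent and rule (under queue/diff/ on the server) and only fires the rule when a new output differs from that saved copy, so it is polling, not a real-time hook. The Python model below, added here as an illustration and not code from the OSSEC project or from Tom's post, runs constructed `reg QUERY` output for the HKCU Run key through a check_diff-style rule and shows the sequence you get: the first snapshot becomes the baseline, unchanged snapshots are silent, a new autorun value raises exactly one alert, and the next identical snapshot is silent again. The parsed added/removed/changed breakdown is an addition of this model (OSSEC's alert just carries the raw output); rule id 140126, the agent names and the registry values are arbitrary, and treating the very first snapshot as a silent baseline is an assumption. One caveat worth keeping in mind for the real deployment: the agent runs as a service, so `reg QUERY HKCU` inside a full_command reads that service account's hive, not the desktop user's; to watch interactive users you would query `HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Run` per user instead.

```python
"""Model of how an OSSEC check_diff rule behaves against the output of a
full_command `reg QUERY` on a Run key.

Added example, not code from the OSSEC project or from the original post.
Rule id 140126 and the agent names are arbitrary; the `reg QUERY` outputs
are constructed to follow the layout the real command prints.
"""
import re
from typing import Dict, Optional, Tuple

RegEntry = Tuple[str, str]  # (REG_* type, data)

# One value per line in `reg QUERY <key>` output:
#     <name>    <REG_type>    <data>
# Columns are separated by runs of spaces; a value name may itself contain
# single spaces, so split on two-or-more spaces rather than on any whitespace.
_ENTRY_RE = re.compile(
    r"^\s{2,}(?P<name>\S.*?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")


def parse_reg_query(output: str) -> Dict[str, RegEntry]:
    """Return {value_name: (type, data)} from the text `reg QUERY` prints."""
    entries: Dict[str, RegEntry] = {}
    for line in output.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries[m.group("name")] = (m.group("type"), m.group("data").rstrip())
    return entries


def diff_snapshots(old: Dict[str, RegEntry], new: Dict[str, RegEntry]) -> Dict[str, dict]:
    """Classify the difference between two parsed snapshots."""
    return {
        "added":   {k: new[k] for k in new if k not in old},
        "removed": {k: old[k] for k in old if k not in new},
        "changed": {k: (old[k], new[k]) for k in new if k in old and old[k] != new[k]},
    }


class CheckDiffRule:
    """Per-agent 'last output' store, modelling how check_diff keeps one saved
    copy per agent and rule and fires only when new output differs from it.
    Treating the very first output as a silent baseline is an assumption."""

    def __init__(self, rule_id: int, level: int, description: str) -> None:
        self.rule_id, self.level, self.description = rule_id, level, description
        self._last: Dict[str, str] = {}

    def evaluate(self, agent: str, output: str) -> Optional[dict]:
        current = output.strip()
        previous = self._last.get(agent)
        self._last[agent] = current
        if previous is None or previous == current:
            return None  # baseline or no change: nothing to alert on
        return {
            "rule_id": self.rule_id,
            "level": self.level,
            "agent": agent,
            "description": self.description,
            **diff_snapshots(parse_reg_query(previous), parse_reg_query(current)),
        }


# Constructed `reg QUERY HKCU\...\Run` outputs: a clean baseline, then the same
# key after something dropped a new autorun value into it.
BASELINE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\tom\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

WITH_NEW_VALUE = BASELINE.rstrip("\n") + "\n" + \
    r"    Updater    REG_SZ    C:\Users\tom\AppData\Roaming\svc\update.exe" + "\n"


def run_demo() -> list:
    """Feed one agent's snapshots through the rule in the order OSSEC would see
    them and return the alerts raised (expected: exactly one, for 'Updater')."""
    rule = CheckDiffRule(140126, 7, "New value in HKCU Run key")
    alerts = []
    for agent, output in [("WIN-TOM", BASELINE),         # first sight: baseline
                          ("WIN-TOM", BASELINE),         # unchanged: silent
                          ("WIN-TOM", WITH_NEW_VALUE),   # new value: alert
                          ("WIN-TOM", WITH_NEW_VALUE)]:  # settled: silent again
        alert = rule.evaluate(agent, output)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(f"rule {a['rule_id']} level {a['level']} on {a['agent']}: {a['description']}")
        for name, (typ, data) in a["added"].items():
            print(f"  added {name} ({typ}) = {data}")
```

The poll interval is whatever the agent's command-log frequency is, so the detection latency is "next poll", and a value that is added and removed between two polls is never seen; that is the gap real-time registry monitoring would close, and the model above makes it visible by only ever comparing consecutive snapshots.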
