On Mon, Oct 29, 2012 at 3:31 PM, Tom OBrion <[email protected]> wrote:
> Couple of questions to make sure I have my head wrapped around this thing.
>
> If I want to centrally manage agents I create:
> /var/ossec/etc/shared/agent.conf
> on the ossec server
>
> I can control it by the agentname in this file if I want to be more specific
> for each agent?
>

Correct: http://ossec.net/doc/manual/agent/agent-configuration.html

> So now let's say I want to monitor some run keys in current user. I add
>
> <windows_registry>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
>
> to the Registry entries. Now I would need to create a rule in the
> local_rules.xml specific to the run key I want to know changes with?

I don't think so. The generic syscheck rules should take care of this.

> I suspect this is a snapshot in time and then you check difference? Maybe
> have it check every 24 hours or something. Meaning you can not create rules
> based on registry changes in real time?
>
> Could I do it similar to the USB storage check with checkdiff?
>

You could do it this way, but not from agent.conf. commands and full_commands
have been disabled from the agent.conf. You can enable it on the agent in the
internal_options.conf if you'd like though.

> <agent_config os="windows">
>   <localfile>
>     <log_format>full_command</log_format>
>     <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
>   </localfile>
> </agent_config>
>
> Next create a local rule for that command:
>
> <rule id="140125" level="7">
>   <if_sid>530</if_sid>
>   <match>ossec: output: 'reg QUERY</match>
>   <check_diff />
>   <description>New USB device connected</description>
> </rule>
>
> So in the ossec.conf or agent.conf
>
> <agent_config os="windows">
>   <localfile>
>     <log_format>full_command</log_format>
>     <command>reg QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run</command>
>   </localfile>
> </agent_config>
>
> Then in local_rules.xml
>
> <rule id="140125" level="7">
>   <if_sid>530</if_sid>
>   <match>ossec: output: 'reg QUERY</match>

I prefer to use an <alias> in the localfile configuration and match on that
instead. That may just be my preference though.

>   <check_diff />
>   <description>New Run Key in HK Current User created</description>
> </rule>
>
> Or am I all wet and there is a better way,
>
> Again be easy on me I am a noob!
>
> Thanks
>
> Tom
>
> --
> Tom O'Brion
> Twitter: @tobrion
> Skype: TomOBrion
>
> "Life is too short to spend time with people who suck the happy out of you."
>
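The full chain the thread sketches, written out as an added example (not code from the original post or from the OSSEC project): the centrally pushed agent.conf with both the syscheck registry entries and an aliased full_command, and the matching rule in local_rules.xml. The agent name win-workstation-01, the alias hklm-run-keys, the 600-second poll interval and the rule id 100100 are assumptions chosen for the example (100000-119999 is the id range OSSEC reserves for local rules, which the 140125 used above falls outside of). The command block only takes effect once logcollector.remote_commands=1 is set in internal_options.conf on that agent, as the reply notes. One caveat on the HKCU key in the original snippet: the Windows agent runs as a service under LocalSystem, so HKEY_CURRENT_USER resolves to that account's hive rather than the logged-on user's; to watch a particular user's Run key, address it as HKEY_USERS\<that user's SID>\Software\Microsoft\Windows\CurrentVersion\Run instead. The example therefore watches the machine-wide HKLM keys.

```xml
<!-- /var/ossec/etc/shared/agent.conf on the OSSEC server, pushed to every agent.
     Added example; names, interval and rule id are assumptions (see lead-in). -->

<!-- Applies to every Windows agent: the machine-wide autorun keys go into
     syscheck. This is scan based (syscheck <frequency>, default 79200 s),
     so changes surface on the next scan, not in real time. The stock
     syscheck registry rules alert on added, changed and deleted entries. -->
<agent_config os="windows">
  <syscheck>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
  </syscheck>
</agent_config>

<!-- Applies only to the named agent (name is an assumption): poll the Run key
     every 600 s with reg QUERY and tag the output with an alias so the rule
     matches the alias rather than the command text.
     On that agent, internal_options.conf must contain:
         logcollector.remote_commands=1
     otherwise the logcollector ignores command/full_command from agent.conf. -->
<agent_config name="win-workstation-01">
  <localfile>
    <log_format>full_command</log_format>
    <command>reg QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Run</command>
    <alias>hklm-run-keys</alias>
    <frequency>600</frequency>
  </localfile>
</agent_config>

<!-- /var/ossec/etc/rules/local_rules.xml on the server.
     Rule 530 is the stock parent for "ossec: output: " command lines; with an
     alias the line reads "ossec: output: 'hklm-run-keys': ...", so matching on
     the alias is stable even if the command text is later edited.
     check_diff fires only when the command output differs from the stored
     previous output, i.e. when an autorun entry is added, removed or changed. -->
<group name="local,syscheck,registry,">
  <rule id="100100" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'hklm-run-keys'</match>
    <check_diff />
    <description>HKLM Run key contents changed (autorun entry added, removed or modified)</description>
  </rule>
</group>
```

After editing agent.conf, the server's agent.conf is picked up by agents on their next keep-alive and they restart syscheck/logcollector with the new settings; the rule change needs a restart of ossec-analysisd on the server (ossec-control restart). The syscheck entries and the full_command are complementary: syscheck gives the per-value add/change/delete detail on its scan cycle, while the aliased full_command with check_diff gives a faster poll at the cost of a coarser "something in this key changed" alert.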
