I now have

-rw-r-----. 1 ossec ossec 1.9M Jan 24 04:13 (rosie) 192.168.56.55->syscheck
-rw-r--r--. 1 ossec ossec 515K Jan 23 15:40 (rosie) 192.168.56.55->syscheck-registry

Now when I run syscheck_control again I get:

./syscheck_control -r -i 003

Integrity changes for 'Windows Registry' of agent 'rosie (003) - 192.168.56.55':

Changes for 2013 Jan 21:
2013 Jan 21 16:28:43,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cdrom\Parameters\Wdf
2013 Jan 21 16:28:43,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf
2013 Jan 21 16:28:46,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus\Parameters\Wdf
2013 Jan 21 16:28:46,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm\Parameters\Wdf
2013 Jan 21 16:28:46,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
2013 Jan 21 16:28:46,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor\Parameters\Wdf
2013 Jan 21 16:28:46,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msisadrv\Parameters\Wdf
2013 Jan 21 16:28:46,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mssmbios\Data
2013 Jan 21 16:28:47,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PEAUTH\Parameters\Wdf
2013 Jan 21 16:28:48,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch
2013 Jan 21 16:28:48,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch2
2013 Jan 21 16:28:49,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{52CBCC65-4924-4C76-8CAB-663395DADE0B}
2013 Jan 21 16:28:49,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\umbus\Parameters\Wdf
2013 Jan 21 16:28:49,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vdrvroot\Parameters\Wdf
2013 Jan 21 16:28:49,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap
2013 Jan 21 18:36:32,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{52CBCC65-4924-4C76-8CAB-663395DADE0B}
2013 Jan 21 20:44:17,2 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{52CBCC65-4924-4C76-8CAB-663395DADE0B}
2013 Jan 21 22:52:07,3 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{52CBCC65-4924-4C76-8CAB-663395DADE0B}

Changes for 2013 Jan 23:
2013 Jan 23 09:16:47,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cdrom\Parameters\Wdf
2013 Jan 23 09:16:47,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf
2013 Jan 23 09:16:49,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus\Parameters\Wdf
2013 Jan 23 09:16:49,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm\Parameters\Wdf
2013 Jan 23 09:16:50,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
2013 Jan 23 09:16:50,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor\Parameters\Wdf
2013 Jan 23 09:16:50,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msisadrv\Parameters\Wdf
2013 Jan 23 09:16:50,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mssmbios\Data
2013 Jan 23 09:16:50,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PEAUTH\Parameters\Wdf
2013 Jan 23 09:16:52,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch
2013 Jan 23 09:16:52,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch2
2013 Jan 23 09:16:53,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\umbus\Parameters\Wdf
2013 Jan 23 09:16:53,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vdrvroot\Parameters\Wdf
2013 Jan 23 09:16:53,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap
2013 Jan 23 13:32:22,2 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap

This is encouraging. However, it's not picking up on the changes I've made to the Run or RunOnce keys. In /var/ossec/queue/syscheck I can look at:

+++0:0:0:0:80640fadf76929bd834b1db57d81b3da:38a54bd36626485510f2c69212497bc371aaccf0 !1358973626 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
+++0:0:0:0:378cac70f45abb5b68ee3ec8fe61ce05:48d95e62dcb381b85cb580b967a1dea4b474fd29 !1358973631 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Test

Both of those epoch values correspond to yesterday afternoon. This is when I changed them, but I'm not getting an alert listed when I run `syscheck_control -r -i 003`.

Thanks,
George

On Wednesday, January 23, 2013 10:20:37 PM UTC-5, Jb Cheng wrote:
>
> The file under queue/syscheck has size 0. This is not normal.
> -rw-r--r--. 1 ossec ossec    0 Jan 21 13:26 (rosie) 192.168.56.55->syscheck-registry
>
> A typical Windows agent with syscheck enabled should have many entries in this file.
> What is the size of the other syscheck file, (rosie) 192.168.56.55->syscheck?
>
>
> On Monday, January 21, 2013 11:49:07 AM UTC-8, George Ehrhorn wrote:
>>
>> Testing OSSEC 2.7 on Win2k8. I have file integrity checking working. I'm working on testing changes to registry keys. In my ossec.conf (http://pastebin.com/NR8UKt6B) I have:
>>
>> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
>>
>> When Ossec runs I see:
>>
>> 2013/01/21 14:00:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'.
>>
>> My workflow to test it is:
>>
>>    1. Start OSSEC agent, let it send all data to the server.
>>    2. Make two changes to this key: add a dword to that path and add a subkey (http://imgur.com/K1yR95c).
>>    3. Restart OSSEC agent from manage agent, let it send all data to the server.
>> In the server I see:
>>
>> [root@skinner /var/ossec/bin]
>>  158# ./syscheck_control -r -i 003
>>
>> Integrity changes for 'Windows Registry' of agent 'rosie (003) - 192.168.56.55':
>>
>> ** No entries found.
>>
>> My syscheck-registry file in /var/ossec/queue/syscheck for the "rosie" agent shows:
>>
>> -rw-r--r--. 1 ossec ossec    0 Jan 21 13:26 (rosie) 192.168.56.55->syscheck-registry
>>
>> So there are no entries. 
>>
>> Should the changes I made be recognized as changes by OSSEC? If yes, where should I look next for what may be going wrong?
>>
>> Thanks,
>> George
>>
>> (Sorry for the repeat messages. I can't make a post with files attached).
>>
>
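The two records George pasted from /var/ossec/queue/syscheck are the raw form of what syscheck_control summarises. As an added example that is not part of this thread and not OSSEC's own code, the parser below reads records of the shape shown there, `<marker><size>:<perms>:<uid>:<gid>:<md5>:<sha1> !<epoch> <registry key>`, on one line each, converts the epoch to a UTC timestamp (so it can be checked against the mtime shown by `ls`), and diffs two snapshots of the file to find keys whose checksums changed. The three-character marker (`+++` in the thread) is kept verbatim and not interpreted; the second snapshot and its checksums are constructed for the demonstration.

```python
"""Parse OSSEC syscheck-registry queue records and diff two snapshots.

Added example, not OSSEC project code. Assumes each record is one line:
    <marker><size>:<perms>:<uid>:<gid>:<md5>:<sha1> !<epoch> <registry key>
as in the records pasted in the thread. The marker characters are stored
verbatim; their meaning is not decoded here.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: the two records from the thread, one per line.
SAMPLE_DB = (
    r"+++0:0:0:0:80640fadf76929bd834b1db57d81b3da:38a54bd36626485510f2c69212497bc371aaccf0"
    r" !1358973626 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" "\n"
    r"+++0:0:0:0:378cac70f45abb5b68ee3ec8fe61ce05:48d95e62dcb381b85cb580b967a1dea4b474fd29"
    r" !1358973631 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Test" "\n"
)

# Constructed later snapshot (hypothetical checksums and epoch): the RunOnce\Test
# key has new content, the Run key is unchanged.
SAMPLE_DB_LATER = (
    r"+++0:0:0:0:80640fadf76929bd834b1db57d81b3da:38a54bd36626485510f2c69212497bc371aaccf0"
    r" !1358973626 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" "\n"
    r"+++0:0:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709"
    r" !1359060031 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Test" "\n"
)

RECORD_RE = re.compile(
    r"^(?P<marker>.{3})"
    r"(?P<size>\d+):(?P<perms>\d+):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<md5>[0-9a-f]{32}):(?P<sha1>[0-9a-f]{40})"
    r" !(?P<epoch>\d+) (?P<path>.+)$"
)


@dataclass(frozen=True)
class RegistryRecord:
    marker: str
    size: int
    perms: int
    uid: int
    gid: int
    md5: str
    sha1: str
    mtime: datetime  # time the agent reported the entry, as UTC
    path: str

    @property
    def checksum(self) -> str:
        return f"{self.md5}:{self.sha1}"


def parse_record(line: str) -> RegistryRecord:
    """Parse one record line; raise ValueError on anything that does not match."""
    m = RECORD_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"unrecognised syscheck record: {line!r}")
    return RegistryRecord(
        marker=m["marker"],
        size=int(m["size"]), perms=int(m["perms"]),
        uid=int(m["uid"]), gid=int(m["gid"]),
        md5=m["md5"], sha1=m["sha1"],
        mtime=datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc),
        path=m["path"],
    )


def parse_db(text: str) -> list[RegistryRecord]:
    """Parse a whole syscheck-registry file, skipping blank lines."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def records_since(records: list[RegistryRecord], since_epoch: int) -> list[RegistryRecord]:
    """Records reported at or after the given Unix time (e.g. 'yesterday afternoon')."""
    return [r for r in records if r.mtime.timestamp() >= since_epoch]


def changed_keys(old: list[RegistryRecord], new: list[RegistryRecord]) -> dict[str, str]:
    """Diff two snapshots; maps each differing key to added / removed / modified.

    If a key appears more than once in a snapshot, the later record wins.
    """
    before = {r.path: r.checksum for r in old}
    after = {r.path: r.checksum for r in new}
    result: dict[str, str] = {}
    for path in before.keys() | after.keys():
        if path not in after:
            result[path] = "removed"
        elif path not in before:
            result[path] = "added"
        elif before[path] != after[path]:
            result[path] = "modified"
    return result


if __name__ == "__main__":
    for r in parse_db(SAMPLE_DB):
        print(f"{r.mtime:%Y-%m-%d %H:%M:%S} UTC  {r.md5}  {r.path}")
    changes = changed_keys(parse_db(SAMPLE_DB), parse_db(SAMPLE_DB_LATER))
    for path, status in sorted(changes.items()):
        print(f"{status:9} {path}")
```

Run against a real queue file, the timestamp column is the quickest way to confirm whether the agent reported a key after the change was made; the snapshot diff is what an operator can keep alongside syscheck_control when checking which monitored keys actually changed between two agent runs.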
