Thanks. As I read in the ossec doc, realtime option is only for directories. But I'll check it. :)
On Thursday, May 2, 2013 9:21:42 PM UTC+5:30, dan (ddpbsd) wrote:
> On Thu, May 2, 2013 at 11:39 AM, Ruwan Geeganage <[email protected]> wrote:
> > I'm not sure whether it works real time.
> > I also want to know that.
> > and I also want to configure it if it's possible.
>
> Add the realtime option to your windows_registry setting. See if it
> works. Report back.
>
> > Because for my work, registry modification alerts are critical
> >
> > On Thursday, May 2, 2013 7:34:09 PM UTC+5:30, dan (ddpbsd) wrote:
> >>
> >> On Thu, May 2, 2013 at 10:01 AM, Ruwan Geeganage <[email protected]> wrote:
> >> > I have added the following rule to /var/ossec/rules.
> >> >
> >> > <rule id="150000" level="9">
> >> >   <category>ossec</category>
> >> >   <match>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</match>
> >> >   <decoded_as>syscheck_integrity_changed</decoded_as>
> >> >   <description>Registry Modified</description>
> >> >   <group>syscheck,</group>
> >> > </rule>
> >> >
> >> > and I restarted the ossec server by /etc/init.d/ossec restart
> >> >
> >> > But I'm not getting real time alert (as soon as registry entry modified).
> >> > Please help..
> >>
> >> Are you sure registry checks work in real time? How do you have it
> >> configured?
> >>
> >> > On Thursday, May 2, 2013 9:06:52 AM UTC+5:30, Ruwan Geeganage wrote:
> >> >>
> >> >> Thanks I'll try those options.
> >> >>
> >> >> Thanks a lot..
> >> >>
> >> >> On Thursday, May 2, 2013 5:45:31 AM UTC+5:30, lostinthetubez wrote:
> >> >>>
> >> >>> Look at the realtime option for syscheck:
> >> >>> http://www.ossec.net/doc/manual/syscheck/
> >> >>>
> >> >>> I also recommend turning auto_ignore off, so you will continue to be
> >> >>> notified after the 3rd change detection. Stick
> >> >>> <auto_ignore>no</auto_ignore>
> >> >>> into the syscheck portion of your ossec.conf.
> >> >>>
> >> >>> You might also wish to look at the do_not_delay email option:
> >> >>> http://www.ossec.net/doc/syntax/head_ossec_config.email_alerts.html
> >> >>>
> >> >>> No idea about OSSIM. I don't use it.
> >> >>>
> >> >>> From: [email protected] [mailto:[email protected]] On Behalf Of Ruwan Geeganage
> >> >>> Sent: Wednesday, May 01, 2013 9:33 AM
> >> >>> To: [email protected]
> >> >>> Subject: Re: [ossec-list] OSSEC windows agent - Registry modification alerts
> >> >>>
> >> >>> Hi
> >> >>>
> >> >>> Thanks for the quick reply.
> >> >>>
> >> >>> I want to get informed as soon as the registry modification has been done.
> >> >>>
> >> >>> Can I get these notifications by applying your modification?
> >> >>>
> >> >>> How can I do this in OSSIM?
> >> >>>
> >> >>> What correlation directive should I use?
> >> >>>
> >> >>> Thank you so much
> >> >>>
> >> >>> On Wednesday, May 1, 2013 9:03:14 PM UTC+5:30, lostinthetubez wrote:
> >> >>>
> >> >>> The last OSSEC release made all registry changes drop below the default
> >> >>> email threshold, even useful ones like this. Add something to
> >> >>> local_rules.xml to selectively elevate the Level, like this:
> >> >>>
> >> >>> <rule id="110000" level="10">
> >> >>>   <if_sid>594</if_sid>
> >> >>>   <match>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</match>
> >> >>>   <description>A change has been made to the software that
> >> >>>   automatically runs at startup.</description>
> >> >>> </rule>
> >> >>>
> >> >>> From: [email protected] [mailto:[email protected]] On Behalf Of Ruwan Geeganage
> >> >>> Sent: Wednesday, May 01, 2013 8:05 AM
> >> >>> To: [email protected]
> >> >>> Subject: [ossec-list] OSSEC windows agent - Registry modification alerts
> >> >>>
> >> >>> I have installed OSSEC agent in my windows PC.
> >> >>>
> >> >>> I want to get alerts when any program or person adds new entries to the
> >> >>> following registry entry
> >> >>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> >> >>>
> >> >>> I check the ossec.conf in windows agent. It has the particular entry. But
> >> >>> I'm not getting any real time alerts.
> >> >>>
> >> >>> Please help

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
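The level-elevation rule from lostinthetubez's reply and the stock rule 594 it hooks into, worked through as an added example (not OSSEC's code and not from anyone in the thread): a small Python model of `<if_sid>`/`<match>` chaining run over constructed syscheck events. The 550/594 parent rules are approximated, the event strings are constructed, and `<match>` is reduced to a plain substring test.

```python
"""Added example, not OSSEC's code: a minimal model of analysisd's <if_sid>/<match>
rule chaining, showing why the local_rules.xml rule from the thread lifts Run-key
changes above the default email threshold while other registry changes stay at 5."""
import xml.etree.ElementTree as ET

# Constructed stand-in for the stock 550 -> 594 chain in ossec_rules.xml.
BASE_RULES = """<group name="syscheck">
  <rule id="550" level="7"><description>Integrity checksum changed.</description></rule>
  <rule id="594" level="5"><if_sid>550</if_sid><match>Registry Integrity Checksum Changed</match>
    <description>Registry Integrity Checksum Changed</description></rule></group>"""
# The rule posted in the thread, as it would sit in local_rules.xml.
LOCAL_RULES = r"""<group name="local,syscheck,">
  <rule id="110000" level="10"><if_sid>594</if_sid>
    <match>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</match>
    <description>A change has been made to the software that automatically runs at
    startup.</description></rule></group>"""
EMAIL_ALERT_LEVEL = 7  # OSSEC's default <email_alert_level>

def load_rules(*docs):
    """Flatten the rule XML into {id: {level, parent, match}}."""
    rules = {}
    for doc in docs:
        for r in ET.fromstring(doc).iter("rule"):
            rules[r.get("id")] = dict(level=int(r.get("level")),
                                      parent=r.findtext("if_sid"),
                                      match=r.findtext("match") or "")
    return rules

def evaluate(rules, full_log):
    """Start at the root rule (no <if_sid>) and descend through children whose
    <match> occurs in the event; the deepest matching rule wins, as in OSSEC.
    Returns (rule id, level, whether the default email threshold is reached)."""
    current = next(rid for rid, r in rules.items() if r["parent"] is None)
    while True:
        kids = [rid for rid, r in rules.items()
                if r["parent"] == current and r["match"] in full_log]
        if not kids:
            level = rules[current]["level"]
            return current, level, level >= EMAIL_ALERT_LEVEL
        current = kids[0]

def triage(events):
    rules = load_rules(BASE_RULES, LOCAL_RULES)
    return [evaluate(rules, ev) for ev in events]

# Constructed full_log strings in the shape the thread's rules match against.
EVENTS = [
    r"Registry Integrity Checksum Changed for: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'",
    r"Registry Integrity Checksum Changed for: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'",
    r"Registry Integrity Checksum Changed for: 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt'",
    "Integrity checksum changed for: '/etc/passwd'",
]
```

Note that the substring match also fires for the RunOnce key, while a change elsewhere in the registry stays at level 5 and never reaches the default email threshold.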
