Thanks. 
As I read in the OSSEC doc, the realtime option is only for directories.
But I'll check it. :)




On Thursday, May 2, 2013 9:21:42 PM UTC+5:30, dan (ddpbsd) wrote:
>
> On Thu, May 2, 2013 at 11:39 AM, Ruwan Geeganage <[email protected]> wrote: 
> > I'm not sure whether it works in real time. 
> > I also want to know that. 
> > And I also want to configure it if it's possible. 
>
> Add the realtime option to your windows_registry setting. See if it 
> works. Report back. 
>
> > Because for my work, registry modification alerts are critical 
> > 
> > On Thursday, May 2, 2013 7:34:09 PM UTC+5:30, dan (ddpbsd) wrote: 
> >> 
> >> On Thu, May 2, 2013 at 10:01 AM, Ruwan Geeganage <[email protected]> wrote: 
> >> > I have added the following rule to /var/ossec/rules. 
> >> > 
> >> >     <rule id="150000" level="9"> 
> >> >       <category>ossec</category> 
> >> >       <match>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</match> 
> >> >       <decoded_as>syscheck_integrity_changed</decoded_as> 
> >> >       <description>Registry Modified</description> 
> >> >       <group>syscheck,</group> 
> >> >     </rule> 
> >> > and I restarted the OSSEC server with /etc/init.d/ossec restart 
> >> > 
> >> > 
> >> > But I'm not getting a real-time alert (as soon as the registry entry is modified). 
> >> > Please help.. 
> >> > 
> >> 
> >> Are you sure registry checks work in real time? How do you have it configured? 
> >> 
> >> > 
> >> > On Thursday, May 2, 2013 9:06:52 AM UTC+5:30, Ruwan Geeganage wrote: 
> >> >> 
> >> >> Thanks I'll try those options. 
> >> >> 
> >> >> Thanks a lot.. 
> >> >> 
> >> >> On Thursday, May 2, 2013 5:45:31 AM UTC+5:30, lostinthetubez wrote: 
> >> >>> 
> >> >>> Look at the realtime option for syscheck: 
> >> >>> http://www.ossec.net/doc/manual/syscheck/ 
> >> >>> 
> >> >>> I also recommend turning auto_ignore off, so you will continue to be 
> >> >>> notified after the 3rd change detection. Stick 
> >> >>> <auto_ignore>no</auto_ignore> 
> >> >>> into the syscheck portion of your ossec.conf. 
> >> >>> 
> >> >>> 
> >> >>> 
> >> >>> You might also wish to look at the do_not_delay email option: 
> >> >>> http://www.ossec.net/doc/syntax/head_ossec_config.email_alerts.html 
> >> >>> 
> >> >>> 
> >> >>> 
> >> >>> No idea about OSSIM. I don’t use it. 
> >> >>> 
> >> >>> 
> >> >>> 
> >> >>> From: [email protected] [mailto:[email protected]] On Behalf Of Ruwan Geeganage 
> >> >>> Sent: Wednesday, May 01, 2013 9:33 AM 
> >> >>> To: [email protected] 
> >> >>> Subject: Re: [ossec-list] OSSEC windows agent - Registry modification alerts 
> >> >>> 
> >> >>> 
> >> >>> 
> >> >>> Hi 
> >> >>> 
> >> >>> Thanks for the quick reply. 
> >> >>> 
> >> >>> 
> >> >>> 
> >> >>> I want to be informed as soon as the registry modification has been done. 
> >> >>> 
> >> >>> 
> >> >>> 
> >> >>> Can I get these notifications by applying your modification? 
> >> >>> 
> >> >>> 
> >> >>> 
> >> >>> How can I do this in OSSIM? 
> >> >>> 
> >> >>> What correlation directive should I use? 
> >> >>> 
> >> >>> 
> >> >>> 
> >> >>> Thank you so much 
> >> >>> 
> >> >>> On Wednesday, May 1, 2013 9:03:14 PM UTC+5:30, lostinthetubez wrote: 
> >> >>> 
> >> >>> The last OSSEC release made all registry changes drop below the default 
> >> >>> email threshold, even useful ones like this. Add something to 
> >> >>> local_rules.xml to selectively elevate the Level, like this: 
> >> >>> 
> >> >>> 
> >> >>> 
> >> >>> <rule id="110000" level="10"> 
> >> >>>   <if_sid>594</if_sid> 
> >> >>>   <match>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</match> 
> >> >>>   <description>A change has been made to the software that automatically runs at startup.</description> 
> >> >>> </rule> 
> >> >>> 
> >> >>> 
> >> >>> 
> >> >>> From: [email protected] [mailto:[email protected]] On Behalf Of Ruwan Geeganage 
> >> >>> Sent: Wednesday, May 01, 2013 8:05 AM 
> >> >>> To: [email protected] 
> >> >>> Subject: [ossec-list] OSSEC windows agent - Registry modification alerts 
> >> >>> 
> >> >>> 
> >> >>> 
> >> >>> I have installed the OSSEC agent on my Windows PC. 
> >> >>> 
> >> >>> I want to get alerts when any program or person adds new entries to the 
> >> >>> following registry key: 
> >> >>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 
> >> >>> 
> >> >>> I checked the ossec.conf in the Windows agent. It has the particular entry. 
> >> >>> But I'm not getting any real-time alerts. 
> >> >>> 
> >> >>> Please help 
> >> >>> 
> >> >>> -- 
> >> >>> 
> >> >>> --- 
> >> >>> You received this message because you are subscribed to the Google Groups 
> >> >>> "ossec-list" group. 
> >> >>> To unsubscribe from this group and stop receiving emails from it, send an 
> >> >>> email to [email protected]. 
> >> >>> For more options, visit https://groups.google.com/groups/opt_out. 
> >> >>> 
> >> >>> 
> >> >>> 
> >> >>> 
> >> >>> 
> >> > 
> >> > 
> >> > 
> > 
> > 
> > 
>

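To make the two pieces of advice in this thread concrete, here is an added model (not the thread's code and not OSSEC's own implementation) of how stock rule 594 plus the local rule 110000 lift a Run-key change over the email threshold, and how auto_ignore silences a key after its third change. The email_alert_level of 7, the level 5 of rule 594, the alert message shape and the sample keys are assumptions or constructed values.

```python
from collections import Counter

# Assumed OSSEC defaults for this model: email_alert_level 7, rule 594 at level 5.
EMAIL_LEVEL = 7
RUN_KEY = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

RULES = {
    # Stock OSSEC rule for registry checksum changes (below the email threshold).
    594: {"level": 5, "description": "Registry Integrity Checksum Changed"},
    # The local rule posted in the thread: raise the level only for the Run key.
    110000: {"level": 10, "if_sid": 594, "match": RUN_KEY,
             "description": "A change has been made to the software that "
                            "automatically runs at startup."},
}

HKLM = "HKEY_LOCAL_MACHINE"
RUN = HKLM + RUN_KEY
UNINSTALL = HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"


def syscheck_msg(key):
    """Constructed registry alert text, shaped like OSSEC's syscheck messages."""
    return f"Integrity checksum changed for: '{key}'"


# Constructed stream: four changes to the Run key, one to an unrelated key.
EVENTS = [syscheck_msg(k) for k in (RUN, UNINSTALL, RUN, RUN, RUN)]


def classify(message):
    """Rule 594 fires for every registry change; child rule 110000 overrides the
    level when the key matches, mirroring <if_sid> plus a literal <match>."""
    sid, level = 594, RULES[594]["level"]
    child = RULES[110000]
    if child["if_sid"] == sid and child["match"] in message:
        sid, level = 110000, child["level"]
    return sid, level


def process(messages, auto_ignore=True):
    """Run messages through the rule chain. With auto_ignore on (the assumed
    default), a key that already changed three times is dropped afterwards;
    that is the suppression <auto_ignore>no</auto_ignore> disables."""
    changes, alerts = Counter(), []
    for msg in messages:
        key = msg.split("'")[1]
        changes[key] += 1
        if auto_ignore and changes[key] > 3:
            continue
        sid, level = classify(msg)
        alerts.append({"key": key, "rule": sid, "level": level,
                       "emailed": level >= EMAIL_LEVEL})
    return alerts
```

Running `process(EVENTS, auto_ignore=False)` yields five alerts, the Run-key ones at level 10 and the Uninstall one still at level 5, while the default drops the fourth Run-key change entirely.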