I've tried many variations and it doesn't seem to help. I did notice that with windows debug = 2, I don't see anything about the windows agent being aware of the registry ignores. I'm not sure if the issue is the reading of the agent.conf or just not processing the regex against the syscheck results. When the entry is in ossec.conf, it works fine. My agent.conf file is pretty big where I have different ossec_agent stanzas for different hostnames. Could it be that windows agents don't fully parse the whole agent.conf file?
Any other suggestions?

On Thursday, November 7, 2013 3:45:18 PM UTC-6, BP9906 wrote:
> So apparently having it like this in ossec.conf worked. I remember trying it before on agent.conf, so I'm going to try it again to see if it works there, and remove it from ossec.conf.
>
> <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVEX15</registry_ignore>
> <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVENG</registry_ignore>
>
> On Thursday, November 7, 2013 6:54:49 AM UTC-8, dan (ddpbsd) wrote:
>> On Thu, Nov 7, 2013 at 12:59 AM, BP9906 <[email protected]> wrote:
>> > I take it all back. Sorry.
>> > I didn't wait for a definition update. I ran another syscheck on the same box as earlier and it showed up again. :(
>> >
>> > <registry_ignore type="sregex">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVEX15</registry_ignore>
>> > <registry_ignore type="sregex">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVENG</registry_ignore>
>> >
>> > 2013 Nov 06 21:21:53,4 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVENG
>> > 2013 Nov 06 21:21:53,4 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVEX15
>> >
>> > What do you suggest now?
>> >
>>
>> Since you're not using any simple regex, try those entries without the type being specified.
>> Other than that, I imagine tracking down the issue in the code is your best bet. I don't have any Windows systems to test with, and I've never gotten the Windows compilation to work.
>> Oh, and you can open a ticket in the bitbucket
>> https://bitbucket.org/jbcheng/ossec-hids
>>
>> > On Wednesday, November 6, 2013 4:47:59 PM UTC-8, BP9906 wrote:
>> >> It appears a copy paste into ossec.conf on the local agent is successful.
>> >> I cannot get any feedback from those regkeys using ./bin/syscheck_control -r -i <id>
>> >> So what do I do now?
>> >>
>> >> On Tuesday, November 5, 2013 8:32:40 AM UTC-8, dan (ddpbsd) wrote:
>> >>> On Mon, Nov 4, 2013 at 4:31 PM, BP9906 <[email protected]> wrote:
>> >>> > I'm trying to exclude Symantec registry keys from being checked because they change with every definition change.
>> >>> >
>> >>> > Any idea why this isn't working? I tried with and without sregex and using the caret "^" in front and nothing seems to take.
>> >>> > I'm not using profiles, I just have a blanket <agent_config os="Windows">
>> >>> >
>> >>>
>> >>> Does it work if you put it in the ossec.conf?
>> >>>
>> >>> > Thank you for your help and/or suggestions to try.
>> >>> >
>> >>> > <registry_ignore type="sregex">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IDSxpx86</registry_ignore>
>> >>> > <registry_ignore type="sregex">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BHDrvx64</registry_ignore>
>> >>> > <registry_ignore type="sregex">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BHDrvx86</registry_ignore>
>> >>> > <registry_ignore type="sregex">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVEX15</registry_ignore>
>> >>> > <registry_ignore type="sregex">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVENG</registry_ignore>
>> >>> > <registry_ignore type="sregex">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IDSVia64</registry_ignore>
>> >>> > <registry_ignore type="sregex">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ccSettings_</registry_ignore>
>> >>> >
>> >>> > --
>> >>> > ---
>> >>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> >>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> >>> > For more options, visit https://groups.google.com/groups/opt_out.
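The thread leaves two hypotheses open: either the patterns never match the keys that syscheck reports, or the Windows agent never applies the registry_ignore entries from agent.conf at all. The following is an added example (not OSSEC's own code and not from the thread) that separates the two offline: it pulls the registry_ignore entries out of an agent_config fragment, takes the key paths from `syscheck_control -r -i <id>` output in the format shown above, and reports which entry would suppress each key. The matching rules it applies are an assumption about OSSEC's behaviour, stated in the docstring: a plain entry must equal the full key path (case-insensitive), while a `type="sregex"` entry follows OSSEC's simple-match rules (`^` anchors the start, `$` the end, `|` separates alternatives, anything else is a substring match). The config fragment and the syscheck lines are constructed sample input.

```python
"""Offline check: which syscheck registry_ignore entries would suppress which keys.

Added example, not OSSEC's own code. Matching rules below are an ASSUMPTION about
OSSEC behaviour (not confirmed by the thread):
  * entry without type="sregex": must equal the full key path, case-insensitive
  * entry with type="sregex"  : leading '^' anchors start, trailing '$' anchors end,
                                '|' separates alternatives, otherwise substring match
If every entry matches here but the agent still reports the key, the problem is in
config delivery/parsing on the agent, not in the pattern.
"""
import re

# Constructed agent_config fragment in the shape used in the thread.
AGENT_CONF = r"""
<agent_config os="Windows">
  <syscheck>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVEX15</registry_ignore>
    <registry_ignore type="sregex">\Services\NAVENG$</registry_ignore>
    <registry_ignore type="sregex">^HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IDS</registry_ignore>
  </syscheck>
</agent_config>
"""

# Constructed lines in the format of `syscheck_control -r -i <id>` quoted in the thread.
SYSCHECK_OUTPUT = r"""
2013 Nov 06 21:21:53,4 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVENG
2013 Nov 06 21:21:53,4 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVEX15
2013 Nov 06 21:21:53,4 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVEX15\Parameters
2013 Nov 06 21:21:53,4 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IDSVia64
2013 Nov 06 21:21:53,4 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip
"""

ENTRY_RE = re.compile(
    r'<registry_ignore(?:\s+type="(?P<type>[^"]*)")?\s*>(?P<pat>[^<]*)</registry_ignore>'
)


def parse_ignores(conf_text):
    """Return [(pattern, is_sregex), ...] for every registry_ignore element."""
    return [(m.group("pat").strip(), m.group("type") == "sregex")
            for m in ENTRY_RE.finditer(conf_text)]


def parse_syscheck(output):
    """Return the registry key paths from syscheck_control -r output lines."""
    keys = []
    for line in output.splitlines():
        line = line.strip()
        if " - " in line:
            keys.append(line.split(" - ", 1)[1])
    return keys


def sregex_match(pattern, text):
    """Assumed OSSEC simple-match semantics (see module docstring), case-insensitive."""
    text = text.lower()
    for alt in pattern.lower().split("|"):
        start_anchor = alt.startswith("^")
        end_anchor = alt.endswith("$")
        core = alt[1:] if start_anchor else alt
        core = core[:-1] if end_anchor else core
        if start_anchor and end_anchor:
            hit = text == core
        elif start_anchor:
            hit = text.startswith(core)
        elif end_anchor:
            hit = text.endswith(core)
        else:
            hit = core in text
        if hit:
            return True
    return False


def entry_matches(entry, key):
    """True if this ignore entry would suppress the given key under the assumed rules."""
    pattern, is_sregex = entry
    if is_sregex:
        return sregex_match(pattern, key)
    return pattern.lower() == key.lower()  # plain entry: exact key only, subkeys still reported


def ignored_keys(conf_text, output):
    """Map each reported key to the first ignore entry that suppresses it, or None."""
    ignores = parse_ignores(conf_text)
    result = {}
    for key in parse_syscheck(output):
        hit = next((e for e in ignores if entry_matches(e, key)), None)
        result[key] = hit[0] if hit else None
    return result


if __name__ == "__main__":
    for key, hit in ignored_keys(AGENT_CONF, SYSCHECK_OUTPUT).items():
        print(("ignored by %r" % hit) if hit else "NOT ignored", "-", key)
```

Run against the constructed input, the plain NAVEX15 entry suppresses the exact key but not its `\Parameters` subkey, the `$`-anchored entry catches NAVENG, and the `^`-anchored entry catches every key under `Services\IDS`; Tcpip is reported. If a real agent's `syscheck_control -r` output still lists keys this check marks as ignored, the entries are not reaching the agent (or not being parsed there), which is the agent.conf question raised at the top of the thread.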
