Still see this issue as of this date for various registry exclusions using 
the OS = Windows option in agent.conf from ossec server. 


On Monday, January 6, 2014 at 2:53:51 PM UTC-6, BP9906 wrote:
>
> I've tried many variations and it doesn't seem to help. I did notice that 
> with windows debug = 2, I don't see anything about the windows agent being 
> aware of the registry ignores. I'm not sure if the issue is the reading of 
> the agent.conf or just not processing the regex against the syscheck 
> results. When the entry is in ossec.conf, it works fine. My agent.conf file 
> is pretty big where I have different ossec_agent stanzas for different 
> hostnames. Could it be that windows agents don't fully parse the whole 
> agent.conf file? 
>
> Any other suggestions? 
>
> On Thursday, November 7, 2013 3:45:18 PM UTC-6, BP9906 wrote:
>>
>> So apparently having it like this in ossec.conf worked. I remember trying 
>> it before on agent.conf, so I'm going to try it again to see if it works 
>> there, and remove it from ossec.conf. 
>>
>>     <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVEX15</registry_ignore>
>>     <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVENG</registry_ignore>
>>
>>
>> On Thursday, November 7, 2013 6:54:49 AM UTC-8, dan (ddpbsd) wrote:
>>>
>>> On Thu, Nov 7, 2013 at 12:59 AM, BP9906 <[email protected]> wrote: 
>>> > I take it all back. Sorry. 
>>> > I didn't wait for a definition update. I ran another syscheck on the 
>>> > same box as earlier and it showed up again. :( 
>>> > 
>>> >     <registry_ignore type="sregex">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVEX15</registry_ignore>
>>> >     <registry_ignore type="sregex">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVENG</registry_ignore>
>>> > 
>>> > 2013 Nov 06 21:21:53,4 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVENG 
>>> > 2013 Nov 06 21:21:53,4 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVEX15 
>>> > 
>>> > What do you suggest now? 
>>> > 
>>>
>>> Since you're not using any simple regex, try those entries without the 
>>> type being specified. 
>>> Other than that, I imagine tracking down the issue in the code is your 
>>> best bet. I don't have any Windows systems to test with, and I've 
>>> never gotten the Windows compilation to work. 
>>> Oh, and you can open a ticket in the bitbucket 
>>> https://bitbucket.org/jbcheng/ossec-hids 
>>>
>>> > On Wednesday, November 6, 2013 4:47:59 PM UTC-8, BP9906 wrote: 
>>> >> 
>>> >> It appears a copy-paste into ossec.conf on the local agent is successful. 
>>> >> I cannot get any feedback from those regkeys using ./bin/syscheck_control -r -i <id> 
>>> >> So what do I do now? 
>>> >> 
>>> >> On Tuesday, November 5, 2013 8:32:40 AM UTC-8, dan (ddpbsd) wrote: 
>>> >>> 
>>> >>> On Mon, Nov 4, 2013 at 4:31 PM, BP9906 <[email protected]> wrote: 
>>> >>> > I'm trying to exclude Symantec registry keys from being checked 
>>> >>> > because they change with every definition change. 
>>> >>> > 
>>> >>> > Any idea why this isn't working? I tried with and without sregex 
>>> >>> > and using the caret "^" in front and nothing seems to take. 
>>> >>> > I'm not using profiles, I just have a blanket <agent_config os="Windows"> 
>>> >>> > 
>>> >>> 
>>> >>> Does it work if you put it in the ossec.conf? 
>>> >>> 
>>> >>> > Thank you for your help and/or suggestions to try. 
>>> >>> > 
>>> >>> >     <registry_ignore type="sregex">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IDSxpx86</registry_ignore>
>>> >>> >     <registry_ignore type="sregex">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BHDrvx64</registry_ignore>
>>> >>> >     <registry_ignore type="sregex">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BHDrvx86</registry_ignore>
>>> >>> >     <registry_ignore type="sregex">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVEX15</registry_ignore>
>>> >>> >     <registry_ignore type="sregex">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVENG</registry_ignore>
>>> >>> >     <registry_ignore type="sregex">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IDSVia64</registry_ignore>
>>> >>> >     <registry_ignore type="sregex">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ccSettings_</registry_ignore>
>>> >>> > 
>>> >>> > 
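As an added example (not from the thread or the OSSEC project), a small Python model of how the two `<registry_ignore>` forms behave, so entries like the ones quoted above can be checked offline against `syscheck_control`-style output before they are pushed out in agent.conf. It assumes that a plain entry must equal the whole key path (compared case-insensitively, as Windows treats key names) and that `type="sregex"` uses only `^`, `$` and `|` as metacharacters; the config fragment and output lines are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed agent.conf fragment in the shape the thread shows: one plain
# entry and one type="sregex" entry anchored with '^' to ignore a key prefix.
AGENT_CONF = """<agent_config os="Windows">
  <syscheck>
    <registry_ignore>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NAVEX15</registry_ignore>
    <registry_ignore type="sregex">^HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\ccSettings_</registry_ignore>
  </syscheck>
</agent_config>"""

# Constructed lines in the "syscheck_control -r -i <id>" format quoted in the thread.
SYSCHECK_OUTPUT = """2013 Nov 06 21:21:53,4 - HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NAVENG
2013 Nov 06 21:21:53,4 - HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NAVEX15
2013 Nov 06 21:21:53,4 - HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\ccSettings_42"""

def parse_ignores(conf_xml):
    """Return (type, value) pairs for every <registry_ignore>; type is None when omitted."""
    root = ET.fromstring(conf_xml)
    return [(el.get("type"), el.text.strip()) for el in root.iter("registry_ignore")]

def sregex_to_python(pattern):
    """Model of OSSEC sregex (assumption): '|' separates alternatives, '^'/'$' anchor one, rest is literal."""
    alts = []
    for alt in pattern.split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        lit = alt[1:] if start else alt
        lit = lit[:-1] if end else lit
        alts.append(("^" if start else "") + re.escape(lit) + ("$" if end else ""))
    return re.compile("|".join(alts), re.IGNORECASE)

def ignored_by(key_path, ignores):
    """Return the ignore entry that suppresses key_path, or None (plain entries must match the whole path)."""
    for kind, value in ignores:
        if kind == "sregex":
            if sregex_to_python(value).search(key_path):
                return value
        elif key_path.lower() == value.lower():
            return value
    return None

def parse_syscheck_output(text):
    """Pull the key path out of each '<timestamp>,<n> - <key>' line."""
    return [line.partition(" - ")[2].strip() for line in text.splitlines() if " - " in line]

def unsuppressed(conf_xml, output_text):
    """Keys that would still raise syscheck alerts under the given ignores."""
    ignores = parse_ignores(conf_xml)
    return [k for k in parse_syscheck_output(output_text) if ignored_by(k, ignores) is None]
```

Under this model the plain `ccSettings_` entry from the thread never matches `ccSettings_42`, which is why a prefix exclusion needs the `^`-anchored sregex form rather than a bare entry.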
