Hello fellow googlers,
The GOAL: For every user on my windows OSSEC agent, generate OSSEC alert severity 10 when new file added to C:\Users/*/%AppData%/Local/Temp directory Where star was supposed to be the wildcard place holder to instruct OSSEC to mean ANY user The Attempt & RESULTS: In an effort to get OSSEC to generate an alert upon new file created in %AppData% I have conducted the following steps. http://ossec-docs.readthedocs.io/en/latest/faq/syscheck.html#why-aren-t-new-files-creating-an-alert Why aren’t new files creating an alert? <http://ossec-docs.readthedocs.io/en/latest/faq/syscheck.html#id8> By default OSSEC does not alert on new files. To enable this functionality, <alert_new_files> must be set to yes inside the <syscheck> section of the manager’s ossec.conf. Also, the rule to alert on new files (rule 554) is set to level 0 by default. The alert level will need to be raised in order to see the alert. Alerting on new files does not work in realtime, a full scan will be necessary to detect them. Add the following to local_rules.xml: *<rule* id="554" level="10" overwrite="yes"*>* *<category>*ossec*</category>* *<decoded_as>*syscheck_new_entry*</decoded_as>* *<description>*File added to the system.*</description>* *<group>*syscheck,*</group>* *</rule>* The <alert_new_files> entry should look something like this: *<syscheck>* *<frequency>*7200*</frequency>* *<alert_new_files>*yes*</alert_new_files>* *<directories* check_all="yes"*>*/etc,/bin,/sbin*</directories>* *</syscheck>* In my OSSEC environment, I have a CENTos (current build) host for my OSSEC manager. I also have windows OS host for my OSSEC agent (agent id=001). To test the agent.conf setup of OSSEC I have on the OSSEC Manger host two configuration files, both the original ossec.conf file located @ directory var/ossec/etc/ as well as the agent.conf file located @ directory var/ossec/etc/shared. I have made the <alert_new_files> entry in both these configuration files. As well as add rule id 554 to local_rules.xml as depicted above from OSSEC documentation. To confirm settings are correct I ran logtest without error. Additionally, I preformed the following self-checks: - Confirmed level=”10” for rule id 554 in local_rules.xml AND - On OSSEC Manager inside the ossec.conf file that setting for alert threshold was set to alert on level>=1 - Md5sum on Manager = on Agent copy of agent.conf - Reduced frequency to 60 for troubleshooting/testing create new file feature. - create new file in directory %AppData% ‘test.txt’ - No immediate result, additionally let sit and wait for 24hrs to ensure syscheck could run multiple times. - Result new file ‘test.txt’ was not alerted on. To arrive at this conclusion, I inspected the following results: - nano /var/ossec/logs/alerts/alerts.log - I can see .nix directories are firing for rule id 554. However, no %AppData% windows file creation detected. - /var/ossec/bin/agent_control -i 001 - /var/ossec/bin/agent_control -r -u 001 - /var/ossec/bin/syscheck_control -u 001 - OUTPUT - ** Integrity check database updated. - /var/ossec/bin/syscheck_control -i 001 - OUTPUT - Integrity changes for agent 'WinBox (001) - 192.168.0.2': - ** No entries found. - ls /var/ossec/queue/diff - No entries for Windows agent - nano /var/ossec/logs/alerts/alerts.log - I am able to see entries for rule id 554 on .nix localhost /tmp test efforts for 554. Other windows content is present such as authentication logs and registry edits. Additionally,I can get C:\Temp new file creation to detect but not any new file alerts for the %AppData%. - ls /var/ossec/queue/syscheck/ - I can see the text files I was testing with from C:\Temp but no %AppData% content. >From the above I gather that my test new file creations are being detected and alerted on my localhost. However, the syntax or other issue appears to be causing problems such that the %AppData% directory is not being properly monitored by syscheck as was the case for the C:\Temp directory for example. I am hoping for some guidance on how I go about testing the alert on new file creation for windows OS %AppData% directory. Such as how to confirm windows agent is detecting the new file created, and that the Master OSSEC is receiving this event from the windows agent correctly, then Master OSSEC is alerting on new file detection by rule 554 properly. The other threads discussing %AppData% indicate attention to syntax for adding directory entry into the ossec.conf file is important step but do not provide guidance into the proper syntax for such cases like wildcard use. Please let me know if any additional details are required to assist with my request. Any help or guidance is much appreciated. Cheers, Henry -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
