If you want an OSSEC fork with this built-in, I believe Wazuh has this, as well 
as integration with VirusTotal.

https://documentation.wazuh.com/current/user-manual/capabilities/osquery.html?highlight=osquery

Thanks,
Pat

From: <[email protected]> on behalf of "[email protected]" 
<[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, February 28, 2019 at 10:23 AM
To: ossec-list <[email protected]>
Subject: [ossec-list] Re: How to Get System Information using Agent in Ossec?

Actually, there is a solution for this, but it is a separate package that has 
to be installed and configured. It is called OSQUERY and can be found here:

https://osquery.io/

OSQUERY is open source under the Apache license. Like OSSEC, it runs on almost 
every platform. It can provide a HUGE amount of information about the client 
system. It was developed by Facebook as an asset management subsystem and uses 
its own structured query language for pulling data from clients. There are 
several third-party modules that have been developed for it as well, including 
an installer and auto-updater (Kolide launcher). The Kolide tool for 
auto-updating might be a good model for building a tool to auto-update OSSEC 
someday too.

We have been looking at integrating OSQUERY with OSSEC for a while. The easiest 
way to do this would be to build a separate encrypted communication channel 
between the OSSEC server and OSQUERY. I will submit a pull request if we work 
all the details out for full integration. We are working on a PCI DSS compliant 
port monitoring tool for OSSEC right now that we will submit on a separate pull 
request when it is done. If anyone is interested, I will be at the OSSEC 
conference on March 20th.

Best,

Dave Stoddard
Network Alarm Corporation
--

---
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

