On Thu, Jan 24, 2013 at 8:36 AM, George Ehrhorn <ehr...@gmail.com> wrote:
> I now have
>
> -rw-r-----. 1 ossec ossec 1.9M Jan 24 04:13 (rosie) 192.168.56.55->syscheck
> -rw-r--r--. 1 ossec ossec 515K Jan 23 15:40 (rosie) 192.168.56.55->syscheck-registry
>
> Now when I run syscheck control again I get:
>
> ./syscheck_control -r -i 003
>
> Integrity changes for 'Windows Registry' of agent 'rosie (003) - 192.168.56.55':
>
> Changes for 2013 Jan 21:
> 2013 Jan 21 16:28:43,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cdrom\Parameters\Wdf
> 2013 Jan 21 16:28:43,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf
> 2013 Jan 21 16:28:46,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus\Parameters\Wdf
> 2013 Jan 21 16:28:46,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm\Parameters\Wdf
> 2013 Jan 21 16:28:46,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
> 2013 Jan 21 16:28:46,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor\Parameters\Wdf
> 2013 Jan 21 16:28:46,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msisadrv\Parameters\Wdf
> 2013 Jan 21 16:28:46,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mssmbios\Data
> 2013 Jan 21 16:28:47,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PEAUTH\Parameters\Wdf
> 2013 Jan 21 16:28:48,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch
> 2013 Jan 21 16:28:48,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch2
> 2013 Jan 21 16:28:49,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{52CBCC65-4924-4C76-8CAB-663395DADE0B}
> 2013 Jan 21 16:28:49,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\umbus\Parameters\Wdf
> 2013 Jan 21 16:28:49,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vdrvroot\Parameters\Wdf
> 2013 Jan 21 16:28:49,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap
> 2013 Jan 21 18:36:32,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{52CBCC65-4924-4C76-8CAB-663395DADE0B}
> 2013 Jan 21 20:44:17,2 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{52CBCC65-4924-4C76-8CAB-663395DADE0B}
> 2013 Jan 21 22:52:07,3 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{52CBCC65-4924-4C76-8CAB-663395DADE0B}
>
> Changes for 2013 Jan 23:
> 2013 Jan 23 09:16:47,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cdrom\Parameters\Wdf
> 2013 Jan 23 09:16:47,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf
> 2013 Jan 23 09:16:49,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus\Parameters\Wdf
> 2013 Jan 23 09:16:49,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm\Parameters\Wdf
> 2013 Jan 23 09:16:50,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
> 2013 Jan 23 09:16:50,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor\Parameters\Wdf
> 2013 Jan 23 09:16:50,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msisadrv\Parameters\Wdf
> 2013 Jan 23 09:16:50,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mssmbios\Data
> 2013 Jan 23 09:16:50,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PEAUTH\Parameters\Wdf
> 2013 Jan 23 09:16:52,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch
> 2013 Jan 23 09:16:52,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch2
> 2013 Jan 23 09:16:53,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\umbus\Parameters\Wdf
> 2013 Jan 23 09:16:53,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vdrvroot\Parameters\Wdf
> 2013 Jan 23 09:16:53,0 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap
> 2013 Jan 23 13:32:22,2 - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap
>
> This is encouraging. However, it's not picking up on the changes I've made
> to the Run or RunOnce keys. In /var/ossec/queue/syscheck I can look at
>
> +++0:0:0:0:80640fadf76929bd834b1db57d81b3da:38a54bd36626485510f2c69212497bc371aaccf0 !1358973626 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> +++0:0:0:0:378cac70f45abb5b68ee3ec8fe61ce05:48d95e62dcb381b85cb580b967a1dea4b474fd29 !1358973631 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Test
>
> Both of those epoch values correspond to yesterday afternoon. This is when I
> changed them, but I'm not getting an alert listed when I run
> syscheck_control -r -i 003
>
Were they already in the db when you made the changes? I don't use the
Windows agent, so I can't test it or anything, but I don't think new
entries will trigger alerts.
> Thanks,
> George
>
> On Wednesday, January 23, 2013 10:20:37 PM UTC-5, Jb Cheng wrote:
>>
>> The file under queue/syscheck has size 0. This is not normal.
>> -rw-r--r--. 1 ossec ossec 0 Jan 21 13:26 (rosie) 192.168.56.55->syscheck-registry
>>
>> A typical Windows agent with syscheck enabled should have many entries in
>> this file.
>> What is the size of the other syscheck file, (rosie) 192.168.56.55->syscheck?
>>
>>
>> On Monday, January 21, 2013 11:49:07 AM UTC-8, George Ehrhorn wrote:
>>>
>>> Testing OSSEC 2.7 on Win2k8. I have file integrity checking working. I'm
>>> working on testing changes to registry keys. In my ossec.conf
>>> (http://pastebin.com/NR8UKt6B) I have:
>>>
>>>
>>> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
>>>
>>> When Ossec runs I see:
>>>
>>> 2013/01/21 14:00:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'.
>>>
>>> My workflow to test it is:
>>>
>>> Start OSSEC agent, let it send all data to the server.
>>> I've made two changes to this key: added a dword to that path and added
>>> a subkey (http://imgur.com/K1yR95c).
>>> Restart OSSEC agent from manage agent, let it send all data to the
>>> server.
>>>
>>> In the server I see:
>>>
>>> [root@skinner /var/ossec/bin]
>>> 158# ./syscheck_control -r -i 003
>>>
>>> Integrity changes for 'Windows Registry' of agent 'rosie (003) - 192.168.56.55':
>>>
>>> ** No entries found.
>>>
>>> My syscheck-registry file in /var/ossec/queue/syscheck for the "rosie"
>>> agent shows:
>>>
>>> -rw-r--r--. 1 ossec ossec 0 Jan 21 13:26 (rosie) 192.168.56.55->syscheck-registry
>>>
>>> So there are no entries.
>>>
>>> Should the changes I made be recognized as changes by OSSEC? If yes,
>>> where should I look next for what may be going wrong?
>>>
>>> Thanks,
>>> George
>>>
>>> (Sorry for the repeat messages. I can't make a post with files attached).
>
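As an added example (not from the thread and not OSSEC's own code), here is a small Python parser for the rows George pasted from /var/ossec/queue/syscheck: it groups rows by registry path and reports whether a path has only its first-seen `+++` row (which is what both of George's rows are, and why `syscheck_control -r` has no change to list) or a later row with a different checksum. The third sample row is constructed, and the assumption that a recorded change shows up as a further `checksum !epoch path` row for the same path is mine, not something the thread states.

```python
import re
from collections import defaultdict

# Row format seen in /var/ossec/queue/syscheck/<agent> in the thread:
#   [+++]size:perm:uid:gid:md5:sha1 !epoch path
# "+++" is on the row written when the path was first recorded in the database.
ENTRY_RE = re.compile(
    r"^(?P<new>\+\+\+)?"
    r"(?P<size>\d+):(?P<perm>\d+):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<md5>[0-9a-f]{32}):(?P<sha1>[0-9a-f]{40})"
    r" !(?P<epoch>\d+) (?P<path>.+)$"
)

# Constructed sample: rows 1-2 are copied from the thread; row 3 is invented
# (assumed shape of a later row recording a change to RunOnce\Test).
SAMPLE_DB_LINES = [
    r"+++0:0:0:0:80640fadf76929bd834b1db57d81b3da:38a54bd36626485510f2c69212497bc371aaccf0 !1358973626 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"+++0:0:0:0:378cac70f45abb5b68ee3ec8fe61ce05:48d95e62dcb381b85cb580b967a1dea4b474fd29 !1358973631 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Test",
    r"0:0:0:0:0123456789abcdef0123456789abcdef:0123456789abcdef0123456789abcdef01234567 !1359060000 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Test",
]

def parse_entry(line):
    """Parse one database row into a dict; None for rows that do not match."""
    m = ENTRY_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    entry = m.groupdict()
    entry["new"] = entry["new"] is not None  # True when the row carries "+++"
    entry["epoch"] = int(entry["epoch"])
    return entry

def summarize(lines):
    """Per path: 'baseline-only' (just its +++ row, so syscheck_control -r has
    nothing to list), 'changed' (later row with other md5/sha1), else 'unchanged'."""
    by_path = defaultdict(list)
    for line in lines:
        entry = parse_entry(line)
        if entry is not None:
            by_path[entry["path"]].append(entry)
    report = {}
    for path, entries in by_path.items():
        entries.sort(key=lambda e: e["epoch"])
        first = entries[0]
        changed = any((e["md5"], e["sha1"]) != (first["md5"], first["sha1"]) for e in entries[1:])
        if changed:
            report[path] = "changed"
        else:
            report[path] = "baseline-only" if len(entries) == 1 and first["new"] else "unchanged"
    return report
```

Running `summarize` over the real queue file (one row per line) shows at a glance which monitored keys have never had a change recorded since the agent's first run.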