OSSEC-- File integrity check??

125 views
Skip to first unread message

Robert5156

unread,
Aug 1, 2007, 5:11:09โ€ฏPM8/1/07
to ossec-list
I installed server on fedora and an agent on windows XP sp2 system.
Everything is working fine except when i test the file integrity
checking, it is not reporting any new files created.
It is reporting any content changes of existing files ,but not new
files. Can any one look at the config files and let me know what is
wrong.


Below is the ossec.conf file on the server and ossec.conf file
contents of XP client agent.
______________________________Linux Server ossec.conf
file___________________
<ossec_config>
<ossec_config>
<global>
<email_notification>yes</email_notification>
<email_to>EMAIL</email_to>
<smtp_server>SERVER NAME</smtp_server>
<email_from>ossecm@SERVERNAME</email_from>
<integrity_checking>6</integrity_checking>
</global>

<rules>
<include>rules_config.xml</include>
<include>pam_rules.xml</include>
<include>sshd_rules.xml</include>
<include>telnetd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>arpwatch_rules.xml</include>
<include>symantec-av_rules.xml</include>
<include>pix_rules.xml</include>
<include>named_rules.xml</include>
<include>smbd_rules.xml</include>
<include>vsftpd_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>ms_ftpd_rules.xml</include>
<include>hordeimp_rules.xml</include>
<include>vpopmail_rules.xml</include>
<include>web_rules.xml</include>
<include>apache_rules.xml</include>
<include>ids_rules.xml</include>
<include>squid_rules.xml</include>
<include>firewall_rules.xml</include>
<include>netscreenfw_rules.xml</include>
<include>postfix_rules.xml</include>
<include>sendmail_rules.xml</include>
<include>imapd_rules.xml</include>
<include>mailscanner_rules.xml</include>
<include>ms-exchange_rules.xml</include>
<include>racoon_rules.xml</include>
<include>vpn_concentrator_rules.xml</include>
<include>spamd_rules.xml</include>
<include>msauth_rules.xml</include>
<!-- <include>policy_rules.xml</include> -->
<include>attack_rules.xml</include>
<include>zeus_rules.xml</include>
<include>ossec_rules.xml</include>
<include>local_rules.xml</include>
</rules>

<syscheck>
<!-- Frequency that syscheck is executed - default to every 6
hours -->
<frequency>600</frequency>

<!-- Directories to check (perform all possible verifications) --
>
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<directories check_all="yes">C:\WINDOWS</directories>
<alert_new_files>yes</alert_new_files>
<auto_ignore>no</auto_ignore>

<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>

<!-- Windows files to ignore -->
<ignore>C:\WINDOWS/System32/LogFiles</ignore>
<ignore>C:\WINDOWS/Debug</ignore>
<ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
<ignore>C:\WINDOWS/iis6.log</ignore>
<ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
<ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
<ignore>C:\WINDOWS/Prefetch</ignore>
<ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
<ignore>C:\WINDOWS/SoftwareDistribution</ignore>
<ignore>C:\WINDOWS/Temp</ignore>
<ignore>C:\WINDOWS/system32/config</ignore>
<ignore>C:\WINDOWS/system32/spool</ignore>
<ignore>C:\WINDOWS/system32/CatRoot</ignore>
</syscheck>

<rootcheck>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</
rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</
rootkit_trojans>
</rootcheck>

<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>7</email_alert_level>
</alerts>
________________________--END _________________________________

Below is the XP-client agent's ossec.conf file contents.

__________________________________XP_client config____________________
<ossec_config>
<client>
<!-- IP address of the Ossec HIDS server -->
<server-ip>serverIP</server-ip>
</client>

<!-- Updated syscheck config -->
<ossec_config>
<syscheck>
<frequency>600</frequency>
<alert_new_files>yes</alert_new_files>
<directories check_all="yes">C:\WINDOWS</directories>
<ignore>C:\WINDOWS/System32/LogFiles</ignore>
<ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
<ignore>C:\WINDOWS/Prefetch</ignore>
<ignore>C:\WINDOWS/Debug</ignore>
<ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
<ignore>C:\WINDOWS/SoftwareDistribution</ignore>
<ignore>C:\WINDOWS/Temp</ignore>
<ignore>C:\WINDOWS/SchedLgU.Txt</ignore>
<ignore>C:\WINDOWS/system32/config</ignore>
<ignore>C:\WINDOWS/system32/CatRoot</ignore>
<ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
<ignore>C:\WINDOWS/LastGood.Tmp</ignore>
<ignore>C:\WINDOWS/LastGood</ignore>
<ignore>C:\WINDOWS/Help</ignore>
<ignore>C:\WINDOWS/Fonts</ignore>
<ignore>C:\WINDOWS/PCHEALTH</ignore>
<ignore>C:\WINDOWS/system32/dllcache</ignore>
<ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$</ignore>
</syscheck>
</ossec_config>
_______________________END_______END_______

Any help is appreciated.

Robert5156

unread,
Aug 2, 2007, 6:50:53โ€ฏPM8/2/07
to ossec-list
I browsed the osses-list but i have not found the answer to my problem
yet.
Any help is appreciated.

Daniel Cid

unread,
Aug 2, 2007, 10:08:45โ€ฏPM8/2/07
to ossec...@googlegroups.com
Hi Robert,

Did you restart the server after adding the
"<alert_new_files>yes</alert_new_files>"
entry? Also, take a look at this post that explains a bit more about
the alert_new_files
option:

http://www.ossec.net/ossec-list/2007-May/msg00005.html

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

Robert5156

unread,
Aug 3, 2007, 11:30:48โ€ฏAM8/3/07
to ossec-list
Daniel,
Thank you for responding and for the OSSEC software. I am new to OSSEC
and i am trying to learn this software to replace our existing
tripwire.
I did restart the server and xp client agents and also rebooted both
the systems.
I increased the frequency from 600 to 7200sec which is enough time to
scan windows directory.Still no luck.I am running ver 1.2
Below are my updated ossec.conf files of server and xp client.The
ossec.log file says that it is monitoring the windows directory.But
ossec is only reporting files which i modified the content for.It is
still not reporting new files added.Help.
My config files are the default files with the addition of these 2
lines of code

<alert_new_files>yes</alert_new_files>
<auto_ignore>no</auto_ignore>

Is there anything wrong with the above code or the loction i declared
them or the sequence to use inside the ossec.conf file.

_____XP CLIENT OSSEC.CONF FILE______________________________

<!-- Agent Example Configuration -->

<!-- First, change the server-ip to the IP of your OSSEC HIDS server.
-->

<!-- Second, add any extra file that you may want to monitor. -->


<ossec_config>
<client>
<!-- IP address of the Ossec HIDS server -->

<server-ip>SERVER IP</server-ip>
</client>

<!-- One entry for each file to monitor -->
<localfile>
<location>Application</location>
<log_format>eventlog</log_format>
</localfile>

<localfile>
<location>Security</location>
<log_format>eventlog</log_format>
</localfile>

<localfile>
<location>System</location>
<log_format>eventlog</log_format>
</localfile>
</ossec_config>

<!-- Updated syscheck config -->

<ossec_config>

<syscheck>

<frequency>7200</frequency>
<alert_new_files>yes</alert_new_files>
<directories check_all="yes">C:\windows</directories>

<ignore>C:\WINDOWS/System32/LogFiles</ignore>

<ignore>C:\WINDOWS/system32/wbem/Logs</ignore>

<ignore>C:\WINDOWS/Prefetch</ignore>

<ignore>C:\WINDOWS/Debug</ignore>

<ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>

<ignore>C:\WINDOWS/SoftwareDistribution</ignore>

<ignore>C:\WINDOWS/Temp</ignore>

<ignore>C:\WINDOWS/SchedLgU.Txt</ignore>

<ignore>C:\WINDOWS/system32/config</ignore>

<ignore>C:\WINDOWS/system32/CatRoot</ignore>

<ignore>C:\WINDOWS/system32/wbem/Repository</ignore>

<ignore>C:\WINDOWS/LastGood.Tmp</ignore>

<ignore>C:\WINDOWS/LastGood</ignore>

<ignore>C:\WINDOWS/Help</ignore>

<ignore>C:\WINDOWS/Fonts</ignore>

<ignore>C:\WINDOWS/PCHEALTH</ignore>

<ignore>C:\WINDOWS/system32/dllcache</ignore>

<ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$</ignore>

</syscheck>

</ossec_config>

<!-- Syscheck registry config -->

<ossec_config>

<syscheck>

<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes</
windows_registry>

<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft</
windows_registry>

<windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</
windows_registry>

<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet
\Control</windows_registry>

<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet
\Services</windows_registry>

<windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>

</syscheck>

</ossec_config>

<!-- Syscheck registry ignored entries (too big or change too often) --
>

<ossec_config>

<syscheck>

<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\Installer\UserData</registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\Group Policy\State</registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\WindowsUpdate</registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\Internet Settings\Cache</registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography
\RNG</registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth
\PchSvc</registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Dfrg</
registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM</
registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc</
registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\DirectDraw</
registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Direct3D</
registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\COM3</
registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT
\CurrentVersion\ProfileList</registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT
\CurrentVersion\Prefetcher</registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Interface</
registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\TypeLib</
registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\MIME</
registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Software</
registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\CLSID</
registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</
registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account
\Users</registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet
\Control\DeviceClasses</registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet
\Control\Watchdog</registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet
\Control\MediaCategories</registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet
\Control\Windows</registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet
\Control\hivelist</registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet
\Control\ServiceCurrent</registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet
\Control\Print</registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet
\Control\Session Manager</registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet
\Services\Eventlog</registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet
\Services\RemoteAccess\Performance</registry_ignore>

<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet
\Services\W32Time\TimeProviders\NtpClient</registry_ignore>

<registry_ignore type="sregex">\Enum$</registry_ignore>

</syscheck>

</ossec_config>

_______________END OF CLIENT CONFIG FILE_____________

_________________Contents of Server ossec.conf
file______________________

<ossec_config>
<global>
<email_notification>yes</email_notification>

<email_to>email address</email_to>
<smtp_server>server name</smtp_server>
<email_from>ossecm@servername</email_from>
</global>

<frequency>7200</frequency>

<!-- Directories to check (perform all possible verifications) --
>
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>

<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
</global>

<remote>
<connection>secure</connection>
</remote>

<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>7</email_alert_level>
</alerts>

<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>

<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>

<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>

<command>
<name>route-null</name>
<executable>route-null.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>


<!-- Active Response Config -->
<active-response>
<!-- This response is going to execute the host-deny
- command for every event that fires a rule with
- level (severity) >= 6.
- The IP is going to be blocked for 600 seconds.
-->
<command>host-deny</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>

<active-response>
<!-- Firewall Drop response. Block the IP for
- 600 seconds on the firewall (iptables,
- ipfilter, etc).
-->
<command>firewall-drop</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>

<!-- Files to monitor (localfiles) -->

<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/var/log/maillog</location>
</localfile>

<localfile>
<log_format>apache</log_format>
<location>/var/log/httpd/error_log</location>
</localfile>

<localfile>
<log_format>apache</log_format>
<location>/var/log/httpd/access_log</location>
</localfile>

<localfile>
<log_format>apache</log_format>
<location>/etc/httpd/logs/access_log</location>
</localfile>

<localfile>
<log_format>apache</log_format>
<location>/etc/httpd/logs/error_log</location>
</localfile>
</ossec_config>
________________end of server ossec.conf file____________________


Would appreciate your help.
Thank you
Robert

On Aug 2, 8:08 pm, "Daniel Cid" <daniel....@gmail.com> wrote:
> Hi Robert,
>
> Did you restart the server after adding the
> "<alert_new_files>yes</alert_new_files>"
> entry? Also, take a look at this post that explains a bit more about
> the alert_new_files
> option:
>
> http://www.ossec.net/ossec-list/2007-May/msg00005.html
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>

Robert5156

unread,
Aug 6, 2007, 3:59:14โ€ฏPM8/6/07
to ossec-list
Can anybody please respond with a working config which is reporting
new files?

I tried everyting in can.I am lost.Help Help please.

> ...
>
> read more ยป

Reply all
Reply to author
Forward
0 new messages