OSSEC 2.7.1 cannot integrity-check the Windows system32 directory


Ash Windy

Apr 28, 2014, 6:43:59 PM
to ossec...@googlegroups.com
Hi,
I have tried many times to get syscheck to detect Windows file changes, but it does not work well: it can monitor any directory except c:\windows\system32.

Test steps:
1. Use agent.conf to monitor c:\windows.
2. Enable the new-files alert on the OSSEC server.
3. Restart both and wait a long time, to make sure the initial syscheck scan has finished.
4. Copy one file, "client.keys", into both c:\windows and c:\windows\system32.
5. Monitor the logs.

Result:
1. On the Windows agent:
2014/04/28 16:22:01 ossec-agent: DEBUG: Attempting to send message to server.
2014/04/28 16:22:01 ossec-agent: DEBUG: Sending message to server: '96:33206:0:0:ed037ff967353b1ac2d5157f991d7a8e:28002c9f9bf270064e014795bc5f8e465b14533f C:\WINDOWS/client.keys'

but not c:\windows\system32\client.keys
2. On the OSSEC server:
# tail -f /var/ossec/queue/syscheck/\(test-windows\)\ 192.168.93.150-\>syscheck
+++96:33206:0:0:ed037ff967353b1ac2d5157f991d7a8e:28002c9f9bf270064e014795bc5f8e465b14533f !1398723721 C:\WINDOWS/client.keys

3. Alert log:
Alert 1398723721.1352222: mail  - local,syslog,syscheck,\n2014 Apr 28 15:22:01 (test-windows) 192.168.93.150->syscheck\nRule: 554 (level 10) -> 'File added to the system.'\nNew file 'C:\\WINDOWS/client.keys' added to the file system.
Same result: there is no entry for system32.

Just the one log line above.

Does anyone know why?

thanks!!

Following is my configuration:
========
<agent_config os="Windows">

  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>


  <!-- Rootcheck - Policy monitor config -->
  <rootcheck>
    <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
  </rootcheck>


   <!-- Syscheck - Integrity Checking config. -->
  <syscheck>
    <frequency>120</frequency>
    <directories check_all="yes">C:\WINDOWS</directories>

    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$</ignore>
    <!-- Windows registry entries to monitor. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry> 
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>                                         
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion</windows_registry>              
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion</windows_registry>                 
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>             
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>         
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>       
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>             
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>        
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>      
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>     
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>      
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>                      
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes</windows_registry>                                          
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>                                  
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>                                  
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>                                  
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>                                  
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>                                  
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>                     
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>                                
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>                                   
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>                                


    <!-- Windows registry entries to ignore. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate</registry_ignore>     
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Prefetcher</registry_ignore>          
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Interface</registry_ignore>                                       
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\TypeLib</registry_ignore>                                         
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\MIME</registry_ignore>                                            
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Software</registry_ignore>                                        
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\CLSID</registry_ignore>                                           
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>                                          
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>                               
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses</registry_ignore>                   
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Watchdog</registry_ignore>                        
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaCategories</registry_ignore>                 
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows</registry_ignore>                         
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\hivelist</registry_ignore>                        
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceCurrent</registry_ignore>                  
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print</registry_ignore>                           
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</registry_ignore>                 
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog</registry_ignore>                       
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Performance</registry_ignore>       
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>                                                                

  </syscheck>

</agent_config>

===== server ossec.conf =========
# cat ../etc/ossec.conf 
<ossec_config>                             
  <global>                                 
    <email_notification>yes</email_notification>
    <email_to>te...@test.com</email_to> 
    <smtp_server>127.0.0.1</smtp_server>        
    <email_from>oss...@test.com</email_from>
  </global>                                                           

  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>   
    <include>sshd_rules.xml</include>  
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include> 
    <include>arpwatch_rules.xml</include>
    <include>symantec-av_rules.xml</include>
    <include>symantec-ws_rules.xml</include>
    <include>pix_rules.xml</include>        
    <include>named_rules.xml</include>      
    <include>smbd_rules.xml</include>       
    <include>vsftpd_rules.xml</include>     
    <include>pure-ftpd_rules.xml</include>  
    <include>proftpd_rules.xml</include>    
    <include>ms_ftpd_rules.xml</include>    
    <include>ftpd_rules.xml</include>       
    <include>hordeimp_rules.xml</include>   
    <include>roundcube_rules.xml</include>  
    <include>wordpress_rules.xml</include>  
    <include>cimserver_rules.xml</include>  
    <include>vpopmail_rules.xml</include>   
    <include>vmpop3d_rules.xml</include>    
    <include>courier_rules.xml</include>    
    <include>web_rules.xml</include>        
    <include>web_appsec_rules.xml</include> 
    <include>apache_rules.xml</include>     
    <include>nginx_rules.xml</include>      
    <include>php_rules.xml</include>        
    <include>mysql_rules.xml</include>      
    <include>postgresql_rules.xml</include> 
    <include>ids_rules.xml</include>        
    <include>squid_rules.xml</include>      
    <include>firewall_rules.xml</include>   
    <include>cisco-ios_rules.xml</include>  
    <include>netscreenfw_rules.xml</include>
    <include>sonicwall_rules.xml</include>  
    <include>postfix_rules.xml</include>    
    <include>sendmail_rules.xml</include>   
    <include>imapd_rules.xml</include>      
    <include>mailscanner_rules.xml</include>
    <include>dovecot_rules.xml</include>    
    <include>ms-exchange_rules.xml</include>
    <include>racoon_rules.xml</include>     
    <include>vpn_concentrator_rules.xml</include>
    <include>spamd_rules.xml</include>           
    <include>msauth_rules.xml</include>          
    <include>mcafee_av_rules.xml</include>       
    <include>trend-osce_rules.xml</include>      
    <include>ms-se_rules.xml</include>           
    <!-- <include>policy_rules.xml</include> --> 
    <include>zeus_rules.xml</include>            
    <include>solaris_bsm_rules.xml</include>     
    <include>vmware_rules.xml</include>          
    <include>ms_dhcp_rules.xml</include>         
    <include>asterisk_rules.xml</include>        
    <include>ossec_rules.xml</include>           
    <include>attack_rules.xml</include>          
    <include>openbsd_rules.xml</include>         
    <include>clam_av_rules.xml</include>         
    <include>bro-ids_rules.xml</include>         
    <include>dropbear_rules.xml</include>        
    <include>local_rules.xml</include>           
  </rules>                                       

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>300</frequency>                                              
                                                                            
    <alert_new_files>yes</alert_new_files>                                  
                                                                            
    <!-- Directories to check  (perform all possible verifications) -->     
    <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories realtime="yes" check_all="yes">/bin,/sbin</directories>             

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>          
    <ignore>/etc/mnttab</ignore>        
    <ignore>/etc/hosts.deny</ignore>    
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>    
    <ignore>/etc/adjtime</ignore>        
    <ignore>/etc/httpd/logs</ignore>     
    <ignore>/etc/utmpx</ignore>          
    <ignore>/etc/wtmpx</ignore>          
    <ignore>/etc/cups/certs</ignore>     
    <ignore>/etc/dumpdates</ignore>      
    <ignore>/etc/svc/volatile</ignore>   
  </syscheck>                            

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>     
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit> 
    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>   
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>  
  </rootcheck>                                                                  

  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>192.168.93.2</white_list>           
  </global>                                         

  <remote>
    <connection>secure</connection>
  </remote>                        

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>                                 

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>               
    <timeout_allowed>yes</timeout_allowed>
  </command>                              

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>                   
    <timeout_allowed>yes</timeout_allowed>   
  </command>                                 

  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>                      
    <timeout_allowed>yes</timeout_allowed>     
  </command>                                   

  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>                        
  </command>                                 
                                             

  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Files to monitor (localfiles) -->

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/error_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/access_log</location>
  </localfile>

  <localfile>
    <log_format>command</log_format>
    <command>df -h</command>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 5</command>
  </localfile>
</ossec_config>
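The server-side queue line quoted above (`+++size:perms:uid:gid:md5:sha1 !epoch path`) can be checked mechanically instead of by eye. The following is an added example written for this thread, not code from the post or from OSSEC: it parses a copy of the `queue/syscheck/<agent>->syscheck` file, reports which of the files the test copied in were never reported, summarises entries per directory, and also looks entries up by content hash, in case the agent reported a file under a path other than the one it was copied to. The probe-file line, its content, the malformed line and the `EXPECTED` list are constructed for the example; the meaning of the leading three-character marker is not relied upon.

```python
"""Check an OSSEC server-side syscheck queue against the files a test expected
the agent to report.  Example code added for this thread, not part of OSSEC.
Line format reproduced from the line quoted in the thread:
    +++<size>:<perms>:<uid>:<gid>:<md5>:<sha1> !<epoch> <path as the agent sent it>
"""
import hashlib
import re
from collections import Counter
from typing import List, NamedTuple


class Entry(NamedTuple):
    marker: str     # leading three characters, "+++" on the quoted line
    size: int
    perms: int      # 33206 on the quoted Windows line
    uid: int
    gid: int
    md5: str
    sha1: str
    timestamp: int  # epoch seconds following the '!'
    path: str       # exactly as the agent sent it, mixed '\' and '/'


LINE_RE = re.compile(
    r"^(?P<marker>[+!]{3})"
    r"(?P<size>\d+):(?P<perms>\d+):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<md5>[0-9a-f]{32}):(?P<sha1>[0-9a-f]{40})"
    r" !(?P<ts>\d+) (?P<path>.+)$"
)

# Constructed sample queue: line 1 is the real line quoted in the thread, line 2
# is a made-up entry for a probe file as it would look if reported from
# C:\WINDOWS\system (the thread's point is that no such line ever appears for
# system32), line 3 is junk that the parser must skip.
PROBE = b"ossec syscheck probe\n"
SAMPLE_QUEUE = (
    "+++96:33206:0:0:ed037ff967353b1ac2d5157f991d7a8e:"
    "28002c9f9bf270064e014795bc5f8e465b14533f !1398723721 C:\\WINDOWS/client.keys\n"
    f"+++{len(PROBE)}:33206:0:0:{hashlib.md5(PROBE).hexdigest()}:"
    f"{hashlib.sha1(PROBE).hexdigest()} !1398723800 C:\\WINDOWS/system/probe.txt\n"
    "this line is deliberately malformed and must be skipped\n"
)

# The files the test copied in (constructed, matching step 4 of the post).
EXPECTED = [r"c:\windows\client.keys", r"c:\windows\system32\client.keys"]


def parse_queue(text: str) -> List[Entry]:
    """Parse every well-formed line; anything else is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        entries.append(Entry(
            m["marker"], int(m["size"]), int(m["perms"]), int(m["uid"]),
            int(m["gid"]), m["md5"], m["sha1"], int(m["ts"]), m["path"]))
    return entries


def normalize(path: str) -> str:
    """Windows paths are case-insensitive and the agent mixes separators,
    so fold both before comparing."""
    return path.replace("\\", "/").lower().rstrip("/")


def missing_paths(entries: List[Entry], expected: List[str]) -> List[str]:
    """Expected files that never made it into the queue."""
    seen = {normalize(e.path) for e in entries}
    return [p for p in expected if normalize(p) not in seen]


def directory_summary(entries: List[Entry]) -> Counter:
    """Entries per parent directory: shows at a glance which subtrees the
    agent is actually reporting."""
    return Counter(normalize(e.path).rsplit("/", 1)[0] for e in entries)


def entries_under(entries: List[Entry], directory: str) -> List[Entry]:
    prefix = normalize(directory) + "/"
    return [e for e in entries if normalize(e.path).startswith(prefix)]


def entries_with_content(entries: List[Entry], data: bytes) -> List[Entry]:
    """Look a file up by MD5+SHA1 instead of path: catches the case where the
    agent did report the file, but under a path you did not expect."""
    md5, sha1 = hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()
    return [e for e in entries if e.md5 == md5 and e.sha1 == sha1]


if __name__ == "__main__":
    entries = parse_queue(SAMPLE_QUEUE)
    for directory, count in sorted(directory_summary(entries).items()):
        print(f"{count:4d}  {directory}")
    for path in missing_paths(entries, EXPECTED):
        print("never reported:", path)
    for e in entries_with_content(entries, PROBE):
        print("probe content seen at:", e.path)
```

To use it on a real server, replace `SAMPLE_QUEUE` with the contents of the agent's queue file and `PROBE` with the bytes of the file you copied in; a hit from `entries_with_content` with an unexpected path, or an empty `entries_under(..., "C:\\WINDOWS\\system32")`, narrows the problem down to the agent side before touching the Windows box.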


dan (ddp)

May 5, 2014, 6:06:57 PM
to ossec...@googlegroups.com


On Apr 28, 2014 6:44 PM, "Ash Windy" <windy1...@gmail.com> wrote:
>
> Hi,
> I have tried many times to get syscheck to detect Windows file changes, but it does not work well: it can monitor any directory except c:\windows\system32.
>
> Test steps:
> 1. Use agent.conf to monitor c:\windows.
> 2. Enable the new-files alert on the OSSEC server.
> 3. Restart both and wait a long time, to make sure the initial syscheck scan has finished.
> 4. Copy one file, "client.keys", into both c:\windows and c:\windows\system32.
> 5. Monitor the logs.
>

If it's in the message I apologize, but what version of Windows? Have you tried OSSEC 2.8?

Are there file auditing options in Windows to track attempted access? If so, you could turn that on and see if there is any more available info on why this is failing.


Michael Starks

May 6, 2014, 10:12:56 AM
to ossec...@googlegroups.com
On 2014-05-05 17:06, dan (ddp) wrote:

> Are there file auditing options in windows to track attempted access?
> If so you could turn that on and see if there is anymore available
> info on why this is failing.

Object auditing in Windows is horrendously chatty. I have seen it take
down a box when not implemented with a scalpel. I like to use Process
Monitor (formerly filemon and regmon) from Microsoft (formerly
sysinternals). Great tools.

Ash Windy

May 29, 2014, 6:27:50 PM
to ossec...@googlegroups.com
I tested these problems again. The important issues are the following:
1. Uploaded some files to two folders, but just one was detected.
2. Uploaded different files to different folders at the same time, but just one was detected.

I used procexp.exe and procmon.exe to monitor file access.

1. Testing environment

OS: windows 2003 R2

OSSEC version: 2.8 beta1

Server configuration for syscheck (the new-file alert is already added in local_rules.xml):

===========ossec.conf======================
  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>

    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
  </syscheck>
==================================

Agent configuration for syscheck:

============agent.conf======================
  <syscheck>
    <frequency>600</frequency>
    <disabled>no</disabled>

    <directories check_all="yes" report_changes="yes">c:\autoexec.bat</directories>
    <directories check_all="yes">c:\config.sys</directories>
    <directories check_all="yes" realtime="yes">%WINDIR%</directories>

    <ignore>%WINDIR%/System32/LogFiles</ignore>
    <ignore>%WINDIR%/system32/wbem/Logs</ignore>
    <ignore>%WINDIR%/Prefetch</ignore>
    <ignore>%WINDIR%/Debug</ignore>
    <ignore>%WINDIR%/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>%WINDIR%/SoftwareDistribution</ignore>
    <ignore>%WINDIR%/Temp</ignore>
    <ignore>%WINDIR%/SchedLgU.Txt</ignore>
    <ignore>%WINDIR%/system32/config</ignore>
    <ignore>%WINDIR%/system32/CatRoot</ignore>
    <ignore>%WINDIR%/system32/wbem/Repository</ignore>
    <ignore>%WINDIR%/LastGood.Tmp</ignore>
    <ignore>%WINDIR%/LastGood</ignore>
    <ignore>%WINDIR%/Help</ignore>
    <ignore>%WINDIR%/Fonts</ignore>
    <ignore>%WINDIR%/PCHEALTH</ignore>
    <ignore>%WINDIR%/system32/dllcache</ignore>
    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$</ignore>

    <!-- Windows registry entries to monitor.-->
==============================

 

Enabled debug for the OSSEC server and the agent clients.

Opened Process Explorer and Process Monitor on Windows, with a filter for ossec-agent.exe and the new file (to let me know who accesses the new files).

 

2. Test step 1: upload a new file (RootkitRevealer.exe) to c:\windows

OSSEC agent status: sleeping, which means it had not started the scan yet. But I noticed it still tried to access "c:\Program files(x86)\ossec-agent\syscheck\.syscheck_run", which does not exist.

Monitor: at first it did not find the upload in real time when I uploaded this new file; after waiting 10 minutes, it found the new file.

OSSEC logs: OK

Result: success

 

3. Deleted the new file

OSSEC agent status: sleeping

Process Monitor: I can see ossec-agent.exe accessed this file, like this:

 

[Process Monitor screenshot, not recoverable from the page: rows for ossec-agent.exe opening files under C:\WINDOWS with Desired Access: Generic Read, a FSCTL_QUERY_ALLOCATED_RANGES FileSystemControl, Result: SUCCESS, filtered on the path of the deleted file.]

OSSEC logs: all of it is normal

Result: succeeded

 

4. Upload the same file to two folders, c:\windows\system\ and c:\windows\system32\

OSSEC agent status: sleeping. I tried restarting syscheck with agent_control, but it did not work.

Monitor: it just found the one file in c:\windows\system\ but could not find the other in system32. Is it because it is the same file? Is it a bug?

OSSEC logs: of course, just one alert, for the system directory.

Result: failed

 

5. Deleted these three files in the different directories: first c:\windows\system32 (not detected), then c:\system and c:\windows

OSSEC agent status: sleeping

Monitor: found them in real time, except for c:\windows\system32 (not detected).

Result: good?

 

6. Upload different files to different folders at the same time (one file was used in the test above, the others are new)

Monitor: the old file was found in real time; the two new files were found when the scan started.

Result: succeeded


Thanks

On Tuesday, May 6, 2014 at 7:12:56 AM UTC-7, Michael Starks wrote:
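Before blaming the agent, it is worth confirming that the agent.conf above does not exclude the system32 test path itself. The following is an added example written for this thread, not code from the post or from OSSEC: it loads an abridged, constructed copy of the `<syscheck>` block, applies the matching rules as I understand them (a literal `<ignore>` is a case-insensitive prefix compare against the path; a `sregex` ignore is evaluated by OSSEC's own regex engine, for which Python's `re` stands in here, and the two agree on patterns as simple as the thread's) and prints why a given path is monitored or not. `WINDIR` is an assumed expansion of `%WINDIR%` on the test host.

```python
"""Decide, for a given path, whether the agent.conf <syscheck> rules would
have it monitored, ignored, or not covered at all.  Example code added for
this thread, not part of OSSEC."""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Assumed value of %WINDIR% on the test host.
WINDIR = r"C:\WINDOWS"

# Constructed, abridged copy of the <syscheck> block from the post above.
AGENT_SYSCHECK = """\
<syscheck>
  <frequency>600</frequency>
  <directories check_all="yes" realtime="yes">%WINDIR%</directories>
  <ignore>%WINDIR%/System32/LogFiles</ignore>
  <ignore>%WINDIR%/Temp</ignore>
  <ignore>%WINDIR%/system32/config</ignore>
  <ignore>%WINDIR%/system32/dllcache</ignore>
  <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$</ignore>
</syscheck>
"""


def norm(path: str) -> str:
    """Expand %WINDIR%, unify separators and case-fold, so that the config's
    'C:\\WINDOWS/system32/config' and a real 'c:\\windows\\system32\\config\\SAM'
    compare as prefix and path."""
    return path.replace("%WINDIR%", WINDIR).replace("\\", "/").lower().rstrip("/")


def load_rules(xml_text: str) -> Tuple[List[str], List[str], List[str]]:
    """Return (monitored directories, literal ignores, sregex ignores)."""
    root = ET.fromstring(xml_text)
    dirs, literal, sregex = [], [], []
    for d in root.findall("directories"):
        dirs.extend(norm(p.strip()) for p in d.text.split(","))
    for ig in root.findall("ignore"):
        if ig.get("type") == "sregex":
            sregex.append(ig.text.strip())
        else:
            literal.append(norm(ig.text.strip()))
    return dirs, literal, sregex


def status(path: str, dirs: List[str], literal: List[str], sregex: List[str]) -> str:
    p = norm(path)
    if not any(p == d or p.startswith(d + "/") for d in dirs):
        return "not under a monitored directory"
    # A literal ignore is compared against the start of the path only, so
    # 'Temp' also swallows 'Temporary Internet Files'.
    for lit in literal:
        if p.startswith(lit):
            return f"ignored by <ignore>{lit}</ignore>"
    # In both engines '.' matches any character, so '.log$' also ignores
    # anything that merely ends in 'log', such as 'catalog'.
    for rx in sregex:
        if re.search(rx, p):
            return f"ignored by sregex {rx}"
    return "monitored"


if __name__ == "__main__":
    rules = load_rules(AGENT_SYSCHECK)
    for path in (r"c:\windows\system32\client.keys",
                 r"c:\windows\system32\config\SAM",
                 r"c:\windows\system32\catalog",
                 r"c:\windows\Temporary Internet Files\x.dat",
                 r"c:\Program Files\x.exe"):
        print(f"{path:48s} {status(path, *rules)}")
```

For the thread's test file, `c:\windows\system32\client.keys` comes back as monitored, so the ignore list is not what hides it; the two side effects the script also shows (prefix matching on `Temp`, and `.` as a wildcard in `.log$`) are worth knowing about whenever an expected alert does not arrive.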

BP9906

May 30, 2014, 5:46:02 PM
to ossec...@googlegroups.com
Dumb question here, but are you letting syscheck run after the agent has been restarted after the agent.conf has been downloaded? 

You can force syscheck to run from the OSSEC server using ./bin/syscheck_control -r -u ###, where ### = agent ID.

Then watch ossec.log on the agent show syscheckd start, do stuff, finish, then realtime syscheck started.

Ash Windy

Jun 3, 2014, 7:29:34 PM
to ossec...@googlegroups.com
Of course. I restarted the agent before the new agent.conf had been downloaded on the Windows client.

I think you do not really understand the question. The Windows agent can run syscheck, but it cannot monitor all of the new files created when I upload a file to two or more different folders. That is my question.


On Friday, May 30, 2014 at 2:46:02 PM UTC-7, BP9906 wrote: