Syscheck windows registry value ignore


ITS spec

Oct 22, 2019, 9:35:19 AM
to Wazuh mailing list
Hello.

Is it possible somehow to ignore a Windows registry value with Wazuh?

In Windows 10 there is a value - LastLogOffEndTimePerfCounter in key - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.

I need to syscheck this key, but I need to ignore the value LastLogOffEndTimePerfCounter.

I tried adding a local rule:

<rule id="100013" level="0">
  <if_group>syscheck</if_group>
  <match>LastLogOffEndTimePerfCounter</match>
  <description>Ignore changes to winlogon</description>
</rule>

but it did not help.

Victor Fernandez

Oct 23, 2019, 2:36:40 PM
to ITS spec, Wazuh mailing list
Hi,

I'm afraid this is not currently possible. Syscheck produces a checksum for the entire key. The agent delivers the key and its checksum to the manager, but not the values.

Maybe it's possible to implement this kind of filter on the agent side, with an option like:

<windows_registry restrict="!LastLogOffEndTimePerfCounter">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

Would you find that option helpful? We would love some feedback. On the other hand, feel free to open a feature request in GitHub: https://github.com/wazuh/wazuh/issues/new?template=default.md

Best regards,

Victor Manuel Fernandez-Castro 
Core Engineering | vic...@wazuh.com


--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/96040366-c602-4bcf-9e8d-440462f48c52%40googlegroups.com.
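To make the point in the reply above concrete, here is a small simulation added here (it is not Wazuh's code and not from the thread): it hashes a whole key the way the reply describes, shows that the event the manager receives carries no value name for a <match> to hit, and models the proposed restrict="!..." attribute as an agent-side filter. The sample key data and the restrict semantics are assumptions.

```python
import hashlib
import re

# Constructed sample of the Winlogon key from the thread: value name -> data.
# Not read from a real registry; the data strings are placeholders.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_VALUES = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
    "LastLogOffEndTimePerfCounter": "1234567890",
}


def key_checksum(values, restrict=None):
    """Checksum over a whole key's values, mirroring the per-key hash the
    thread describes. `restrict` is the hypothetical attribute from the
    proposal: a regex, or "!regex" meaning "all values except those matching"."""
    keep = dict(values)
    if restrict:
        negated = restrict.startswith("!")
        pattern = re.compile(restrict[1:] if negated else restrict)
        keep = {n: d for n, d in values.items()
                if bool(pattern.search(n)) != negated}
    h = hashlib.sha256()
    for name in sorted(keep):  # fixed order so the digest is reproducible
        h.update(f"{name}\0{keep[name]}\0".encode("utf-8"))
    return h.hexdigest()


def manager_event(key, values, restrict=None):
    """What the manager receives per the thread: key path and checksum only."""
    return {"path": key, "checksum": key_checksum(values, restrict)}


def change_detected(before, after, restrict=None):
    """True when two snapshots of a key would produce a syscheck change."""
    return key_checksum(before, restrict) != key_checksum(after, restrict)


if __name__ == "__main__":
    noisy = dict(WINLOGON_VALUES, LastLogOffEndTimePerfCounter="9999999999")
    # The value name never reaches the manager, so a <match> on it cannot fire.
    print("name in event:", "LastLogOffEndTimePerfCounter" in str(manager_event(WINLOGON_KEY, noisy)))
    print("unfiltered:", change_detected(WINLOGON_VALUES, noisy))
    print("filtered:", change_detected(WINLOGON_VALUES, noisy, "!LastLogOffEndTimePerfCounter"))
```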

ITS spec

Oct 24, 2019, 3:44:32 AM
to Wazuh mailing list
Hi, Victor.

I did not quite understand: where do I need to add this option?

I tried adding it in the <!-- Windows registry entries to monitor. --> section in agent.conf, but I got an error in ossec.log:

ERROR: (1243): Invalid attribute 'restrict' in the configuration: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'.

Also, I can't find information about the attribute 'restrict' in the Wazuh docs. Is it an undocumented feature?

On Wednesday, October 23, 2019 at 21:36:40 UTC+3, Victor Fernandez wrote:

Victor Fernandez

Oct 25, 2019, 1:31:40 AM
to ITS spec, Wazuh mailing list
Hi ITS,

I meant that this is not currently possible; there is no option to achieve this use case. The option restrict only applies to the element <directories>, not to <windows_registry>.

On the other hand, I think this is an interesting use case, and I wonder if you would find that option helpful.

I've opened a feature request for you: #4150

Best regards,


Victor Manuel Fernandez-Castro 
Core Engineering | vic...@wazuh.com


Alex

Oct 25, 2019, 5:06:02 AM
to Wazuh mailing list
Hi, Victor.

Yes, I would find that option very helpful, and I would be grateful if it were implemented.

I have some more values from different keys that I need to ignore, and without this option this causes many problems for me.

Thank you, Victor.

On Friday, October 25, 2019 at 8:31:40 UTC+3, Victor Fernandez wrote:


Victor Fernandez

Oct 25, 2019, 6:45:32 AM
to Alex, Wazuh mailing list
Hi Alex,

That's great. Let me discuss that with the team; we hope to implement it very soon. We will keep you posted.

Best regards,

Victor Manuel Fernandez-Castro 
Core Engineering | vic...@wazuh.com
