Ignoring windows files but still being alerted


Sewell, Tricia

Apr 13, 2018, 4:09:56 AM4/13/18
to wa...@googlegroups.com

Trying to ignore some files in the Windows Registry section of the agent.conf, using OSSEC on a 64-bit Windows server; however, it seems not to be picking them up and the alerts are still coming out.

This is a sample of the config:

<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
<registry_ignore type="sregex">\Enum$</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cissesrv\Logs\Controller001</registry_ignore>

Tried putting in <registry_ignore arch="64bit">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cissesrv\Logs\Controller001</registry_ignore>

but still didn’t work.

Any ideas please?

Kind Regards

Tricia Sewell

External Service Design

rafael...@wazuh.com

Apr 13, 2018, 5:04:57 AM4/13/18
to Wazuh mailing list
Hi Tricia,

I assume you have this line on your ossec.conf:
<windows_registry arch="both">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cissesrv\Logs</windows_registry>


It will scan changes for 32-bit and 64-bit. There is a bug in the code that will be fixed in the Wazuh 3.3 release.

So for now you can write this in your ossec.conf:
<windows_registry arch="64bit">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cissesrv\Logs</windows_registry>

And later:

<registry_ignore arch="64bit">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cissesrv\Logs\Controller001</registry_ignore>



That should work for you.

Best regards.
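As an added example (not part of the original thread and not the project's own documentation), here is how the two entries from the reply above fit together in one shared agent.conf fragment, since the original poster distributes registry settings through agent.conf rather than the agent's local ossec.conf. The `<agent_config os="Windows">` and `<syscheck>` wrappers are assumed standard OSSEC/Wazuh syntax; the registry paths are the ones posted in the thread. The commented-out pair is the form the thread reports as not working.

```xml
<agent_config os="Windows">
  <syscheck>
    <!-- Form reported in the thread as not working: the monitored key
         uses arch="both" while the ignore names only one architecture.
         Kept here commented out for comparison.
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cissesrv\Logs</windows_registry>
    <registry_ignore arch="64bit">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cissesrv\Logs\Controller001</registry_ignore>
    -->

    <!-- Workaround from the reply: monitor the parent key for 64bit only,
         and ignore the noisy subkey with the same arch attribute. -->
    <windows_registry arch="64bit">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cissesrv\Logs</windows_registry>
    <registry_ignore arch="64bit">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cissesrv\Logs\Controller001</registry_ignore>

    <!-- Other ignores from the original post, unchanged. The sregex entry
         matches any monitored key whose path ends in "Enum". -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>
  </syscheck>
</agent_config>
```

When checking whether an ignore is taking effect, compare the registry path printed in the alert with the ignore entry character for character (including the architecture the alert reports), and remember that a shared agent.conf only reaches the agent after it fetches the new copy from the manager and is restarted.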

Sewell, Tricia

Apr 13, 2018, 5:17:32 AM4/13/18
to rafael...@wazuh.com, Wazuh mailing list

Hi Rafael,

We aren’t using Wazuh – just OSSEC manager / agents at this point in time.

I tried putting the 64-bit entry in the agent.conf: <registry_ignore arch="64bit">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cissesrv\Logs\Controller001</registry_ignore>

You mentioned ossec.conf below… our manager server is a Linux server; we don't have any ignore statements in there for Windows.

  1. So for now you can write this in your ossec.conf:

<windows_registry arch="64bit">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cissesrv\Logs</windows_registry>

  2. And later:

<registry_ignore arch="64bit">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cissesrv\Logs\Controller001</registry_ignore>

So are you saying I should change the 64-bit entry to not use the exact path as in no. 2) but one directory higher as specified in no. 1)…?

Kind Regards

Tricia Sewell

External Service Design

rafael...@wazuh.com

Apr 13, 2018, 5:30:31 AM4/13/18
to Wazuh mailing list
Hi Tricia,

Could you please provide your ossec.conf from your Windows agent? I need to check your file to see the exact configuration that you have and provide the right solution.

Best regards.

rafael...@wazuh.com

Apr 13, 2018, 5:37:26 AM4/13/18
to Wazuh mailing list
Your agent.conf, sorry.