Control UI for the Windows agent

The next version of ossec for Windows will come with a very simple “control ui” to manage and configure some basic options of the Windows agent (server IP, authentication keys, and so on). The code is pretty much stable, but I would like some beta testers and some suggestions.

If you are interested, the executable can be downloaded from here. The source code is committed to CVS too. Just download it, play with it, try restarting, stopping, changing the configs, etc. Any feedback will be welcome.

Some screenshots:

Windows UI screenshot 1
Windows UI screenshot 2
Windows UI screenshot 3

*I am far from being a ui designer (especially on Windows), so help is also welcome to make it look/work better.

How to compile ossec on Windows?

I have been asked this more than once, so I decided to write it up here in case anyone else is interested. First of all, ossec is compiled using MinGW, so we have only used it with gcc. We do not support any other compiler, but feel free to use one if you want.

With that said, you first need to generate the Windows-specific files. Go to the src/win32 directory of your ossec source tree (on Unix) and execute the “gen_win.sh” script. It will create all the files necessary for the Windows build inside src/win-pkg.

$ pwd
/tmp/ossec-hids-1.1/src/win32/
$ ./gen_win.sh
..
$ cd ..
$ zip -r ossec-win.zip win-pkg

After that, copy the “win-pkg” directory to your Windows system and run the “make.bat” script from inside it.

C:\>cd win-pkg
C:\win-pkg>make
..

If your MinGW installation is not at C:\MinGW, you will need to set the right paths in the make script. When you are done with your changes, you can generate install.exe by compiling ossec-installer.nsi with NSIS.

Screenshots of ossec wui v0.2

It looks like I made a big mistake by releasing the web ui without providing any screenshots of it. So, here they are (better late than never).

Main page of the UI:

Search options:

Integrity checking options:

If you want to share your screenshots, just send them to us and we will publish them here too. PHP developers to help with the project are also welcome!

OSSEC WUI version 0.2 is available

We are pleased to announce the release of the first non-BETA version of the OSSEC web interface (v0.2). This version contains the following features and bug fixes:

  • Added real time monitoring to the search page.
  • Added support for paginated search results.
  • Added “Log Format” as an option to allow searches based on the log format.
  • Added integrity checking page to allow monitoring of changed files/registry entries.

The full release message is available here.

Download it from here.

Install guide here.

As always, comments are welcome…

Windows registry monitoring (syscheckd)

I just completed adding support for monitoring the Windows registry on ossec. It seems to be fairly stable right now and hopefully a beta version will be available soon (lots of tests will be required).

The configuration will have the following options available (inside the syscheck section):

<windows_registry>HKEY_LOCAL_MACHINE</windows_registry>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft</registry_ignore>

Where the first option is a list (comma separated) of registry entries to monitor and the second is a list of entries to ignore.

A question now for the Windows users out there: which registry entries should we monitor by default?

I was thinking of everything under HKEY_LOCAL_MACHINE\SYSTEM, HKEY_LOCAL_MACHINE\SECURITY and HKEY_LOCAL_MACHINE\SAM. Is there anything else worth checking too?
Comments are more than welcome.
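As an added example (not a fragment from the ossec source or its default configuration), here is what a syscheck section using the two options described above could look like. It takes the three hives proposed in the post and adds the auto-start locations that malware most commonly uses for persistence, which is the answer a security engineer would give to the question above. The post does not say whether an option may appear more than once, so each list is written as a single comma-separated element; the ignored key is an assumed example of a location whose values change on their own (DHCP lease data) and would otherwise generate noise.

```xml
<syscheck>
  <!-- Hives proposed in the post, plus (added suggestion) the Run/RunOnce and
       Winlogon keys, which are classic persistence locations on Windows.
       One comma-separated list, as the post describes the option. -->
  <windows_registry>HKEY_LOCAL_MACHINE\SYSTEM,HKEY_LOCAL_MACHINE\SECURITY,HKEY_LOCAL_MACHINE\SAM,HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce,HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

  <!-- Assumed example of a noisy key under a monitored hive: per-interface
       TCP/IP parameters change with every DHCP lease renewal. -->
  <registry_ignore>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces</registry_ignore>
</syscheck>
```

Whatever the default list ends up being, the ignore list deserves as much thought as the monitor list: an agent that alerts on every lease renewal trains its operators to ignore registry alerts, including the one that matters.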

stdarg misuse (C tip #1)

I received some reports in the past about OSSEC segfaulting during startup on 64-bit systems. However, I was never able to reproduce the problem until last week. I was happily enjoying my “vacation” and playing with ossec on 64-bit Ubuntu when I finally got the ugly “2006/12/16 15:26:21 Segmentation fault” during startup. A smile came to my face: I would be able to debug it now 🙂. After some troubleshooting I noticed that I was misusing the stdarg functions. I had never been able to reproduce this issue before because it only happens when there is a configuration problem and ossec tries to print the error message both to the log file and to stderr (by default it only writes to the log file).

Basically, what was happening is that I was calling va_start, followed by multiple vfprintf calls. Once a va_list has been handed to vfprintf (or any other v*printf function) its value in the caller is indeterminate, so reusing it is undefined behaviour everywhere; it only happens to work on 32-bit x86 because va_list there is a plain pointer passed by value, whereas on x86-64 (System V ABI) it is an array type that decays to a pointer, so the callee advances the caller's own argument state. The easiest solution is to duplicate the va_list using va_copy. So, just for the record, never do:

va_start(args, msg);
vfprintf(stderr, msg, args);
vfprintf(fp, msg, args);
va_end(args);

If you need to print a formatted string multiple times, just do a vsnprintf, followed by fprintf’s or use va_copy to duplicate the va_list:

va_list args, args2;

va_start(args, msg);
va_copy(args2, args);       /* copy before anything consumes args */
vfprintf(stderr, msg, args);
vfprintf(fp, msg, args2);   /* the second call gets the copy */
va_end(args2);
va_end(args);

It may sound like an obvious advice, but it may be useful to someone…
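To make the advice concrete, here is an added example (my own code, not ossec's logging routine) showing both safe patterns side by side: a logger that writes one message to two streams with va_copy, the same thing with string destinations so the result can be checked, and the alternative of consuming the va_list exactly once with vsnprintf and copying the finished string. The function names, the 1024-byte scratch buffer and the sample message are all assumptions of this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Write one formatted message to two streams (e.g. the log file and
 * stderr, as in the ossec case).  Each vfprintf consumes the va_list
 * it is given, so the second call gets its own copy made with va_copy.
 * Returns the character count reported by the first vfprintf, or a
 * negative value on error. */
int log_both(FILE *f1, FILE *f2, const char *fmt, ...)
{
    va_list args, args2;
    int n;

    va_start(args, fmt);
    va_copy(args2, args);          /* copy before anything consumes args */
    n = vfprintf(f1, fmt, args);
    vfprintf(f2, fmt, args2);
    va_end(args2);
    va_end(args);
    return n;
}

/* Same pattern with string destinations, so the output can be checked:
 * each vsnprintf gets its own va_list copy. */
int format_twice(char *out1, size_t n1, char *out2, size_t n2,
                 const char *fmt, ...)
{
    va_list args, args2;
    int len;

    va_start(args, fmt);
    va_copy(args2, args);
    len = vsnprintf(out1, n1, fmt, args);
    vsnprintf(out2, n2, fmt, args2);
    va_end(args2);
    va_end(args);
    return len;
}

/* The other safe pattern: consume the va_list exactly once into a
 * scratch buffer, then copy the finished string to each destination.
 * Messages longer than the scratch buffer are truncated, the usual
 * trade-off for a logging helper (buffer size is an assumption). */
int format_once(char *out1, size_t n1, char *out2, size_t n2,
                const char *fmt, ...)
{
    char msg[1024];
    va_list args;
    int len;

    va_start(args, fmt);
    len = vsnprintf(msg, sizeof msg, fmt, args);
    va_end(args);

    snprintf(out1, n1, "%s", msg);
    snprintf(out2, n2, "%s", msg);
    return len;
}

/* Self-check with a constructed message: returns 1 if both patterns
 * produce identical, correct output in both destinations. */
int stdarg_demo_ok(void)
{
    char a[64], b[64], c[64], d[64];
    const char *want = "config error at line 7: bad ip 10.0.0.1";

    if (format_twice(a, sizeof a, b, sizeof b,
                     "config error at line %d: bad ip %s", 7, "10.0.0.1") < 0)
        return 0;
    if (format_once(c, sizeof c, d, sizeof d,
                    "config error at line %d: bad ip %s", 7, "10.0.0.1") < 0)
        return 0;
    return strcmp(a, want) == 0 && strcmp(b, want) == 0 &&
           strcmp(c, want) == 0 && strcmp(d, want) == 0;
}

int main(void)
{
    FILE *fp = tmpfile();          /* stands in for the log file */
    if (fp == NULL)
        return 1;
    log_both(fp, stderr, "%s: %s\n", "2006/12/16 15:26:21",
             "startup failed (constructed demo message)");
    fclose(fp);
    return stdarg_demo_ok() ? 0 : 1;
}
```

Build with a C99 compiler (`gcc -std=c99 -Wall`), since va_copy is a C99 addition; on the 32-bit targets the post mentions, the broken version would pass the same check by accident, which is exactly why this bug stayed hidden until the agent ran on 64-bit Ubuntu.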