Windows policy monitoring

OSSEC v1.3 will come with support for Windows policy monitoring, allowing you to verify that all your systems conform to a set of policies regarding configuration settings, application usage, etc. The policies are configured centrally on the OSSEC server and pushed down to all your agents.

With the Windows policy monitoring, you can get alerts like the following (detecting Skype and Yahoo):

2007 Jul 22 17:42:57 Rule Id: 514 level: 2
Location: (winhome) 192.168.2.190->rootcheck
Windows application monitor event.

Application Found: Chat/IM – Yahoo.

2007 Jul 22 17:42:57 Rule Id: 514 level: 2
Location: (winhome) 192.168.2.190->rootcheck
Windows application monitor event.

Application Found: Chat/IM/VoIP – Skype.

And compliance alerts like the following:

2007 Jul 23 13:44:54 Rule Id: 512 level: 3
Location: (winhome) 192.168.2.190->rootcheck
Windows Audit event.

Windows Audit: Null sessions allowed.

2007 Jul 23 13:44:54 Rule Id: 512 level: 3
Location: (winhome) 192.168.2.190->rootcheck
Windows Audit event.

Windows Audit: LM authentication allowed (weak passwords).
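The four alerts above share one layout: a header line with the timestamp, rule id and level, a Location line naming the agent, its IP and the module that raised it (rootcheck), a one-line description, and a detail line. The parser below is an added example, not OSSEC code; it turns that layout into records and separates the application-usage findings from the audit (compliance) findings. The sample text is constructed from the alerts quoted in the post, and the classification by the "Application Found:" / "Windows Audit:" prefixes is an assumption drawn from those samples only.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: the four alerts quoted in the post, laid out as they
# would appear one after another in the server's alert log.
SAMPLE_ALERTS = """\
2007 Jul 22 17:42:57 Rule Id: 514 level: 2
Location: (winhome) 192.168.2.190->rootcheck
Windows application monitor event.

Application Found: Chat/IM - Yahoo.

2007 Jul 22 17:42:57 Rule Id: 514 level: 2
Location: (winhome) 192.168.2.190->rootcheck
Windows application monitor event.

Application Found: Chat/IM/VoIP - Skype.

2007 Jul 23 13:44:54 Rule Id: 512 level: 3
Location: (winhome) 192.168.2.190->rootcheck
Windows Audit event.

Windows Audit: Null sessions allowed.

2007 Jul 23 13:44:54 Rule Id: 512 level: 3
Location: (winhome) 192.168.2.190->rootcheck
Windows Audit event.

Windows Audit: LM authentication allowed (weak passwords).
"""

# Header: "<YYYY Mon DD HH:MM:SS> Rule Id: <n> level: <n>"
HEADER_RE = re.compile(r"^(\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) Rule Id: (\d+) level: (\d+)$")
# Location: "(<agent name>) <agent ip>-><module>"
LOCATION_RE = re.compile(r"^Location: \((\S+)\) (\S+)->(\S+)$")


@dataclass
class RootcheckAlert:
    timestamp: str
    rule_id: int
    level: int
    agent: str
    agent_ip: str
    source: str
    description: str
    details: List[str] = field(default_factory=list)

    @property
    def kind(self) -> str:
        """Classify by the detail prefix (assumed from the quoted samples)."""
        first = self.details[0] if self.details else ""
        if first.startswith("Application Found:"):
            return "application"
        if first.startswith("Windows Audit:"):
            return "audit"
        return "other"


def parse_alerts(text: str) -> List[RootcheckAlert]:
    """Split the log text into alerts: a header line starts a new record,
    blank lines are separators, everything else belongs to the open record."""
    alerts: List[RootcheckAlert] = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = RootcheckAlert(m.group(1), int(m.group(2)), int(m.group(3)), "", "", "", "")
            alerts.append(current)
            continue
        if current is None or not line.strip():
            continue
        m = LOCATION_RE.match(line)
        if m:
            current.agent, current.agent_ip, current.source = m.groups()
        elif not current.description:
            current.description = line.strip()   # first free-text line
        else:
            current.details.append(line.strip())  # remaining lines are detail
    return alerts


def summarize(alerts: List[RootcheckAlert]) -> Tuple[Dict[str, int], List[str]]:
    """Count findings per kind and list the audit failures, which are the
    compliance items an administrator has to fix on the agent host."""
    counts: Dict[str, int] = {}
    audit_failures: List[str] = []
    for a in alerts:
        counts[a.kind] = counts.get(a.kind, 0) + 1
        if a.kind == "audit":
            audit_failures.append(a.details[0][len("Windows Audit: "):])
    return counts, audit_failures


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    counts, failures = summarize(parsed)
    print(counts)
    for f in failures:
        print("audit failure:", f)
```

Running it on the sample gives two application findings and two audit findings; the audit list ("Null sessions allowed.", "LM authentication allowed (weak passwords).") is the part worth routing to whoever owns the host's security baseline, since those are settings rather than user behaviour.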

Interested? Read more about how it works here. You can also try our beta version to help us improve it.

Control UI for the Windows agent

The next version of OSSEC for Windows will come with a very simple “control ui” to manage and configure some basic options in the Windows agent (like the server IP, auth keys, etc). The code is pretty much stable, but I would like some beta testers and some suggestions.

If you are interested, the executable can be downloaded from here. The source code is committed to CVS too. Just download it, play with it, try restarting, stopping, changing the configs, etc. Any feedback will be welcome.

Some screenshots:

Windows UI screenshot 1
Windows UI screenshot 2
Windows UI screenshot 3

*I am far from being a ui designer (especially on Windows), so help is also welcome to make it look/work better.

How to compile ossec on Windows?

It is not the first time I have been asked that, so I decided to write it up here in case anyone else is interested. First of all, OSSEC is compiled using MinGW, so we have only used it with gcc. We do not support any other compiler, but feel free to use one if you want.

With that being said, you now need the Windows-specific files. Go to your OSSEC source code (on Unix) and execute the “gen_win.sh” script. It will create all the necessary files for the Windows installation inside src/win-pkg.

$ pwd
/tmp/ossec-hids-1.1/src/win32/
$ ./gen_win.sh
..
$ cd ../win-pkg
$ zip ossec-win.zip win-pkg

After that, copy the “win-pkg” directory to your Windows system and execute the “make.bat” script on it.

C:\>cd win-pkg
C:\win-pkg>make
..

If your MinGW installation is not at C:\MinGW, you will need to set the right paths in the make script. When you are done with your changes, you can generate the install.exe by compiling ossec-installer.nsi with NSIS.

Windows registry monitoring (syscheckd)

I just completed adding support for monitoring the Windows registry in OSSEC. It seems to be fairly stable right now and hopefully a beta version will be available soon (lots of tests will be required).

The configuration will have the following options available (inside the syscheck area):

<windows_registry>HKEY_LOCAL_MACHINE</windows_registry>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft</registry_ignore>

The first option is a comma-separated list of registry entries to monitor and the second is a list of entries to ignore.
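To make the two options concrete, here is an added example (not OSSEC's syscheck code) that applies a monitor list and an ignore list to two constructed registry snapshots and reports which keys were added, removed or changed between them. The snapshots are plain dictionaries standing in for hive data the real agent reads through the Win32 API; the matching rules (case-insensitive prefix match on the key path, and an ignore entry overriding a broader monitor entry) are assumptions about how the options behave, not something the post specifies. It also tries the SYSTEM/SECURITY/SAM default that the post proposes further down, to show how much narrower that list is.

```python
import hashlib
from typing import Dict, List

# Constructed stand-in for a hive snapshot: key path -> {value name: data}.
Snapshot = Dict[str, Dict[str, str]]


def parse_list(option: str) -> List[str]:
    """Split a comma-separated option value into normalised key prefixes."""
    return [p.strip().rstrip("\\").lower() for p in option.split(",") if p.strip()]


def is_monitored(key: str, monitor: List[str], ignore: List[str]) -> bool:
    """Assumed semantics: case-insensitive prefix match on the key path
    (registry paths are case-insensitive); an ignore entry wins over a
    broader monitor entry, so HKLM minus HKLM\\Software\\Microsoft works."""
    k = key.lower()

    def under(prefix: str) -> bool:
        return k == prefix or k.startswith(prefix + "\\")

    if any(under(p) for p in ignore):
        return False
    return any(under(p) for p in monitor)


def key_checksum(values: Dict[str, str]) -> str:
    """Stable digest of a key's values so that a change to any value name or
    data shows up as a single changed key, the way a file checksum would."""
    h = hashlib.sha256()
    for name in sorted(values):
        h.update(f"{name}={values[name]}\0".encode())
    return h.hexdigest()


def diff_snapshots(baseline: Snapshot, current: Snapshot,
                   monitor_opt: str, ignore_opt: str) -> Dict[str, List[str]]:
    """Compare two snapshots, looking only at keys the options select."""
    monitor, ignore = parse_list(monitor_opt), parse_list(ignore_opt)

    def watched(snap: Snapshot) -> Snapshot:
        return {k: v for k, v in snap.items() if is_monitored(k, monitor, ignore)}

    before, after = watched(baseline), watched(current)
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(k for k in set(before) & set(after)
                     if key_checksum(before[k]) != key_checksum(after[k]))
    return {"added": added, "removed": removed, "changed": changed}


# Constructed sample snapshots (paths and values are illustrative only).
HKLM = "HKEY_LOCAL_MACHINE"
BASELINE: Snapshot = {
    HKLM + r"\SYSTEM\CurrentControlSet\Services\Tcpip": {"Start": "1"},
    HKLM + r"\SYSTEM\CurrentControlSet\Control\Lsa": {"RestrictAnonymous": "1", "LmCompatibilityLevel": "3"},
    HKLM + r"\Software\Microsoft\Windows\CurrentVersion\Run": {"ctfmon": "ctfmon.exe"},
    HKLM + r"\Software\Example\App": {"Version": "1.0"},
}
CURRENT: Snapshot = {
    HKLM + r"\SYSTEM\CurrentControlSet\Services\Tcpip": {"Start": "1"},
    # Lsa value changed: anonymous (null session) access re-enabled
    HKLM + r"\SYSTEM\CurrentControlSet\Control\Lsa": {"RestrictAnonymous": "0", "LmCompatibilityLevel": "3"},
    # a service key that was not present in the baseline
    HKLM + r"\SYSTEM\CurrentControlSet\Services\NewSvc": {"ImagePath": r"C:\Program Files\NewSvc\svc.exe"},
    # Run key gained an entry, but it sits under the ignored Software\Microsoft tree
    HKLM + r"\Software\Microsoft\Windows\CurrentVersion\Run": {"ctfmon": "ctfmon.exe", "updater": "u.exe"},
    # Software\Example\App was deleted
}

if __name__ == "__main__":
    print(diff_snapshots(BASELINE, CURRENT, "HKEY_LOCAL_MACHINE",
                         r"HKEY_LOCAL_MACHINE\Software\Microsoft"))
    print(diff_snapshots(BASELINE, CURRENT,
                         r"HKEY_LOCAL_MACHINE\SYSTEM, HKEY_LOCAL_MACHINE\SECURITY, HKEY_LOCAL_MACHINE\SAM", ""))
```

With the post's own configuration (monitor all of HKLM, ignore HKLM\Software\Microsoft) the Lsa change, the new service key and the deleted Software\Example\App key are reported while the Run key edit is silently dropped by the ignore list; with the SYSTEM/SECURITY/SAM default only the first two are reported, because nothing under Software is monitored at all. That is the trade-off behind the question of what to monitor by default.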

A question now for the Windows users out there: which registry entries should we monitor by default?

I was thinking of everything at HKEY_LOCAL_MACHINE\SYSTEM, HKEY_LOCAL_MACHINE\SECURITY and HKEY_LOCAL_MACHINE\SAM. Is there anything else worth checking too?
Comments are more than welcome.