1.- Accepting remote commands
The first step is to configure the agent's logcollector to accept remote commands from the manager. This is done by editing the "internal_options.conf" file (usually located at "C:\Program Files (x86)\ossec-agent\internal_options.conf") and setting the variable logcollector.remote_commands to 1:

    # Logcollector - If it should accept remote commands from the manager
    logcollector.remote_commands=1

Keep in mind what this setting enables: any command pushed from the manager (through the shared agent.conf) is executed on the agent, under the account the agent service runs as. A compromised manager, or anyone able to write to the manager's shared directory, can therefore run arbitrary commands on every agent that has this enabled, so protect the manager accordingly and enable the option only on agents that need it.
Once we have saved this change, we just need to restart the agent for it to be applied.

2.- Specifying the command to list running processes
This configuration can be done either on the agent (in its own ossec.conf) or on the manager (using the shared directory); which one you pick depends on how many agents you want this command to run on. In my case I decided to edit the "/var/ossec/etc/shared/agent.conf" configuration file and have these settings pushed to my Windows agents:

    <agent_config os="windows">
      <localfile>
        <log_format>full_command</log_format>
        <command>tasklist</command>
        <frequency>60</frequency>
      </localfile>
    </agent_config>
The command I used to list processes on Windows is "tasklist". There are other options, like wmic, but this one looked good enough to me. For Unix systems you would use "ps" instead (and the `<match>` in the rules of the next step must then name that command, because the event text starts with the exact string given in `<command>`). On the other hand, notice that under log_format I chose "full_command". This is because I want my OSSEC rules to be able to parse the whole command output as a single event, instead of parsing the output one line at a time (which is what the "command" log format does).

Finally, the frequency defines how often, in seconds, this command will be run. It also bounds the detection delay: with 60 seconds, a process that dies right after a run is noticed up to a minute later. Feel free to adjust this setting to whatever makes more sense in your environment, keeping in mind the added load that running commands too often generates on the system.
3.- Creating local rules
In this step we edit our "/var/ossec/rules/local_rules.xml" file to add rules that will trigger an alert if our critical process is not running. For the purpose of this example I will use "wordpad.exe" but, of course, it could be any other name.

    <rule id="100050" level="7">
      <if_sid>530</if_sid>
      <match>^ossec: output: 'tasklist'</match>
      <description>Critical process not found.</description>
      <group>process_monitor,</group>
    </rule>

    <rule id="100051" level="0">
      <if_sid>100050</if_sid>
      <match>wordpad.exe</match>
      <description>Processes running as expected</description>
      <group>process_monitor,</group>
    </rule>
The first rule (id 100050) hangs off rule 530, the generic OSSEC rule that matches every "ossec: output:" event, and will trigger a level 7 alert every time the tasklist output arrives, unless (as defined in rule 100051) the output contains the string "wordpad.exe". In that case the child rule wins and its level is 0, meaning that no alert is triggered. Two things to keep in mind: `<match>` is a plain substring test, so any image name that merely contains "wordpad.exe" would also silence the alert, and the check only proves that some process with that image name exists, not that it is the expected binary or that it is healthy. Now we just need to save these changes and restart the manager for them to be applied, running the "ossec-control restart" command.
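As an added example (not part of the original post), here is how the same chain extends to more than one critical process: each process gets one rule that is a child of the previous one, every rule except the last is level 7, and only the last rule in the chain is level 0. The second process name, notepad.exe, and the rule id 100052 are assumptions for illustration; `<match>` is still a substring test, and the parent rule keys on the exact command string from `<command>`.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example, not from the original post).
     Chain for two critical processes: wordpad.exe and notepad.exe (assumed).
     OSSEC evaluates child rules after the parent matches and keeps the deepest
     rule that matched, so a level 7 rule fires only when its child does not
     match, i.e. when the next process name is absent from the tasklist output.
     The chain reports the first missing process it finds. -->
<group name="local,syslog,">

  <!-- Parent: every 'tasklist' output event from rule 530. Fires at level 7
       unless a child matches, which requires wordpad.exe to be present. -->
  <rule id="100050" level="7">
    <if_sid>530</if_sid>
    <match>^ossec: output: 'tasklist'</match>
    <description>Critical process wordpad.exe not found.</description>
    <group>process_monitor,</group>
  </rule>

  <!-- wordpad.exe is present. Still level 7: this rule stands unless its own
       child confirms the next process, notepad.exe. -->
  <rule id="100051" level="7">
    <if_sid>100050</if_sid>
    <match>wordpad.exe</match>
    <description>Critical process notepad.exe not found (wordpad.exe is running).</description>
    <group>process_monitor,</group>
  </rule>

  <!-- Both names present: level 0 suppresses the alert. To monitor a third
       process, turn this rule into a level 7 "third process not found" rule
       and add a new level 0 rule with if_sid 100052 that matches its name. -->
  <rule id="100052" level="0">
    <if_sid>100051</if_sid>
    <match>notepad.exe</match>
    <description>All critical processes running as expected.</description>
    <group>process_monitor,</group>
  </rule>

</group>
```

Because each step is a positive substring match, the chain never needs a negated match: absence is expressed by the child failing to match, which is exactly the mechanism the two-rule version above relies on.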
4.- Testing our configuration
In order to test the configuration it is good to enable the OSSEC "logall" option (`<logall>yes</logall>` in the `<global>` section of the manager's ossec.conf), so we can see the output of tasklist in archives.log every time it is executed. See below an example (I cut some lines for brevity).

    2015 Aug 07 18:38:03 (vpc-agent-windows) 10.0.0.124->tasklist ossec: output: 'tasklist':
    Image Name                     PID Session Name        Session#    Mem Usage
    ========================= ======== ================ =========== ============
    System Idle Process              0 Services                   0          4 K
    System                           4 Services                   0        284 K
    smss.exe                       328 Services                   0      1,060 K
    csrss.exe                      484 Services                   0      3,584 K
    ...
    ...
    ...
    notepad.exe                   1596 RDP-Tcp#37                 2     14,500 K
    win32ui.exe                    828 RDP-Tcp#37                 2      6,088 K
    ossec-agent.exe               3060 Services                   0      5,576 K
    notepad.exe                   2276 RDP-Tcp#37                 2     12,076 K
    wordpad.exe                    368 RDP-Tcp#37                 2     27,780 K
    cmd.exe                        780 Services                   0      2,692 K
    conhost.exe                   1304 Services                   0      3,044 K
    tasklist.exe                  1692 Services                   0      5,668 K
And once the wordpad.exe process is stopped, an alert like this is triggered as expected. We can see it in the "/var/ossec/logs/alerts/alerts.log" file:

    ** Alert 1438997816.32112781: mail - local,syslog,process_monitor,
    2015 Aug 07 18:36:56 (vpc-agent-windows) 10.0.0.124->tasklist
    Rule: 100050 (level 7) -> 'Critical process not found.'
    ossec: output: 'tasklist':
    Image Name                     PID Session Name        Session#    Mem Usage
    ========================= ======== ================ =========== ============
    System Idle Process              0 Services                   0          4 K
    System                           4 Services                   0        284 K
    smss.exe                       328 Services                   0      1,060 K
    csrss.exe                      484 Services                   0      3,584 K
    ...
    ...
Of course, using the email alert option together with the above configuration, you can automatically be notified when one of your critical processes stops running. And that is all. I hope you enjoyed the tutorial and found it useful.
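An added example (not from the original post) of the manager-side settings that go with the rule above. The `<alerts>` threshold decides which levels are mailed; a level 7 process rule with email_alert_level set to 7 would also mail every other level 7 rule in the rule set, so the example raises the global threshold and opts the process rule in explicitly with the `<options>alert_by_email</options>` rule option. The addresses, the SMTP host and the hourly cap are placeholders chosen for illustration.

```xml
<!-- /var/ossec/etc/ossec.conf on the manager (added example, not from the
     original post). Addresses, SMTP host and the mail cap are placeholders. -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>oncall@example.com</email_to>
    <smtp_server>smtp.example.com</smtp_server>
    <email_from>ossec@manager.example.com</email_from>
    <!-- Hard cap on outgoing mail: a rule that fires on every 60-second run
         cannot flood the inbox while a process stays down. -->
    <email_maxperhour>6</email_maxperhour>
    <!-- Testing only: write every received event, including the raw
         tasklist output, to archives.log. Remove it once the rules work. -->
    <logall>yes</logall>
  </global>

  <alerts>
    <!-- Level 1 and up go to alerts.log ... -->
    <log_alert_level>1</log_alert_level>
    <!-- ... but only level 10 and up are mailed by default. -->
    <email_alert_level>10</email_alert_level>
  </alerts>
</ossec_config>

<!-- /var/ossec/rules/local_rules.xml: the rule from step 3 with one added
     option, so it is mailed even though its level is below the threshold. -->
<rule id="100050" level="7">
  <if_sid>530</if_sid>
  <match>^ossec: output: 'tasklist'</match>
  <options>alert_by_email</options>
  <description>Critical process not found.</description>
  <group>process_monitor,</group>
</rule>
```

The two fragments live in different files and are shown together only for reading; the rule still needs its `<group>` wrapper and a manager restart, as in step 3.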
Hi, thanks a lot for a very nice article.

But can you please tell how we can check the output immediately, i.e. the list of running processes?

With the "logall" option enabled you should be able to see it in archives.log.
Hello, all is working fine but my mail is flooding with the list of running processes. OSSEC sends me a mail with tasklist every 1-3 minutes:

    OSSEC HIDS Notification.
    2015 Dec 01 23:07:48
    Received From: (Win7eng) xxx.xxx.xxx.xxx->tasklist
    Rule: 100050 fired (level 7) -> "Critical process not found."
    Portion of the log(s):
    ossec: output: 'tasklist':
    Image Name                     PID Session Name        Session#    Mem Usage
    ========================= ======== ================ =========== ============
    System Idle Process              0 Services                   0         24 K
    System                           4 Services                   0      1,232 K
    smss.exe                       264 Services                   0        872 K
    csrss.exe                      352 Services                   0      3,740 K
    wininit.exe                    412 Services                   0      3,252 K
    services.exe                   508 Services                   0      7,180 K
    lsass.exe                      516 Services                   0      8,084 K
    lsm.exe                        524 Services                   0      3,328 K
    svchost.exe                    624 Services                   0      7,544 K
    vmacthlp.exe                   688 Services                   0      3,288 K
    svchost.exe                    732 Services                   0      6,200 K
    svchost.exe                    824 Services                   0     14,436 K
    svchost.exe                    856 Services                   0      8,216 K
    svchost.exe                    880 Services                   0       28,680
    --END OF NOTIFICATION

Check the email_alert_level option in your ossec.conf file. I would actually suggest disabling email alerts completely and enabling them on the rules you want/need.
I need some custom local rules and some active response scripts. Is it possible to configure separate log files for different client servers?

Need some rules which will automatically block an IP if some malicious activity happens on the server.

Not sure I understood the question. If you mean to run different active responses on different servers, you can use the "agent_id" option as specified in the documentation.

Thanks for the reply. I want to know how to configure OSSEC rules. There are 60 or more rules in the location /var/ossec/rules. How can we configure active response for the rule we want? Please help me.

I think this might be what you are looking for. Check further down in the document, they have some scripts that do just that.
https://www.sans.org/reading-room/whitepapers/detection/practical-ossec-33699

Can we add some customized rules in the location /var/ossec/rules as test_rules.xml? I mentioned test_rules.xml in the config file and it didn't work. Can you please check the possibilities of the above, i.e. whether it is possible to add a file like that?

Yes, that is possible and should work. Did you also create new decoders? If you have further questions please join our mailing lists at wazuh@googlegroups.com or ossec-list@googlegroups.com

1) Is it possible to configure separate log files for each client server?
2) How can we configure different OSSEC rules for clients?
3) Could you please provide us with the configuration of the client server in ossec.conf?

Answering the questions above.
1) No, although you might be able to script it.
2) The best way of doing this is using the shared/agent.conf file.
3) Sorry, it was posted a long time ago and I don't have it. In any case, all relevant configuration settings are described in the post. Everything else was out-of-the-box.
Thanks Santiago for your valuable answers. I still have some doubts regarding OSSEC. While trying to configure syscheck I mentioned as follows:
----------------------------------
/var/www/vhosts/*/httpdocs
------------------------------------
After restarting OSSEC I got the following error:
----------------------------
2016/02/08 20:30:49 ossec-config(1121): ERROR: Glob error. Invalid pattern: '/var/www/vhosts/*/httpdocs'.
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
--------------------------------------
And one more doubt: after configuring the agent on the client server, how can we check what we configured? I mean ENTER for the integrity check daemon, ENTER for rootkit detection, what we typed (yes or no) for the options. How can we review the agent configuration?

As mentioned in the error message, the glob format is not supported for Syscheck. You can actually use some regular expression functionality to achieve similar results. See examples here:
http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/#configuration-examples
This is great! Thanks Santiago!

Thanks Santiago!! I need to configure OSSEC to get email alerts for multiple levels.
---------------------
other_admin@example.com
12
-------------------
I need email alerts for the levels 10, 11, 12, 13, 14, 15.
Is it possible? I am waiting for your response.

Do you have any tips for integrating OSSEC with Suricata or Snort?
So I changed the rules to check if the service Windows Event Log is up, but it seems I have a syntax mistake.

    <if_sid>530</if_sid>
    <match>^ossec: output: 'net start'</match>
    <description>Process not found.</description>
    <group>process_monitor,</group>

    <if_sid>100050</if_sid>
    <match>Windows Event Log</match>
    <description>Process running</description>
    <group>process_monitor,</group>

My question would be: when you configured this line, ^ossec: output: 'tasklist', is tasklist there because of the command you used or because it appears at the end of the output?
I used the command net stat to check if the service is up.
It could also be my mistake but I don't recognize it.
Here are the rules: https://drive.google.com/file/d/0ByNzgcE45eEjRDZBckxneWloVTQ/view?usp=sharing
Can't paste them here.

Thanks for your tutorial.

I have implemented this config in our OSSEC, but when I launch a program, let's say "Windows PowerShell", why does this program not show in the tasklist output?

Hi, is it possible to display the output results on the Discover page instead of in archives.log?

I have a question about what information the wordpad.exe file contains, where I can find it or how I can create it. After I have the wordpad.exe file, will this file be stored on the OSSEC agent (Windows) or on the OSSEC server, and where on each of the two? Please help me.
If I want to monitor two processes, then what would be the configuration?