Daniel Cid / ossec-hids / Issue #1 (open)

Windows Command Output not in Alert

mstarks01
created an issue

Alert information for command output in Windows sometimes does not make it into the actual mail notification, but is in the alerts.log. Here's an example of one that doesn't work:

<localfile>
  <log_format>full_command</log_format>
  <command>%WINDIR%\system32\reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s | %WINDIR%\system32\findstr.exe /BV "! REG.EXE"</command>
  <alias>Windows Registry Run Key</alias>
</localfile>

<rule id="100028" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'Windows Registry Run Key'</match>
  <check_diff />
  <description>Windows Registry Run Key Changed</description>
</rule>

Comments (7)

  1. mstarks01 reporter

    This is one that I think exhibited the problem before. If it doesn't help, I can try to reproduce it again:

    Alert 1286203256.96529: mail - local
    2010 Oct 04 09:40:56 (hostname) 0.0.0.0->Windows Registry Run Key
    Rule: 100028 (level 7) -> 'Windows Registry Run Key Changed'
    Src IP: (none)
    User: (none)
    ossec: output: 'Windows Registry Run Key':

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        avgnt    REG_SZ    "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
        Cobian Backup 9 interface    REG_SZ    "C:\Program Files\Cobian Backup 9\cbInterface.exe" -service
        AppleSyncNotifier    REG_SZ    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
        SunJavaUpdateSched    REG_SZ    "C:\Program Files\Java\jre6\bin\jusched.exe"
        QuickTime Task    REG_SZ    "C:\Program Files\QuickTime\qttask.exe" -atboottime
        iTunesHelper    REG_SZ    "C:\Program Files\iTunes\iTunesHelper.exe"
        Rxufo    REG_SZ    rundll32.exe "C:\WINDOWS\ajuvozuj.dll",Startup
    Previous output:
    ossec: output: 'Windows Registry Run Key':

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        avgnt    REG_SZ    "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
        Cobian Backup 9 interface    REG_SZ    "C:\Program Files\Cobian Backup 9\cbInterface.exe" -service
        AppleSyncNotifier    REG_SZ    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
        SunJavaUpdateSched    REG_SZ    "C:\Program Files\Java\jre6\bin\jusched.exe"
        QuickTime Task    REG_SZ    "C:\Program Files\QuickTime\QTTask.exe" -atboottime
        iTunesHelper    REG_SZ    "C:\Program Files\iTunes\iTunesHelper.exe"

  2. Daniel Cid repo owner

    Ah, bitbucket messed up the formatting. I know we set the limit to 10 lines in the email alerts... Was it bigger than that? Can you put it on pastebin?

  3. mstarks01 reporter

    Just an interesting data point... this line actually indicated an infection that the AV did not catch (which proved the usefulness of the alert and getting the info in the email):

    Rxufo REG_SZ rundll32.exe "C:\WINDOWS\ajuvozuj.dll",Startup

  4. mstarks01 reporter

    More a note for myself than anything, I suppose. I narrowed down the issue. It happens when there is a blank line after ossec: output: 'foobar':. When the line is deleted and the alert is replayed to alerts.log, it works.

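To make the check_diff payload in these alerts usable outside the truncated mail, here is an added Python example (not OSSEC's own code) that splits a current/previous output pair in the form shown in mstarks01's alert, tolerates the blank line after the ossec: output: header that comment 4 identifies as the trigger, and reports which Run-key entries were added or removed. The sample alert is a shortened, constructed copy of the one above, with reg.exe's multi-space column padding assumed.

```python
import re

# Constructed sample modelled on the alert in this issue: current reg.exe
# output, the blank line after the header, then the previous output.
SAMPLE_ALERT = (
    "ossec: output: 'Windows Registry Run Key':\n"
    "\n"
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    '    avgnt    REG_SZ    "C:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe" /min\n'
    '    Cobian Backup 9 interface    REG_SZ    "C:\\Program Files\\Cobian Backup 9\\cbInterface.exe" -service\n'
    '    Rxufo    REG_SZ    rundll32.exe "C:\\WINDOWS\\ajuvozuj.dll",Startup\n'
    "Previous output:\n"
    "ossec: output: 'Windows Registry Run Key':\n"
    "\n"
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    '    avgnt    REG_SZ    "C:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe" /min\n'
    '    Cobian Backup 9 interface    REG_SZ    "C:\\Program Files\\Cobian Backup 9\\cbInterface.exe" -service\n'
)

# Header line that opens each output; it only ever sits at the start of a half.
HEADER_RE = re.compile(r"^ossec: output: '[^']*':\n")

def parse_reg_output(block):
    """Turn 'reg query /s' text into {(key, value_name): (type, data)}.
    Value names may contain single spaces, so fields are split on runs of
    two or more spaces, which is how reg.exe pads its columns (assumed)."""
    entries, key = {}, None
    for line in block.splitlines():
        if not line.strip():
            continue                      # blank lines carry no data
        if not line.startswith(" "):
            key = line.strip()            # an unindented line is a key path
            continue
        fields = re.split(r" {2,}", line.strip(), maxsplit=2)
        if key is not None and len(fields) == 3:
            entries[(key, fields[0])] = (fields[1], fields[2])
    return entries

def split_outputs(alert_text):
    """Return (current, previous) output text with the headers removed;
    the blank line after each header is left for parse_reg_output to skip."""
    halves = alert_text.split("Previous output:\n", 1) + [""]
    return tuple(HEADER_RE.sub("", half, count=1) for half in halves[:2])

def run_key_changes(alert_text):
    """Return (added, removed): Run-key entries that differ between outputs."""
    current, previous = split_outputs(alert_text)
    cur, prev = parse_reg_output(current), parse_reg_output(previous)
    added = {k: v for k, v in cur.items() if prev.get(k) != v}
    removed = {k: v for k, v in prev.items() if cur.get(k) != v}
    return added, removed
```

Running run_key_changes(SAMPLE_ALERT) isolates the single new Rxufo entry, which is the line comment 3 singles out as the actual infection indicator.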