
Showing posts from March, 2017

Experience in folder monitoring with OSSEC

Today I had some work related to folder monitoring. For my solution I selected OSSEC with ELK. I spent 5 hours troubleshooting OSSEC. :)) This is the first time I have configured it.
You can use syscheck for folder monitoring. References: http://ossec-docs.readthedocs.io/en/latest/faq/syscheck.html and http://ossec-docs.readthedocs.io/en/latest/manual/syscheck/
To monitor file edits and deletions you can use syscheck with realtime monitoring.
But to monitor files being added, you need to:
Add a rule to local_rules.xml
Edit ossec.conf:

The main problem is that you must edit ossec.conf on the server (in my case Wazuh), not on the Windows client. The second problem is that after a file's integrity changes more than 3 times, OSSEC disables the alert for it. You must set auto_ignore to no in syscheck (on the server). This is my result:
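As an added example (not from the original post), here is what the fragments described above can look like for a Windows agent reporting to an OSSEC/Wazuh server. Rule 554 is OSSEC's stock "File added to the system" rule, which ships at level 0 and therefore never alerts until it is overridden in local_rules.xml; alert_new_files and auto_ignore are options that only take effect on the server side, which is why editing the Windows client alone does not help. The directory path C:\monitored is a placeholder assumption.

```xml
<!-- Added example, not code from the original post. -->

<!-- 1) On the Windows agent (its own ossec.conf, or centralized agent.conf):
        which directory to watch. realtime="yes" reports edits and deletions
        as they happen instead of waiting for the next scheduled scan.
        C:\monitored is a placeholder path. -->
<syscheck>
  <directories check_all="yes" realtime="yes">C:\monitored</directories>
</syscheck>

<!-- 2) On the SERVER ossec.conf: these two options are processed by the
        server and are silently ignored if set only on the agent. -->
<syscheck>
  <!-- report newly created files (still needs rule 554 below to alert) -->
  <alert_new_files>yes</alert_new_files>
  <!-- keep alerting after a file has changed more than 3 times -->
  <auto_ignore>no</auto_ignore>
</syscheck>

<!-- 3) On the SERVER local_rules.xml: raise stock rule 554 from level 0
        so that "File added" events actually produce an alert. -->
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

After changing the server-side files, restart the OSSEC/Wazuh manager and create a test file in the watched directory; the level 7 alert for rule 554 should then appear in alerts.log (and in ELK if the log is shipped there).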
Thanks for reading
--------------------------------------------------------------------------
Security Research
SecurityLab - Linux Lab -- Window and Cisco Lab
to be continued -…