Category Archives: windows

Compiling the Windows Agent from a Linux system

It has always been a pain to generate snapshots for Windows because it required me to open up my Windows VM (slow), push the code there, compile, etc. Well, until this week, when I started to play with MinGW cross-compilation …

OSSEC being detected as a malware

Some anti-virus products (BitDefender, F-Secure, etc.) are detecting version 1.6.1 of the OSSEC Windows Agent as malware (more specifically Generic.Qhost). We tried contacting some of them without much success. If you get any warning like that, it is …

Active response on Windows

Another big feature that we never got around to implementing until now. For version 1.6, OSSEC will come with the route-null.cmd script to block an IP address on Windows by modifying the route to it. To get started, you will …

Windows policy monitoring

OSSEC v1.3 will come with support for Windows policy monitoring, allowing you to verify that all your systems conform to a set of policies regarding configuration settings, application usage, etc. They are configured centrally on the OSSEC server and pushed …

Control UI for the Windows agent

The next version of OSSEC for Windows will come with a very simple “control UI” to manage and configure some basic options in the Windows agent (such as the server IP, auth keys, etc.). The code is pretty much stable, but I …

How to compile ossec on Windows?

It is not the first time I have been asked that, so I decided to write it up here in case anyone else is interested. First of all, OSSEC is compiled using MinGW, so we have only used it with gcc. …

Multiple 577 entries in the eventlog (from Windows)

I was monitoring the Windows logs from a client network and noticed that a few boxes were constantly generating audit failure 577 events: WinEvtLog: Security: AUDIT_FAILURE(577): Security: xxx: XX-HQ: YY-HQ: Privileged Service Called: Server: Security Primary User Name: abc …

Windows registry monitoring (syscheckd)

I just completed adding support for monitoring the Windows registry in OSSEC. It seems to be fairly stable right now, and hopefully a beta version will be available soon (lots of tests will be required). The configuration will have the …
