The Windows event log
As an introduction to Windows event logging I recommend reading the following article: Monitoring and Troubleshooting Using Event Logs. It’s the first interesting one I’ve found after googling for an introduction.
Quoting the article (it also talks about EventCombMT.exe, which we’ll mention later):
This article reviews best practices for working with Windows event logs including how to interpret event messages, how to configure event logs, how to search and filter events, how to view events on remote systems, and how to use EventCombMT.exe and other tools to monitor events on multiple systems.
In summary, Windows hosts by default log events into three local log “facilities”: Application, Security and System.
The main problem with Windows event logs is that there’s no easy way to forward them to a central Unix logging location. There are two ways (that I’m aware of) of getting those logs to OSSIM:
- Using agents (ossec, ntsyslog, snare)
- Agentless (I had heard/thought about it but only recently started researching how to do this easily). More info below.
For this tutorial we’ll assume OSSIM being installed using the installer on 192.168.1.56.
First thing you should do is to download the snare installer, ossec installer and .reg files. Go to Tools->Downloads as seen here:
(Image removed, broken link, I’m very sorry. DK.)
Note: If you don’t have the ossec installer don’t worry, it will be included in future ossim releases.
Installer 1.0.4 will include OSSEC and I’ll extend this tutorial once it’s released, since OSSEC offers many advantages over Snare. But for now we’ll continue using Snare for a bit.
- Click on your snare installer.
- Choose normal installation.
- Decide whether you want Snare to take over your audit configuration or not. If you haven’t changed anything in your audit configuration this might be a good idea.
- Choose localhost configuration only; later on you’ll be able to change your password.
- Warning: due to a DOS/Unix line-ending incompatibility the current .reg files are broken. My apologies for the inconvenience. I just tried to convert them and use them, but regedit complains about them not being in the right format. Guess I’ll have to “dos2unix” them, replace the IP, and “unix2dos” them back.
- Since the .reg won’t work without modification, open it using Notepad, look for the line that says ‘“Destination”=“127.0.0.1”’ and change the IP to your OSSIM’s IP.
- Double click on the .reg file in order to import it.
- Launch a command shell and bounce snare: “net stop snare”, “net start snare”.
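The two .reg problems above (Unix line endings that regedit rejects, and a “Destination” value still pointing at 127.0.0.1) can be fixed in one go with a small script instead of the dos2unix/Notepad/unix2dos round trip. The following is an added example, not code from this tutorial, Snare or OSSIM; the sample .reg content is constructed (only the “Destination” line and the two registry keys appear in the tutorial), and the OSSIM address 192.168.1.56 is the one assumed throughout this tutorial.

```python
"""Fix a Snare .reg file: CRLF line endings plus the OSSIM server IP.

Added example, not part of the tutorial or the Snare/OSSIM projects.
"""
import ipaddress
import re

# Constructed sample: a minimal Snare .reg with Unix (LF) line endings, i.e. the
# broken state the tutorial describes. Key paths follow the tutorial's checklist.
SAMPLE_REG = (
    'Windows Registry Editor Version 5.00\n'
    '\n'
    '[HKEY_LOCAL_MACHINE\\SOFTWARE\\InterSect Alliance\\AuditService\\Network]\n'
    '"Destination"="127.0.0.1"\n'
    '\n'
    '[HKEY_LOCAL_MACHINE\\SOFTWARE\\InterSect Alliance\\AuditService\\Config]\n'
    '"Delimiter"=";"\n'
)

DEST_RE = re.compile(r'^("Destination"=)"[^"]*"$')
NETWORK_KEY_SUFFIX = '\\auditservice\\network]'


def has_unix_line_endings(text):
    """True if any line ends in a bare LF (what makes regedit reject the file)."""
    return bool(re.search(r'(?<!\r)\n', text))


def fix_reg(text, ossim_ip):
    """Return the .reg content with CRLF endings and Destination set to ossim_ip.

    Only the Destination value inside the AuditService\\Network key is touched,
    so a same-named value under another key is left alone. Raises ValueError
    for a bad IP or if exactly one Destination line was not found.
    """
    ipaddress.IPv4Address(ossim_ip)          # raises ValueError on garbage input
    # Normalise to LF first (the file may be mixed), then re-emit as CRLF.
    lines = text.replace('\r\n', '\n').replace('\r', '\n').split('\n')
    out, in_network, replaced = [], False, 0
    for line in lines:
        if line.startswith('['):
            in_network = line.rstrip().lower().endswith(NETWORK_KEY_SUFFIX)
        elif in_network:
            m = DEST_RE.match(line.strip())
            if m:
                line = m.group(1) + '"%s"' % ossim_ip
                replaced += 1
        out.append(line)
    if replaced != 1:
        raise ValueError('expected one Destination value under Network, found %d' % replaced)
    return '\r\n'.join(out)


def fix_reg_file(src_path, dst_path, ossim_ip):
    """Rewrite src_path into dst_path. Assumes an ANSI (non-UTF-16) .reg file."""
    with open(src_path, newline='') as f:          # newline='' keeps endings as-is
        fixed = fix_reg(f.read(), ossim_ip)
    with open(dst_path, 'w', newline='') as f:      # and writes our CRLFs untouched
        f.write(fixed)
    return fixed


if __name__ == '__main__':
    print(fix_reg(SAMPLE_REG, '192.168.1.56'))
```

After writing the fixed file, import it with a double click (or `regedit /s snare.reg`) and bounce the service as in the last step above. If your .reg export is Unicode (UTF-16, as regedit 5.00 exports are), open the files with `encoding='utf-16'` in `fix_reg_file`; the string handling in `fix_reg` is the same.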
You should start receiving events from now on. More on how to check this in the next section.
At a recent presentation of a commercial SIM, they repeated a couple of times how “agentless” they were, stating that they collected Windows events without needing to install anything.
Another interesting option seems to be Microsoft PowerShell. Its syntax is ugly as hell but it might do the job: Sample POSH event retrieval.
Once they’ve been read and normalized by the agent, Windows events are treated like all other events. They get:
- Shown on the realtime event viewer
- Fed into Acid/Base
- Shown on the event viewer
The first thing you can do to verify everything’s up and running is to check the realtime event viewer. Keep in mind that events might be arriving but not showing; look at the “skipped” column:
(Image removed, broken link, I’m very sorry. DK.)
The installer image comes with a plugin group for snare and a windows event tab pre-configured: (Image removed, broken link, I’m very sorry. DK.)
What to do next?
- Correlate out of hour logins to your network.
- Correlate pendrive inserts followed by large amounts of file copying: (Image removed, broken link, I’m very sorry. DK.)
Dec 19 07:00:19 192.168.1.34 ^A MSWinEventLog;4;System;25;Wed Dec 19 16:23:13 2007;134;Removable Storage Service;Unknown User;N/A;Information;^A;N/A;;Received a device interface ARRIVAL notification for device: (USB Mass Storage Device);1
Dec 19 07:00:19 192.168.1.34 ^A MSWinEventLog;4;System;26;Wed Dec 19 16:23:13 2007;134;Removable Storage Service;Unknown User;N/A;Information;^A;N/A;;Received a device interface ARRIVAL notification for device: (PB EASY STORE USB Device);2
- Correlate service starts/stops.
- Correlate user adds/removals/etc…
Snare can be easily distributed to a wide range of hosts in a semi-automatic way. Check the documentation section at the Snare homepage.
- Check for running snare plugin: (Image removed, broken link, I’m very sorry. DK.)
- Run tail -f /var/log/syslog (which is where events should arrive by default) and check for events like this:
Dec 19 03:20:06 192.168.1.34 ^A MSWinEventLog;1;Application;2;Wed Dec 19 12:43:05 2007;105;SNARE; Unknown User;N/A;Information;NIL-MESA;None;;The service was started. ;1
Dec 19 03:21:01 192.168.1.34 ^A MSWinEventLog;0;Security;3;Wed Dec 19 12:44:00 2007;592;Security; Pruebas Antivirus;User;Success Audit;NIL-MESA;Detailed Tracking;;A new process has been created: ^I New Process ID:^I1724 ^IImage File Name:^I\WINNT\system32\cmd.exe ^ICreator Process ID:^I2744 ^I User Name:^IPruebas Antivirus ^IDomain:^I^INIL-MESA ^ILogon ID:^I^I(0x0,0x108EA) ;0
- Check /etc/ossim/agent/plugins/snare.cfg and see if location is pointing at /var/log/syslog.
- Check [HKEY_LOCAL_MACHINE\SOFTWARE\InterSect Alliance\AuditService\Network\Destination] for your server’s IP.
- Check [HKEY_LOCAL_MACHINE\SOFTWARE\InterSect Alliance\AuditService\Config\Delimiter], it has to be set to ‘;’.
- Bounce snare (net stop snare, net start snare).
- Check logfiles (grep -i mswineventlog /var/log/ossim/*).
- Request help on forums/mailing lists.
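Both the “what to do next” correlations above and the “check for events like this” step of this checklist need the same thing: a parser for the Snare lines that land in /var/log/syslog. The following added example (not code from this tutorial, OSSIM or Snare) parses the 15 ‘;’-separated fields visible in the tutorial’s sample lines, counts lines that fail to parse (which is what you see when the Delimiter value is still a tab instead of ‘;’), and runs two of the suggested correlations: out-of-hours logons and a removable-device ARRIVAL followed by activity on the same host. Assumptions not in the tutorial: event ID 528 is used for a successful logon (the classic Windows 2000/XP/2003 Security log ID), “file copying” is approximated by the process-creation event 592 the tutorial shows (copying itself only leaves Security events when object-access auditing is on), and the sample lines, user names and the tab-delimited line are constructed, reusing the tutorial’s host NIL-MESA and relay 192.168.1.34.

```python
"""Parse Snare MSWinEventLog syslog lines and correlate them.

Added example, not code from the tutorial, OSSIM or Snare.
"""
import re
from datetime import datetime, timedelta

SYSLOG_HEADER = re.compile(r'^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+)')
SNARE_TAG = 'MSWinEventLog;'
# Field layout as seen in the tutorial's sample lines (15 fields).
FIELD_NAMES = ('tag', 'criticality', 'log', 'counter', 'time', 'event_id',
               'source', 'user', 'sid_type', 'type', 'host', 'category',
               'data', 'message', 'count')
LOGON_EVENT = 528          # assumption: classic "Successful Logon" ID, not in the tutorial
USB_ARRIVAL_EVENT = 134    # "Removable Storage Service" ARRIVAL, from the tutorial's sample
PROCESS_CREATED_EVENT = 592  # "A new process has been created", from the tutorial's sample


def parse_snare_line(line):
    """Return a dict of Snare fields, or None if this is not a ';'-delimited Snare event."""
    pos = line.find(SNARE_TAG)
    if pos < 0:
        return None
    fields = line[pos:].split(';')
    if len(fields) < len(FIELD_NAMES):
        return None                      # e.g. Delimiter set to TAB, or a truncated line
    # The free-text message may itself contain ';' (the tutorial warns the regex is not
    # perfect), so re-join everything between the fixed fields and the trailing count.
    fixed = fields[:13] + [';'.join(fields[13:-1]), fields[-1]]
    ev = dict(zip(FIELD_NAMES, (f.strip() for f in fixed)))
    header = SYSLOG_HEADER.match(line)
    ev['relay_ip'] = header.group(2) if header else None
    try:
        ev['time'] = datetime.strptime(ev['time'], '%a %b %d %H:%M:%S %Y')
        ev['event_id'] = int(ev['event_id'])
    except ValueError:
        return None
    return ev


def parse_syslog(lines):
    """Parse every Snare line; returns (events, rejected) so a wrong Delimiter shows up."""
    events, rejected = [], 0
    for line in lines:
        if 'MSWinEventLog' not in line:  # unrelated syslog traffic, skip silently
            continue
        ev = parse_snare_line(line)
        if ev is None:
            rejected += 1
        else:
            events.append(ev)
    return events, rejected


def out_of_hours_logons(events, day_start=7, day_end=20):
    """Successful logons (528, Success Audit) outside the [day_start, day_end) hours."""
    return [(ev['user'], ev['host'], ev['time']) for ev in events
            if ev['log'] == 'Security' and ev['event_id'] == LOGON_EVENT
            and ev['type'] == 'Success Audit'
            and not day_start <= ev['time'].hour < day_end]


def usb_followed_by_process(events, window_minutes=10):
    """Pair each removable-device ARRIVAL with process creations on the same host soon after."""
    window = timedelta(minutes=window_minutes)
    arrivals = [ev for ev in events
                if ev['event_id'] == USB_ARRIVAL_EVENT and 'ARRIVAL' in ev['message']]
    return [(usb['message'], ev['user'], ev['message'], ev['time'])
            for usb in arrivals for ev in events
            if ev['event_id'] == PROCESS_CREATED_EVENT and ev['host'] == usb['host']
            and usb['time'] <= ev['time'] <= usb['time'] + window]


# Constructed sample lines in the tutorial's format (event times are the agent's local
# time, which is why they differ from the syslog timestamp, as in the tutorial).
SAMPLE_SYSLOG = [
    'Dec 19 03:20:06 192.168.1.34 MSWinEventLog;1;Application;2;Wed Dec 19 12:43:05 2007;105;SNARE;Unknown User;N/A;Information;NIL-MESA;None;;The service was started. ;1',
    'Dec 19 13:02:11 192.168.1.34 MSWinEventLog;0;Security;7;Wed Dec 19 22:02:10 2007;528;Security;jdoe;User;Success Audit;NIL-MESA;Logon/Logoff;;Successful Logon: User Name: jdoe Domain: NIL-MESA Logon Type: 2;0',
    'Dec 19 07:00:19 192.168.1.34 MSWinEventLog;4;System;25;Wed Dec 19 16:23:13 2007;134;Removable Storage Service;Unknown User;N/A;Information;NIL-MESA;N/A;;Received a device interface ARRIVAL notification for device: (USB Mass Storage Device);1',
    'Dec 19 07:03:40 192.168.1.34 MSWinEventLog;0;Security;26;Wed Dec 19 16:26:33 2007;592;Security;jdoe;User;Success Audit;NIL-MESA;Detailed Tracking;;A new process has been created: Image File Name: \\WINNT\\system32\\cmd.exe; Creator Process ID: 2744;0',
    # Same agent with Delimiter left at TAB: this is what a misconfigured host sends.
    'Dec 19 07:05:00 192.168.1.34 MSWinEventLog\t0\tSecurity\t27\tWed Dec 19 16:28:00 2007\t528\tSecurity\tjdoe\tUser\tSuccess Audit\tNIL-MESA\tLogon/Logoff\t\tSuccessful Logon\t0',
]


def main(lines=SAMPLE_SYSLOG):
    events, rejected = parse_syslog(lines)
    print('parsed %d events, rejected %d (if > 0, check the Delimiter registry value)'
          % (len(events), rejected))
    for user, host, when in out_of_hours_logons(events):
        print('out-of-hours logon:', user, 'on', host, 'at', when)
    for usb, user, proc, when in usb_followed_by_process(events):
        print('USB arrival then process:', usb, '->', user, proc, when)


if __name__ == '__main__':
    main()
```

Run it against the real file with `main(open('/var/log/syslog'))` once events are flowing; a non-zero rejected count on a host that is clearly sending “MSWinEventLog” lines points straight at the Delimiter check above, and an empty event list points at the Destination or snare.cfg location checks.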
Windows log integration isn’t perfect by default. The regular expression matching the above lines isn’t perfect for every language/event type, so some events might just end up in the “generic” category.
OSSEC provides a bunch of nice features, but you can already do really nice things with Snare alone.
Attaching an md5sum to the received Windows logs would again help to be a bit more “compliant” with some regulations.