X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;ds=sidebyside;f=debian%2Fossec-hids%2Fvar%2Fossec%2Fetc%2Fshared%2Fwin_applications_rcl.txt;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Fetc%2Fshared%2Fwin_applications_rcl.txt;h=2bdb9851cdf3e0eb863bbf046fcbf4bc9941cce3;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hp=0000000000000000000000000000000000000000;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b;p=ossec-hids.git diff --git a/debian/ossec-hids/var/ossec/etc/shared/win_applications_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/win_applications_rcl.txt new file mode 100644 index 0000000..2bdb985 --- /dev/null +++ b/debian/ossec-hids/var/ossec/etc/shared/win_applications_rcl.txt @@ -0,0 +1,126 @@ +# OSSEC Linux Audit - (C) 2018 OSSEC Project +# +# Released under the same license as OSSEC. +# More details at the LICENSE file included with OSSEC or online +# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE +# +# [Application name] [any or all] [reference] +# type:; +# +# Type can be: +# - f (for file or directory) +# - r (registry entry) +# - p (process running) +# +# Additional values: +# For the registry and for directories, use "->" to look for a specific entry and another +# "->" to look for the value. +# Also, use " -> r:^\. -> ..." to search all files in a directory +# For files, use "->" to look for a specific value in the file. +# +# Values can be preceded by: =: (for equal) - default +# r: (for ossec regexes) +# >: (for strcmp greater) +# <: (for strcmp lower) +# Multiple patterns can be specified by using " && " between them. +# (All of them must match for it to return true). + +[Chat/IM/VoIP - Skype {PCI_DSS: 10.6.1}] [any] [] +f:\Program Files\Skype\Phone; +f:\Documents and Settings\All Users\Documents\My Skype Pictures; +f:\Documents and Settings\Skype; +f:\Documents and Settings\All Users\Start Menu\Programs\Skype; +r:HKLM\SOFTWARE\Skype; +r:HKEY_LOCAL_MACHINE\Software\Policies\Skype; +p:r:Skype.exe; + +[Chat/IM - Yahoo {PCI_DSS: 10.6.1}] [any] [] +f:\Documents and Settings\All Users\Start Menu\Programs\Yahoo! Messenger; +r:HKLM\SOFTWARE\Yahoo; + +[Chat/IM - ICQ {PCI_DSS: 10.6.1}] [any] [] +r:HKEY_CURRENT_USER\Software\Mirabilis\ICQ; + +[Chat/IM - AOL {PCI_DSS: 10.6.1}] [any] [http://www.aol.com] +r:HKEY_LOCAL_MACHINE\SOFTWARE\America Online\AOL Instant Messenger; +r:HKEY_CLASSES_ROOT\aim\shell\open\command; +r:HKEY_CLASSES_ROOT\AIM.Protocol; +r:HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-aim; +f:\Program Files\AIM95; +p:r:aim.exe; + +[Chat/IM - MSN {PCI_DSS: 10.6.1}] [any] [http://www.msn.com] +r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSNMessenger; +r:HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSNMessenger; +f:\Program Files\MSN Messenger; +f:\Program Files\Messenger; +p:r:msnmsgr.exe; + +[Chat/IM - ICQ {PCI_DSS: 10.6.1}] [any] [http://www.icq.com] +r:HKLM\SOFTWARE\Mirabilis\ICQ; + +[P2P - UTorrent {PCI_DSS: 10.6.1}] [any] [] +p:r:utorrent.exe; + +[P2P - LimeWire {PCI_DSS: 11.4}] [any] [] +r:HKEY_LOCAL_MACHINE\SOFTWARE\Limewire; +r:HKLM\software\microsoft\windows\currentversion\run -> limeshop; +f:\Program Files\limewire; +f:\Program Files\limeshop; + +[P2P/Adware - Kazaa {PCI_DSS: 11.4}] [any] [] +f:\Program Files\kazaa; +f:\Documents and Settings\All Users\Start Menu\Programs\kazaa; +f:\Documents and Settings\All Users\DESKTOP\Kazaa Media Desktop.lnk; +f:\Documents and Settings\All Users\DESKTOP\Kazaa Promotions.lnk; +f:%WINDIR%\System32\Cd_clint.dll; +r:HKEY_LOCAL_MACHINE\SOFTWARE\KAZAA; +r:HKEY_CURRENT_USER\SOFTWARE\KAZAA; +r:HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\KAZAA; + +# http://vil.nai.com/vil/content/v_135023.htm +[Adware - RxToolBar {PCI_DSS: 11.4}] [any] [http://vil.nai.com/vil/content/v_135023.htm] +r:HKEY_CURRENT_USER\Software\Infotechnics; +r:HKEY_CURRENT_USER\Software\Infotechnics\RX Toolbar; +r:HKEY_CURRENT_USER\Software\RX Toolbar; +r:HKEY_CLASSES_ROOT\BarInfoUrl.TBInfo; +r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RX Toolbar; +f:\Program Files\RXToolBar; + +# http://btfaq.com/serve/cache/18.html +[P2P - BitTorrent {PCI_DSS: 10.6.1}] [any] [http://btfaq.com/serve/cache/18.html] +f:\Program Files\BitTorrent; +r:HKEY_CLASSES_ROOT\.torrent; +r:HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-bittorrent; +r:HKEY_CLASSES_ROOT\bittorrent; +r:HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\BitTorrent; + +# http://www.gotomypc.com +[Remote Access - GoToMyPC {PCI_DSS: 10.6.1}] [any] [] +f:\Program Files\Citrix\GoToMyPC; +f:\Program Files\Citrix\GoToMyPC\g2svc.exe; +f:\Program Files\Citrix\GoToMyPC\g2comm.exe; +f:\Program Files\expertcity\GoToMyPC; +r:HKLM\software\microsoft\windows\currentversion\run -> gotomypc; +r:HKEY_LOCAL_MACHINE\software\citrix\gotomypc; +r:HKEY_LOCAL_MACHINE\system\currentcontrolset\services\gotomypc; +p:r:g2svc.exe; +p:r:g2pre.exe; + +[Spyware - Twain Tec Spyware {PCI_DSS: 11.4}] [any] [] +r:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TwaintecDll.TwaintecDllObj.1; +r:HKEY_LOCAL_MACHINE\SOFTWARE\twaintech; +f:%WINDIR%\twaintec.dll; + +# http://www.symantec.com/security_response/writeup.jsp?docid=2004-062611-4548-99&tabid=2 +[Spyware - SpyBuddy {PCI_DSS: 11.4}] [any] [] +f:\Program Files\ExploreAnywhere\SpyBuddy\sb32mon.exe; +f:\Program Files\ExploreAnywhere\SpyBuddy; +f:\Program Files\ExploreAnywhere; +f:%WINDIR%\System32\sysicept.dll; +r:HKEY_LOCAL_MACHINE\Software\ExploreAnywhere Software\SpyBuddy; + +[Spyware - InternetOptimizer {PCI_DSS: 11.4}] [any] [] +r:HKLM\SOFTWARE\Avenue Media; +r:HKEY_CLASSES_ROOT\\safesurfinghelper.iebho.1; +r:HKEY_CLASSES_ROOT\\safesurfinghelper.iebho;