Hi Michael,

I completely agree with you. My goal is to create application profiles and a list of really important files to monitor (especially on Windows). If anyone has a list of directories or files related to auto run, important configs and files that don't change very often, please share.

We need to move the integrity checking to be more target based for it to still be useful (especially on Windows systems).

Btw, how are most people here using Windows integrity checking?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Mon, Apr 13, 2009 at 8:45 PM, Michael Starks <ossec-l...@michaelstarks.com> wrote:
>
> Daniel Cid wrote:
>> Hi List,
>>
>> We are trying to make syscheck (integrity checking) more useful than
>> what it is now and we are looking for contributions to create application profiles.
>>
>> What we are looking for exactly is a list of files/directories per
>> application to be added to ossec.
>
> I think this is a great idea, but I would also encourage us to look at
> the current Windows syscheck policy. I think it's a bit too verbose to
> be useful. Maybe we should consider alerting on only the really
> important stuff, such as changes to the run key, and just storing the
> other alerts. I know this has the potential to miss stuff, but when the
> human element is factored in we have to consider the brain doing its
> own auto-ignore of too many events.
>
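The profile-driven triage the thread is asking for (alert only on autorun locations, store everything else), as an added illustration that is not OSSEC's own code: the profile entries, paths and snapshot contents below are constructed sample values, and monitored content is passed in as plain dicts so the logic runs anywhere without touching a real registry.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ProfileEntry:
    path: str    # file path or registry key, as the agent would report it
    alert: bool  # True: page a human; False: store the event silently


# Constructed sample locations (not a complete autorun list).
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUNONCE_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
HOSTS = r"C:\Windows\System32\drivers\etc\hosts"
WIN_INI = r"C:\Windows\win.ini"

# Application profiles: autorun locations alert, noisier config only stores.
PROFILES = {
    "windows-autorun": [
        ProfileEntry(RUN_KEY, alert=True),
        ProfileEntry(RUNONCE_KEY, alert=True),
        ProfileEntry(HOSTS, alert=True),
    ],
    "windows-config": [
        ProfileEntry(WIN_INI, alert=False),
    ],
}


def baseline(snapshot):
    """Map each monitored path to a SHA-256 of its content (None if absent)."""
    return {path: (hashlib.sha256(content).hexdigest() if content is not None else None)
            for path, content in snapshot.items()}


def triage(old, new, profiles=PROFILES):
    """Compare two baselines; return (alerts, stored) lists of (app, path, change).

    A path missing from a baseline counts as absent, so removal of a
    monitored key or file is reported as 'deleted'."""
    alerts, stored = [], []
    for app, entries in profiles.items():
        for entry in entries:
            before, after = old.get(entry.path), new.get(entry.path)
            if before == after:
                continue  # unchanged: nothing to report
            change = ("added" if before is None else
                      "deleted" if after is None else "modified")
            (alerts if entry.alert else stored).append((app, entry.path, change))
    return alerts, stored
```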