[ossec-list] Re: Windows rootcheck

2007-11-04 Thread Will Marshall
Dennis Borkhus-Veto wrote: I have received the following error on a Win 2003 server with Exchange 2003; how should I go about checking this? rootcheck Rule: 510 fired (level 7) - Host-based anomaly detection event (rootcheck). Portion of the log(s): NTFS Alternate data stream found:

[ossec-list] Re: Windows rootcheck

2007-11-04 Thread Chris Buechler
On 11/3/07, Dennis Borkhus-Veto [EMAIL PROTECTED] wrote: I have received the following error on a Win 2003 server with Exchange 2003; how should I go about checking this? rootcheck Rule: 510 fired (level 7) - Host-based anomaly detection event (rootcheck). Portion of the log(s): NTFS

[ossec-list] Re: Windows rootcheck

2007-11-04 Thread Daniel Cid
Hi Chris, Thanks for the information. This is indeed a false positive and can easily be ignored by adding the following local rule: <rule id="100101" level="0"> <if_sid>510</if_sid> <match>^NTFS Alternate data stream found</match> <regex>Program Files/Exchsrvr/Mailroot/</regex> <description>Ignored

[ossec-list] Re: Possible bug in ossec-rootcheck on CentOS 5

2007-11-04 Thread Daniel Cid
Hi Peter, These are false positives for sure. I will make sure to fix it for the next version. Thanks for letting us know. *if you can, please open a bug about it at: http://www.ossec.net/bugs/ -- Daniel B. Cid dcid ( at ) ossec.net On Nov 3, 2007 11:09 AM, Peter M. Abraham [EMAIL PROTECTED]

[ossec-list] Re: Windows Audit

2007-11-04 Thread Daniel Cid
Hi Dennis, This is very easy to do with a local rule. You just need to match based on the policy you added and the agents you are interested in monitoring. Example: <rule id="100122" level="10"> <if_sid>512</if_sid> <match>My custom process check</match> <hostname>agent1|agent2|agent3</hostname>

[ossec-list] Re: v 1.4

2007-11-04 Thread Daniel Cid
Hi Herb, Every alert is sent to the database, including integrity checking events. A quick SQL query to get all files that were changed is (for PostgreSQL): SELECT to_timestamp(timestamp), rule_id, location.name, full_log FROM alert, location, data WHERE location.id = alert.location_id AND data.id =