I'd like to suggest you take a look at the list of program launch points
catalogued by the Silent Runners team at
http://www.silentrunners.org/sr_launchpoints.html. Detecting programs
that hook themselves into windows startup routines could be very useful.

Thanks,
Rick McClinton


-----Original Message-----
From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Cid
Sent: Tuesday, January 02, 2007 9:31 PM
To: OSSEC Users List; [EMAIL PROTECTED]
Subject: [ossec-list] Registry monitoring on ossec (input request)
Importance: Low


Hello everyone,

I just completed adding support for monitoring the Windows registry on
ossec. It seems to be fairly stable right now and hopefully a beta version
will be available soon (lots of tests will be required).

The configuration will have the following options available: (inside
the syscheck area):

<windows_registry>HKEY_LOCAL_MACHINE,HKEY_LOCAL_MACHINE\Software,
HKEY_USERS\Example</windows_registry>

<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft</registry_ignore>

Where the first option is a list (comma separated) of registry entries
to monitor and the second is a list of entries to ignore.

A question now for you guys (Windows users):

-Which registry entries should we monitor by default?

I was thinking of everything at HKEY_LOCAL_MACHINE\SYSTEM,
HKEY_LOCAL_MACHINE\SECURITY and HKEY_LOCAL_MACHINE\SAM.

Is there anything else worth checking too? Please let me know your
comments...

*btw, next version (1.0) is coming soon...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
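
A fuller syscheck block combining the defaults Daniel proposes with the program launch points Rick points to, as an added example: this is not OSSEC's shipped configuration and was not posted by either of them. The tag names and the comma-separated list format are the ones described in the message above. Which launch-point keys to include is my own selection of well-known autostart locations (the Silent Runners page catalogues many more), and the registry_ignore entry is an illustrative high-churn key; both are assumptions, not anything the thread specifies.

```xml
<ossec_config>
  <syscheck>
    <!-- Hives Daniel suggests as defaults. Note that HKLM\SECURITY and
         HKLM\SAM are only readable by the SYSTEM account, so the agent
         must run as LocalSystem for these entries to produce anything. -->
    <windows_registry>HKEY_LOCAL_MACHINE\SYSTEM,
    HKEY_LOCAL_MACHINE\SECURITY,
    HKEY_LOCAL_MACHINE\SAM,
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce,
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon,
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows,
    HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command</windows_registry>
    <!-- The Run/RunOnce, Winlogon (Shell, Userinit), Windows (AppInit_DLLs)
         and exefile handler keys are a selection of the launch points Rick
         refers to; persistence tooling commonly writes to them. This list
         is an assumption for illustration, not a complete catalogue. -->

    <!-- Subtrees that change constantly during normal operation and would
         otherwise flood the alert stream. The prefetcher writes here on
         its own schedule; this is an illustrative choice. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters</registry_ignore>
  </syscheck>
</ossec_config>
```

Because HKEY_LOCAL_MACHINE\SYSTEM is listed as a whole, the Services subtree (where new drivers and services register themselves) is already covered; the ignore entry carves out one noisy key underneath it rather than the whole hive. Per-user launch points under HKEY_USERS would need their own entries, since the message's example monitors specific HKEY_USERS subkeys rather than every loaded user hive.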
