Hi Chad,

I would suggest ignoring this directory on the ossec server. Just add an additional line to the syscheck ignore:

<ignore>C:\WINDOWS/system32/inetsrv/History</ignore>

It should solve it. For the next version, I will make sure it comes ignored by default...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/2/07, Chad Robertson <[EMAIL PROTECTED]> wrote:
> I didn't see a response for this.
>
> I'm having the same issue. Since upgrading to the latest version of OSSEC
> many of my servers are generating this alert.
>
> See below.
>
> ----------
>
> OSSEC HIDS Notification.
> 2007 Oct 02 05:11:12
>
> Received From: (xxxxxx) x.x.x.x->syscheck
> Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
> Portion of the log(s):
>
> File 'C:\WINDOWS/system32/inetsrv/History/MBSchema_0000030206_0000000000.xml'
> was deleted. Unable to retrieve checksum.
>
> --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
> 2007 Oct 02 05:11:12
>
> Received From: (xxxxxx) x.x.x.x->syscheck
> Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
> Portion of the log(s):
>
> File 'C:\WINDOWS/system32/inetsrv/History/MBSchema_0000030207_0000000000.xml'
> was deleted. Unable to retrieve checksum.
>
> --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
> 2007 Oct 02 05:11:12
>
> Received From: (xxxxxx) x.x.x.x->syscheck
> Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
> Portion of the log(s):
>
> File 'C:\WINDOWS/system32/inetsrv/History/MBSchema_0000030208_0000000000.xml'
> was deleted. Unable to retrieve checksum.
>
> --END OF NOTIFICATION
>
> Thanks,
>
> -chad
>
> ________________________________
>
> From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of
> Clayton Dillard
> Sent: Wednesday, August 29, 2007 4:55 PM
> To: ossec-list
> Subject: [ossec-list] [Fwd: OSSEC Notification - (RPSSQL01) 10.10.1.253 -
> Alert level 7]
>
> Recently installed OSSEC agent on a Windows Server 2003 R2 box with MS SQL
> 2005 on it, as well as IIS. Getting this alert. Anyone got any insight as
> to whether this is normal as IIS gens backups of the config and purges old
> ones?
>
> Thanks in advance,
> Clayton Dillard
>
> -------- Forwarded Message --------
> From: OSSEC HIDS <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: OSSEC Notification - (RPSSQL01) 10.10.1.253 - Alert level 7
> Date: Wed, 29 Aug 2007 14:55:08 EDT
>
> OSSEC HIDS Notification.
> 2007 Aug 29 14:54:56
>
> Received From: (RPSSQL01) x.x.x.x->syscheck
> Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
>
> Portion of the log(s):
>
> File 'C:\WINDOWS/system32/inetsrv/History/MBSchema_0000000088_0000000000.xml'
> was deleted. Unable to retrieve checksum.
>
> --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
> 2007 Aug 29 14:54:56
>
> Received From: (RPSSQL01) x.x.x.x->syscheck
> Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
>
> Portion of the log(s):
>
> File 'C:\WINDOWS/system32/inetsrv/History/MetaBase_0000000088_0000000000.xml'
> was deleted. Unable to retrieve checksum.
>
> --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
> 2007 Aug 29 14:54:56
>
> Received From: (RPSSQL01) x.x.x.x->syscheck
> Rule: 550 fired (level 7) -> "Integrity checksum changed."
>
> Portion of the log(s):
>
> Integrity checksum changed for: 'C:\WINDOWS/system32/inetsrv/MetaBase.xml'
> Old md5sum was: 'ef3df1597cbd473280064e6b3d1cfc81'
> New md5sum is : 'fbe18ed853cfc84594097085c21a2c36'
>
> Old sha1sum was: '13613487f40d277c23438431269ae0e5fd761726'
> New sha1sum is : '2169491d00a7f7b2c498767e9c351d8ed9abfe4b'
>
> --END OF NOTIFICATION
>
> Clayton Dillard
> Director of Information Technology
> RPS Technology LLC
> Tel: 919-319-4301 x205
> Cell: 919-414-0265
> Fax: 919-882-8261
>
> The information in this e-mail, and any attachment therein, is
> confidential
> and for use by the addressee only. If you are not the intended recipient,
> please return the e-mail to the sender and delete it from your computer.
> Although RPS Technology attempts to sweep e-mail and attachments for
> viruses, it does not guarantee that either are virus-free and accepts no
> liability for any damage sustained as a result of viruses.
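
Added example, not part of the original thread and not OSSEC code: a small Python triage script that replays alerts in the format quoted above against the suggested ignore entry, to show that the History deletions (rule 553) are suppressed while the checksum change on MetaBase.xml (rule 550) still fires. The sample text is constructed from the quoted alerts, the function names are hypothetical, and the ignore entry is modelled as a case-insensitive prefix match, which is an assumption about syscheck's behaviour.

```python
import re
from collections import Counter

# Constructed sample: three alert bodies in the format quoted in the thread.
SAMPLE = r"""
Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
File 'C:\WINDOWS/system32/inetsrv/History/MBSchema_0000000088_0000000000.xml'
was deleted. Unable to retrieve checksum.
 --END OF NOTIFICATION
Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
File 'C:\WINDOWS/system32/inetsrv/History/MetaBase_0000000088_0000000000.xml'
was deleted. Unable to retrieve checksum.
 --END OF NOTIFICATION
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Integrity checksum changed for: 'C:\WINDOWS/system32/inetsrv/MetaBase.xml'
 --END OF NOTIFICATION
"""

# The entry suggested in the reply above.
IGNORE = [r"C:\WINDOWS/system32/inetsrv/History"]

# Rule id, then the first quoted path after "File" or "changed for:".
ALERT = re.compile(r"Rule: (\d+) fired.*?(?:File|changed for:) '([^']+)'", re.S)

def parse_alerts(text):
    """Return (rule_id, path) for each notification that names a file."""
    blocks = text.split("--END OF NOTIFICATION")
    hits = (ALERT.search(block) for block in blocks)
    return [(int(m.group(1)), m.group(2)) for m in hits if m]

def is_ignored(path, ignore=IGNORE):
    # Assumption: a plain <ignore> entry acts as a case-insensitive prefix match.
    return any(path.lower().startswith(entry.lower()) for entry in ignore)

def triage(text, ignore=IGNORE):
    """Count alerts the ignore list would drop; list the ones that still fire."""
    suppressed, remaining = Counter(), []
    for rule, path in parse_alerts(text):
        if is_ignored(path, ignore):
            suppressed[rule] += 1
        else:
            remaining.append((rule, path))
    return suppressed, remaining

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Running the same check over a day of real notifications before changing the configuration shows how much noise an ignore entry removes and which monitored files it leaves covered.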
