Hello all. I'm receiving rootcheck alerts from an OSSEC Windows Agent (version 1.3) running on a Microsoft Exchange 2003 Server. The alerts occur on files in the Exchange Server's 'Mailroot' directory. Multiple alerts are generated, and they happen around the same time every morning. I've been trying to figure out how to get the OSSEC Agent to ignore the directory "C:\Program Files\Exchsrvr\Mailroot\vsi_1\Queue", but this has not stopped the alerts from being generated. It may be possible that I have the syntax incorrect in my ossec.conf, as I cannot locate any documentation on how to add paths with spaces in them to ossec.conf. I've tried several different syntaxes. The latest one is "<ignore>C: \Program Files/Exchsrvr/Mailroot/vsi 1/Queue</ignore>".
Any help would be greatly appreciated. The email alerts I receive look like the following:

OSSEC HIDS Notification.
2007 Nov 28 05:10:03

Received From: (pkmail1) 192.168.16.4->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

NTFS Alternate data stream found: 'C:\/Program Files/Exchsrvr/Mailroot/vsi 1/Queue/NTFS_55de5e3f01c830ec00010c7e.EML:PROPERTIES-LIVE'. Possible hidden content.

--END OF NOTIFICATION

-----
Jeremy Melanson
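As an added triage helper (not part of the original post and not OSSEC's own code), the following parses the notification quoted above, splits the flagged NTFS alternate data stream name off the file path, and checks which candidate ignore entries are a directory prefix of the path exactly as the agent logged it (mixed "\/" separators, "vsi 1" with a space). The prefix rule and the separator/case normalisation are assumptions made for this comparison, not OSSEC's internal ignore matching.

```python
import re
from typing import Optional

# Constructed sample input: the notification body quoted in the post above.
SAMPLE_ALERT = """OSSEC HIDS Notification.
2007 Nov 28 05:10:03
Received From: (pkmail1) 192.168.16.4->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):
NTFS Alternate data stream found: 'C:\\/Program Files/Exchsrvr/Mailroot/vsi 1/Queue/NTFS_55de5e3f01c830ec00010c7e.EML:PROPERTIES-LIVE'. Possible hidden content.
--END OF NOTIFICATION
"""

ALERT_RE = re.compile(
    r"Received From: \((?P<agent>[^)]+)\) (?P<ip>[\d.]+)->(?P<src>\w+).*?"
    r"Rule: (?P<rule>\d+) fired \(level (?P<level>\d+)\).*?"
    r"found: '(?P<target>[^']+)'",
    re.S,
)
# Drive-letter path followed by an optional ':stream' alternate data stream name.
ADS_RE = re.compile(r"(?P<file>[A-Za-z]:.+?)(?::(?P<stream>[^:/\\]+))?$")


def normalize(path: str) -> str:
    """Canonical form used only for comparison here (assumption, not OSSEC's
    matching): backslashes become '/', runs of '/' collapse, and the result is
    lower-cased because NTFS paths are case-insensitive."""
    p = re.sub(r"/+", "/", path.replace("\\", "/"))
    return p.strip().lower().rstrip("/")


def ignored_by(file_path: str, ignore_entries: list) -> Optional[str]:
    """Return the first ignore entry that is a directory prefix of file_path."""
    target = normalize(file_path)
    for entry in ignore_entries:
        prefix = normalize(entry)
        if target == prefix or target.startswith(prefix + "/"):
            return entry
    return None


def triage(alert_text: str, ignore_entries: list) -> dict:
    """Parse one rootcheck e-mail and report whether its path is covered."""
    m = ALERT_RE.search(alert_text)
    if not m:
        raise ValueError("not a rootcheck notification")
    ads = ADS_RE.match(m["target"])
    return {
        "agent": m["agent"], "rule": int(m["rule"]), "level": int(m["level"]),
        "file": ads["file"], "stream": ads["stream"],
        "ignored_by": ignored_by(ads["file"], ignore_entries),
    }
```

Running `triage(SAMPLE_ALERT, [...])` with the entry from the post returns `ignored_by: None`, while an entry spelled with the same separators and directory names as the logged path matches.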
