You definitely want to exclude your mail queue directories.  You can use the
DOS 8.3 directory naming convention so that you don't have to worry about
the space too.  C:\progra~1\.. etc.  This will overcome many other
applications as well so it's a good thing to brush up on.

This was discussed a few weeks ago as well.

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On
Behalf Of Jeremy Melanson
Sent: Wednesday, November 28, 2007 2:53 PM
To: [email protected]
Subject: [ossec-list] Windows Agent and Microsoft Exchange


Hello all.

I'm receiving rootcheck alerts from an OSSEC Windows Agent (version 1.3)
running on a Microsoft Exchange 2003 Server. The alerts occur on files
in the Exchange Server's 'Mailroot' directory.
Multiple alerts are generated, and happen around the same time every
morning.
I've been trying to figure out how to get the OSSEC Agent to ignore the
directory "C:\Program Files\Exchsrvr\Mailroot\vsi_1\Queue", but this has
not stopped the alerts from being generated. It may be possible that I
have the syntax incorrect in my ossec.conf, as I cannot locate any
documentation on how to add paths with spaces in them to ossec.conf.
I've tried several different syntaxes. The latest one is "<ignore>C:
\Program Files/Exchsrvr/Mailroot/vsi 1/Queue</ignore>".

Any help would be greatly appreciated.

The email alerts I receive look like the following:

OSSEC HIDS Notification.
2007 Nov 28 05:10:03

Received From: (pkmail1) 192.168.16.4->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event
(rootcheck)."
Portion of the log(s):

NTFS Alternate data stream found: 'C:\/Program
Files/Exchsrvr/Mailroot/vsi
1/Queue/NTFS_55de5e3f01c830ec00010c7e.EML:PROPERTIES-LIVE'. Possible
hidden content.

 --END OF NOTIFICATION


-----
Jeremy Melanson
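For reference, here is what the ignore entry looks like when written with the 8.3 short name the reply suggests. This is an added example, not a fragment from either message or from the OSSEC project's documentation. The `progra~1` short name is an assumption (short names are assigned per volume, in creation order, so confirm it on the server with `dir /x C:\`), and the final path component is taken from the original message's prose; if that directory also contains a space, substitute its own short name.

```xml
<ossec_config>
  <syscheck>
    <!-- Weak form, as attempted in the thread: a space in the path plus mixed
         slash styles, which the agent did not match (kept commented out) -->
    <!-- <ignore>C:\Program Files/Exchsrvr/Mailroot/vsi 1/Queue</ignore> -->

    <!-- Corrected form: DOS 8.3 short name for "Program Files" and consistent
         backslashes. "progra~1" is an assumption; verify with "dir /x C:\" -->
    <ignore>C:\progra~1\Exchsrvr\Mailroot\vsi_1\Queue</ignore>
  </syscheck>
</ossec_config>
```

Restart the agent after editing and watch the next morning's run. The thread does not settle whether a syscheck `<ignore>` also covers the rootcheck alternate-data-stream check that produced the alert, so treat continued rule 510 alerts from that path as a sign the exclusion is not reaching the check that fires rather than as a syntax problem.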

