Oh, duh! I've been living in *nix for so long, I forgot about that. I've set my ossec.conf up to ignore C:\progra~1\exchsrvr\mailroot (I can't seem to access "vsi 1" using "vsi~1"). I'll see tomorrow morning if it took (The alerts only get generated in the early morning).
-----
Jeremy Melanson

On Nov 29, 2007 1:17 AM, Herb Steck <[EMAIL PROTECTED]> wrote:
>
> You definitely want to exclude your mail queue directories. You can use the DOS 8.3 directory naming convention so that you don't have to worry about the space too. C:\progra~1\.. etc. This will overcome many other applications as well, so it's a good thing to brush up on.
>
> This was discussed a few weeks ago as well.
>
>
> -----Original Message-----
> From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Jeremy Melanson
> Sent: Wednesday, November 28, 2007 2:53 PM
> To: [email protected]
> Subject: [ossec-list] Windows Agent and Microsoft Exchange
>
>
> Hello all.
>
> I'm receiving rootcheck alerts from an OSSEC Windows Agent (version 1.3) running on a Microsoft Exchange 2003 Server. The alerts occur on files in the Exchange Server's 'Mailroot' directory. Multiple alerts are generated, and happen around the same time every morning.
> I've been trying to figure out how to get the OSSEC Agent to ignore the directory "C:\Program Files\Exchsrvr\Mailroot\vsi_1\Queue", but this has not stopped the alerts from being generated. It may be possible that I have the syntax incorrect in my ossec.conf, as I cannot locate any documentation on how to add paths with spaces in them to ossec.conf. I've tried several different syntaxes. The latest one is "<ignore>C:\Program Files/Exchsrvr/Mailroot/vsi 1/Queue</ignore>".
>
> Any help would be greatly appreciated.
>
> The email alerts I receive look like the following:
>
> OSSEC HIDS Notification.
> 2007 Nov 28 05:10:03
>
> Received From: (pkmail1) 192.168.16.4->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event
> (rootcheck)."
> Portion of the log(s):
>
> NTFS Alternate data stream found: 'C:\/Program
> Files/Exchsrvr/Mailroot/vsi
> 1/Queue/NTFS_55de5e3f01c830ec00010c7e.EML:PROPERTIES-LIVE'. Possible
> hidden content.
>
>
>
> --END OF NOTIFICATION
>
>
> -----
> Jeremy Melanson
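The path-matching problem the thread is circling (mixed `\/` separators in the alert, a space in "vsi 1", an 8.3 alias such as progra~1 in the ignore entry) can be checked offline before touching ossec.conf. The script below is an added example, not code from the list or from OSSEC; the sample alert is constructed from the notification quoted above, and the SHORT_NAMES alias table is a hypothetical stand-in for the real short names on the host.

```python
import re
from typing import Optional

# Constructed sample, modelled on the notification quoted in the thread,
# including the line breaks the mailer inserted into the path.
SAMPLE_ALERT = """Rule: 510 fired (level 7) -> "Host-based anomaly detection event
(rootcheck)."
Portion of the log(s):

NTFS Alternate data stream found: 'C:\\/Program
Files/Exchsrvr/Mailroot/vsi
1/Queue/NTFS_55de5e3f01c830ec00010c7e.EML:PROPERTIES-LIVE'. Possible
hidden content.
"""

# Hypothetical 8.3 alias table so an ignore entry written as C:\progra~1\...
# compares equal to the long name in the alert. Real short names must be
# taken from `dir /x` on the host; this mapping is assumed for the example.
SHORT_NAMES = {"progra~1": "program files"}

ADS_RE = re.compile(r"NTFS Alternate data stream found: '(.+?)'", re.S)


def normalise(path: str) -> str:
    """Bring an OSSEC path such as 'C:\\/Program Files/...' to one canonical
    form: undo mail wrapping, use '/' only, lower-case (NTFS is
    case-insensitive) and expand known 8.3 components."""
    path = path.replace("\n", " ")           # mailers wrap at spaces
    path = re.sub(r"[\\/]+", "/", path)      # '\/' and '//' -> '/'
    parts = [SHORT_NAMES.get(p.lower(), p.lower()) for p in path.split("/")]
    return "/".join(parts)


def parse_alert(text: str) -> Optional[dict]:
    """Extract the file path and ADS stream name from a rule 510 alert."""
    m = ADS_RE.search(text)
    if not m:
        return None
    full = normalise(m.group(1))
    base, _, stream = full.rpartition(":")
    if len(base) <= 1:                       # only the drive colon present
        base, stream = full, ""
    return {"path": base, "stream": stream}


def is_ignored(path: str, ignore_dirs) -> bool:
    """True if path lies under any ignore directory, whichever separator or
    8.3 spelling the ignore entry used."""
    p = normalise(path).rstrip("/") + "/"
    return any(p.startswith(normalise(d).rstrip("/") + "/") for d in ignore_dirs)
```

Feeding the saved alert e-mails and the candidate ignore list through `is_ignored` shows which alerts a given entry would have covered, so only the Exchange queue is silenced and ADS findings elsewhere on the server keep firing.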
