Chuck,

Did you give OSSEC time to rescan? I think within the <syscheck> block, the <frequency> block is the time between scans in seconds; I think the default is once every 4 hours. You may want to restart OSSEC when testing integrity checking to be sure the files/registry are rescanned.

-David
Chuck Braden wrote:
| Yep, I tried the same thumb drive out and in a couple of times and no such message. Interesting.
|
|>>> David Williams <[EMAIL PROTECTED]> 3/24/2008 1:56 PM >>>
|
| Well, I can't really speak for Windows users, but I'm pretty sure the Enum registry keys below should change whenever there is a change to the storage systems available (such as a USB key being loaded or unloaded). And I wouldn't be too surprised that A/V software also kept track of storage systems available and whether they have been scanned or not. I don't think I would worry about these -- but I might swap USB keys a couple times and wait to see if OSSEC warns about the same keys (as I would expect it to).
|
| I hope that helps,
|
| -David
|
| Chuck Braden wrote:
| | I received a notification this morning on MY desktop regarding a hash change. They seem to be for Symantec AV registry keys. Nothing changed (that I know of) on my system, other than a USB thumb drive was ejected. Any idea where I can get some more details on what this was flagging?
| |
| |>>> OSSEC HIDS <> 3/24/2008 10:04 AM >>>
| |
| | OSSEC HIDS Notification.
| | 2008 Mar 24 10:04:11
| |
| | Received From: (jcbgateway) someIPhere->syscheck-registry
| | Rule: 550 fired (level 7) -> "Integrity checksum changed."
| | Portion of the log(s):
| |
| | Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum'
| | Old md5sum was: 'fbec8592b945ad389ff95b69990f7e0e'
| | New md5sum is : 'df381861064740470a5ac7518b3a166e'
| | Old sha1sum was: 'f5fca98d8bded7f4dd89597ebb9a8f46d898e255'
| | New sha1sum is : '07421beef1a6cd6e394618aa6055a909267a1f2a'
| |
| | --END OF NOTIFICATION
| |
| | OSSEC HIDS Notification.
| | 2008 Mar 24 10:04:11
| |
| | Received From: (jcbgateway) someIPhere->syscheck-registry
| | Rule: 551 fired (level 7) -> "Integrity checksum changed again (2nd time)."
| | Portion of the log(s):
| |
| | Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVENG'
| | Old md5sum was: 'd750d2bf68da6170b2f21c2153052e9f'
| | New md5sum is : 'd6c3d6e26ff4a0409e117ea8f3adb296'
| | Old sha1sum was: '8d4691b2ddbc4d8b879e82990bb75301298af03e'
| | New sha1sum is : '7b2cbea271fb1dc42b52fd6ef9993be228b3483f'
| |
| | --END OF NOTIFICATION
| |
| | OSSEC HIDS Notification.
| | 2008 Mar 24 10:04:11
| |
| | Received From: (jcbgateway) someIPhere->syscheck-registry
| | Rule: 551 fired (level 7) -> "Integrity checksum changed again (2nd time)."
| | Portion of the log(s):
| |
| | Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVEX15'
| | Old md5sum was: '7dd0cc4ffc1996a6463f79bbe45e5a7b'
| | New md5sum is : '13779b3be17235b73b946deaeeeae24d'
| | Old sha1sum was: 'f7b56139d83cff43c147251dfcfd0b19a49c03fd'
| | New sha1sum is : '6e0ed78078a0621c406165ecc2cba462495f82e8'
| |
| | --END OF NOTIFICATION
| |
| | OSSEC HIDS Notification.
| | 2008 Mar 24 10:04:11
| |
| | Received From: (jcbgateway) someIPhere->syscheck-registry
| | Rule: 550 fired (level 7) -> "Integrity checksum changed."
| | Portion of the log(s):
| |
| | Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PartMgr\Enum'
| | Old md5sum was: '2465bc08ee24c96a71f5ba9c6940b99a'
| | New md5sum is : 'aac6f631fdde5d7d94831507b399c140'
| | Old sha1sum was: '797289bb9e7ad6b6fe206300a71b9277f02c2e38'
| | New sha1sum is : '109d58fd28f6b131d7a3924051310fdfcfbd5006'
| |
| | --END OF NOTIFICATION
| |
| | OSSEC HIDS Notification.
| | 2008 Mar 24 10:04:11
| |
| | Received From: (jcbgateway) someIPhere->syscheck-registry
| | Rule: 551 fired (level 7) -> "Integrity checksum changed again (2nd time)."
| | Portion of the log(s):
| |
| | Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SPBBCDrv\Parameters'
| | Old md5sum was: '153b492dc360e76f3c7b4cb8773e56b0'
| | New md5sum is : 'fa7cdffcd9d50a2ea7156a1e25f28ffd'
| | Old sha1sum was: 'ebf0d781d3c87d863737b8dc9bca708189d8a19d'
| | New sha1sum is : 'fb6b066a729403377d01055225dcdfbace5c5901'
| |
| | --END OF NOTIFICATION
| |
| | OSSEC HIDS Notification.
| | 2008 Mar 24 10:04:11
| |
| | Received From: (jcbgateway) someIPhere->syscheck-registry
| | Rule: 550 fired (level 7) -> "Integrity checksum changed."
| | Portion of the log(s):
| |
| | Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\usbstor\Enum'
| | Old md5sum was: 'a4219276c45e697b60ae0e601d9eb217'
| | New md5sum is : '1da3f721a64ce699d121dc59cda77cd3'
| | Old sha1sum was: '0b838f5e2e1d6dc8ea5170183b3aae22c569a898'
| | New sha1sum is : '3197b53d97c594aec135dbe32a050ca20372d16c'
| |
| | --END OF NOTIFICATION
| |
| | tia matthias
| |
|

-- 
_______________________________________________
GPG (http://www.gnupg.org/) key available from: http://www.kayakero.net/per/david/
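An added example, not part of the list thread and not OSSEC's own code, showing how a practitioner might triage the syscheck-registry alerts quoted above: parse the notification text into one record per key, separate the plug-and-play enumeration keys (Services\<driver>\Enum) that change whenever a USB drive is attached or removed from every other key, and print the ossec.conf <registry_ignore> lines for the noisy ones. The sample alert text below is constructed from three of the keys and hashes quoted in the thread; the regular expression defining which keys count as "volatile", and the 7200-second <frequency> used for testing, are this example's assumptions, not OSSEC defaults.

```python
"""Triage OSSEC syscheck-registry alerts (added example, not OSSEC code)."""
import re
from dataclasses import dataclass

# Constructed sample built from keys/hashes quoted in the list thread.
SAMPLE_ALERTS = r"""OSSEC HIDS Notification.
2008 Mar 24 10:04:11

Received From: (jcbgateway) someIPhere->syscheck-registry
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):

Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum'
Old md5sum was: 'fbec8592b945ad389ff95b69990f7e0e'
New md5sum is : 'df381861064740470a5ac7518b3a166e'
Old sha1sum was: 'f5fca98d8bded7f4dd89597ebb9a8f46d898e255'
New sha1sum is : '07421beef1a6cd6e394618aa6055a909267a1f2a'

--END OF NOTIFICATION

OSSEC HIDS Notification.
2008 Mar 24 10:04:11

Received From: (jcbgateway) someIPhere->syscheck-registry
Rule: 551 fired (level 7) -> "Integrity checksum changed again (2nd time)."
Portion of the log(s):

Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVENG'
Old md5sum was: 'd750d2bf68da6170b2f21c2153052e9f'
New md5sum is : 'd6c3d6e26ff4a0409e117ea8f3adb296'
Old sha1sum was: '8d4691b2ddbc4d8b879e82990bb75301298af03e'
New sha1sum is : '7b2cbea271fb1dc42b52fd6ef9993be228b3483f'

--END OF NOTIFICATION

OSSEC HIDS Notification.
2008 Mar 24 10:04:11

Received From: (jcbgateway) someIPhere->syscheck-registry
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):

Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\usbstor\Enum'
Old md5sum was: 'a4219276c45e697b60ae0e601d9eb217'
New md5sum is : '1da3f721a64ce699d121dc59cda77cd3'
Old sha1sum was: '0b838f5e2e1d6dc8ea5170183b3aae22c569a898'
New sha1sum is : '3197b53d97c594aec135dbe32a050ca20372d16c'

--END OF NOTIFICATION
"""

# One match per notification: rule id, level, key and the four checksums.
ALERT_RE = re.compile(
    r"Rule: (?P<rule>\d+) fired \(level (?P<level>\d+)\).*?"
    r"Integrity checksum changed for: '(?P<key>[^']+)'\s*"
    r"Old md5sum was: '(?P<old_md5>[0-9a-f]+)'\s*"
    r"New md5sum is : '(?P<new_md5>[0-9a-f]+)'\s*"
    r"Old sha1sum was: '(?P<old_sha1>[0-9a-f]+)'\s*"
    r"New sha1sum is : '(?P<new_sha1>[0-9a-f]+)'",
    re.DOTALL,
)

# Assumption of this example: device-enumeration keys under
# Services\<driver>\Enum are expected to change on every USB plug/unplug.
VOLATILE_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\[^\\]+\\Enum$",
    re.IGNORECASE,
)


@dataclass
class RegistryChange:
    rule: int
    level: int
    key: str
    old_md5: str
    new_md5: str
    old_sha1: str
    new_sha1: str


def parse_alerts(text):
    """Return one RegistryChange per 'Integrity checksum changed' block."""
    changes = []
    for m in ALERT_RE.finditer(text):
        c = RegistryChange(int(m["rule"]), int(m["level"]), m["key"],
                           m["old_md5"], m["new_md5"],
                           m["old_sha1"], m["new_sha1"])
        # A change alert must carry two different checksums for both hashes.
        if c.old_md5 == c.new_md5 or c.old_sha1 == c.new_sha1:
            raise ValueError(f"inconsistent alert for {c.key}")
        changes.append(c)
    return changes


def classify(change):
    """'volatile' for plug-and-play enumeration keys, 'review' otherwise."""
    return "volatile" if VOLATILE_KEY_RE.match(change.key) else "review"


def summarize(text):
    """Count how many alerts fall into each class."""
    counts = {"volatile": 0, "review": 0}
    for c in parse_alerts(text):
        counts[classify(c)] += 1
    return counts


def registry_ignore_fragment(changes):
    """ossec.conf <registry_ignore> lines for the volatile keys, deduplicated."""
    keys = sorted({c.key for c in changes if classify(c) == "volatile"})
    return "\n".join(f"    <registry_ignore>{k}</registry_ignore>" for k in keys)


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_ALERTS)
    for c in found:
        print(f"rule {c.rule} level {c.level} {classify(c):8} {c.key}")
    # Assumed testing value: rescan every 2 hours instead of waiting for the
    # configured default, so a second plug/unplug shows up quickly.
    print("<syscheck>\n    <frequency>7200</frequency>")
    print(registry_ignore_fragment(found))
    print("</syscheck>")
```

Keys that do not match the volatile pattern (here the NAVENG one) are left in the "review" bucket rather than ignored; the thread's own suggestion of swapping the USB key a couple of times and waiting for the next scan is how you confirm that a key is genuinely volatile before adding it to <registry_ignore>.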