Tried the same USB today. No integrity scan hash change. Stopped and started task with media in and then ejected and stopped/started again. Still no email of hash change.
>>> David Williams <[EMAIL PROTECTED]> 3/24/2008 6:08 PM >>>

Chuck,

Did you give OSSEC time to rescan? I think within the <syscheck> block, the <frequency> block is the time between scans in seconds; I think the default is once every 4 hours. You may want to restart OSSEC when testing integrity checking to be sure the files/registry are rescanned.

-David

Chuck Braden wrote:
| Yep, I tried the same thumb drive out and in a couple of times and no such message. Interesting.
|
|>>> David Williams <[EMAIL PROTECTED]> 3/24/2008 1:56 PM >>>
|
| Well, I can't really speak for Windows users, but I'm pretty sure the Enum registry keys below should change whenever there is a change to the storage systems available (such as a USB key being loaded or unloaded). And I wouldn't be too surprised that A/V software also kept track of storage systems available and whether they have been scanned or not. I don't think I would worry about these -- but I might swap USB keys a couple times and wait to see if OSSEC warns about the same keys (as I would expect it to).
| I hope that helps,
| -David
|
| Chuck Braden wrote:
| | I received a notification this morning on MY desktop regarding a hash change. They seem to be for Symantec AV registry keys. Nothing changed (that I know of) on my system, other than a USB thumb drive was ejected. Any idea where I can get some more details on what this was flagging?
| |
| |>>> OSSEC HIDS <> 3/24/2008 10:04 AM >>>
| | OSSEC HIDS Notification.
| | 2008 Mar 24 10:04:11
| |
| | Received From: (jcbgateway) someIPhere->syscheck-registry
| | Rule: 550 fired (level 7) -> "Integrity checksum changed."
| | Portion of the log(s):
| |
| | Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum'
| | Old md5sum was: 'fbec8592b945ad389ff95b69990f7e0e'
| | New md5sum is : 'df381861064740470a5ac7518b3a166e'
| | Old sha1sum was: 'f5fca98d8bded7f4dd89597ebb9a8f46d898e255'
| | New sha1sum is : '07421beef1a6cd6e394618aa6055a909267a1f2a'
| |
| | snip

-- 
GPG (http://www.gnupg.org/) key available from: http://www.kayakero.net/per/david/
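The notification format quoted in this thread is regular enough to triage automatically. The following is an added example, not code from OSSEC or from anyone in the thread: it parses a Rule 550 syscheck-registry alert into its fields, checks that both digests really changed, and marks the Disk\Enum key (which David expects to change on every USB attach/eject) as expected noise. The sample alert is constructed from the one quoted above, and the EXPECTED_VOLATILE list is an assumed analyst-maintained list, not an OSSEC default.

```python
import re

# Constructed sample, modelled on the Rule 550 notification quoted in the thread (same key, digests and placeholders).
SAMPLE_ALERT = r"""OSSEC HIDS Notification.
2008 Mar 24 10:04:11
Received From: (jcbgateway) someIPhere->syscheck-registry
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum'
Old md5sum was: 'fbec8592b945ad389ff95b69990f7e0e'
New md5sum is : 'df381861064740470a5ac7518b3a166e'
Old sha1sum was: 'f5fca98d8bded7f4dd89597ebb9a8f46d898e255'
New sha1sum is : '07421beef1a6cd6e394618aa6055a909267a1f2a'
"""

# Keys that legitimately change when storage devices are attached or ejected.
# Assumption: an analyst-maintained list, not an OSSEC default.
EXPECTED_VOLATILE = {r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum".lower()}

FIELD_PATTERNS = {
    "timestamp": re.compile(r"^(\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2})$"),
    "location": re.compile(r"^Received From: .+->(\S+)$"),
    "rule": re.compile(r"^Rule: (\d+) fired \(level \d+\)"),
    "target": re.compile(r"^Integrity checksum changed for: '(.+)'$"),
    "old_md5": re.compile(r"^Old md5sum was: '([0-9a-f]{32})'$"),
    "new_md5": re.compile(r"^New md5sum is : '([0-9a-f]{32})'$"),
    "old_sha1": re.compile(r"^Old sha1sum was: '([0-9a-f]{40})'$"),
    "new_sha1": re.compile(r"^New sha1sum is : '([0-9a-f]{40})'$"),
}


def parse_alert(text):
    """Extract the labelled fields of one OSSEC syscheck notification into a dict."""
    rec = {}
    for line in text.splitlines():
        for name, pat in FIELD_PATTERNS.items():
            m = pat.match(line.strip())
            if m:
                rec[name] = m.group(1)
    return rec


def triage(text):
    """Decide whether a checksum-change alert needs a human to look at it."""
    rec = parse_alert(text)
    target = rec.get("target", "")
    # Both digests must differ; only one differing would point at a parse problem, not a change.
    changed = (rec.get("old_md5") != rec.get("new_md5")
               and rec.get("old_sha1") != rec.get("new_sha1"))
    expected = rec.get("location") == "syscheck-registry" and target.lower() in EXPECTED_VOLATILE
    return {"rule": rec.get("rule"), "target": target, "digests_changed": changed,
            "expected_noise": expected, "needs_review": changed and not expected}
```

Alerts for keys outside EXPECTED_VOLATILE come back with needs_review set, so the same function separates the Enum churn from a change worth investigating.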