First, I have had no luck trying to ignore the following on Windows:
Received From: (SERVER01) 172.16.3.157->syscheck-registry
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):
Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
No matter what I try to put in the registry ignore line, it always fires. I've
tried in the agent.conf and the local ossec.conf. Has anyone else had this
problem? Any suggestions?
Secondly, does the output of a command work on Windows platforms? See the blog
post here:
http://www.ossec.net/dcid/?p=198
I'd like to implement this on Windows for monitoring open ports, with netstat.
Do you need active response enabled for this? What version of OSSEC supports
this feature?
--
Shawn Jefferson, IT Security, GCIH, GCFA
British Columbia Ferry Services Inc.
Tel: (250) 978-1508
Fax: (250) 405-3533
[email protected] | www.bcferries.com
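An ossec.conf fragment covering both questions above, added here as an illustration and not part of the original post or of OSSEC's own documentation; it assumes an OSSEC 2.x Windows agent in which `registry_ignore` accepts `type="sregex"` and `full_command` localfiles are processed by the agent.

```xml
<!-- Added example configuration (assumption: OSSEC 2.x Windows agent); not from the original post -->
<ossec_config>
  <syscheck>
    <!-- Exact-match ignore: the path must be written exactly as it appears in the
         "Integrity checksum changed for:" alert, including the GUID subkey. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}</registry_ignore>

    <!-- Pattern ignore (assumes sregex support on registry_ignore): matches any key whose
         path contains "GPExtensions", so all client-side extension GUIDs under it are skipped. -->
    <registry_ignore type="sregex">GPExtensions</registry_ignore>
  </syscheck>

  <!-- Command-output monitoring: the full output of the command is collected on each run and
       a change in it raises an alert, which is the behaviour described in the linked blog post. -->
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -an</command>
  </localfile>
</ossec_config>
```

Keep only one of the two `registry_ignore` forms in a real deployment; the exact-match entry is the narrower one, while the sregex entry silences every subkey under GPExtensions and so also hides legitimate changes there.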