On Wed, Oct 13, 2010 at 6:51 PM, Jefferson, Shawn <[email protected]> wrote:
> First, I have had no luck trying to ignore the following on Windows:
>
> Received From: (SERVER01) 172.16.3.157->syscheck-registry
> Rule: 550 fired (level 7) -> "Integrity checksum changed."
> Portion of the log(s):
>
> Integrity checksum changed for:
> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
>
> No matter what I try to put in the registry ignore line, it always fires.
> I’ve tried in the agent.conf and the local ossec.conf. Has anyone else had
> this problem? Any suggestions?
>
> Secondly, does the output of a command work on Windows platforms? See the
> blog post here:
> http://www.ossec.net/dcid/?p=198
>
> I’d like to implement this on windows for monitoring open ports, with
> netstat. Do you need active response enabled for this? What version of
> OSSEC supports this feature?

It should work on Windows. It's supported in 2.5.1. Looks like it made the 2.4 release notes as well, so I'm guessing it works there.

> --
> Shawn Jefferson, IT Security, GCIH, GCFA
> British Columbia Ferry Services Inc.
> Tel: (250) 978-1508
> Fax: (250) 405-3533
> [email protected] | www.bcferries.com
