I'd have to double-check, but I don't remember seeing any alerts for the registry events I've set up to ignore.
I think the sregex type might be best:

<registry_ignore type="sregex">^HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions</registry_ignore>

On Fri, Oct 22, 2010 at 1:09 PM, Jefferson, Shawn <[email protected]> wrote:
> Any further news on this?
>
> Did you find a regex that would work for ignoring this registry entry (which
> changes frequently):
>
> <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
> NT\CurrentVersion\Winlogon\GPExtensions</registry_ignore>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Saturday, October 16, 2010 11:02 AM
> To: [email protected]
> Subject: Re: [ossec-list] Two Questions
>
> On Sat, Oct 16, 2010 at 1:52 PM, dan (ddp) <[email protected]> wrote:
>> On Fri, Oct 15, 2010 at 12:59 PM, dan (ddp) <[email protected]> wrote:
>>> On Fri, Oct 15, 2010 at 12:51 PM, Jefferson, Shawn
>>> <[email protected]> wrote:
>>>> Will that work like that without the type="sregex" ?
>>>>
>>>
>>> I don't know. :) I don't have to deal with very many Windows machines,
>>> so this is experimentation for me.
>>> Hopefully I'll get a chance to look into it tonight.
>>>
>>
>> I just got an alert for one of the registry entries I tried ignoring
>> (using the sregex). Trying something else now I guess.
>>
>
> Oops, that one was commented out. False alarm.
>
>>>> -----Original Message-----
>>>> From: [email protected] [mailto:[email protected]] On
>>>> Behalf Of dan (ddp)
>>>> Sent: Friday, October 15, 2010 9:24 AM
>>>> To: [email protected]
>>>> Subject: Re: [ossec-list] Two Questions
>>>>
>>>> On Fri, Oct 15, 2010 at 12:09 PM, Jefferson, Shawn
>>>> <[email protected]> wrote:
>>>>> Yes, I did try it once with just "GPExtensions", but that may have been
>>>>> before I realized you needed to restart ossec for it to take effect.
>>>>>
>>>>> I'll try it again and see what happens.
>>>>>
>>>>
>>>> I've set up a couple of ignores on my ossec manager using the full
>>>> registry entry up until that last slash. I haven't had a chance to see
>>>> if it's working yet.
>>>> Example:
>>>> <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
>>>> NT\CurrentVersion\Winlogon\GPExtensions</registry_ignore>
>>>>
>>>>> -----Original Message-----
>>>>> From: [email protected] [mailto:[email protected]] On
>>>>> Behalf Of dan (ddp)
>>>>> Sent: Thursday, October 14, 2010 6:10 PM
>>>>> To: [email protected]
>>>>> Subject: Re: [ossec-list] Two Questions
>>>>>
>>>>> On Thu, Oct 14, 2010 at 4:02 PM, Jefferson, Shawn
>>>>> <[email protected]> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> It doesn't seem to work in Windows with this in the ossec.conf:
>>>>>>
>>>>>> <localfile>
>>>>>> <log_format>full_command</log_format>
>>>>>> <command>netstat -an | find "LISTEN"</command>
>>>>>> </localfile>
>>>>>>
>>>>>> Nothing in the ossec.log to say it's going to monitor this "localfile".
>>>>>>
>>>>>> I'm running 2.4.1 on server and agent.
>>>>>>
>>>>>> What about the registry ignore problem? I've tried to ignore
>>>>>> "GPExtensions\{" and the "^'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
>>>>>> NT\CurrentVersion\Winlogon\GPExtensions\{" and neither one has worked,
>>>>>> still getting alerts on this from all servers.
>>>>>>
>>>>>> Someone else must have run into this and setup an ignore statement that
>>>>>> works?
>>>>>>
>>>>>
>>>>> I'm testing it right now, but have you tried it without the trailing
>>>>> "\{"? I haven't had much of a need to do registry ignores.
>>>>>
>>>>
>>>
>>
>
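An added check, not part of this thread or of OSSEC itself: a small Python model of how the two forms of <registry_ignore> are assumed to match (a plain entry compared case-insensitively against the whole key name; type="sregex" as a case-insensitive substring match where only ^, $ and | are special), run over constructed key names like the ones discussed above, so a pattern can be tried against the parent key and its changing subkeys before restarting ossec. The GUID subkey is a placeholder, not a real value from the thread.

```python
import re

# Constructed sample of key names syscheck might report for the thread's
# case: the parent key, one of its churning GUID subkeys (placeholder GUID),
# and two unrelated keys that an ignore must NOT swallow.
SAMPLE_KEYS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions"
    r"\{00000000-0000-0000-0000-000000000000}",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Run",
]


def sregex_to_python(pattern):
    """Translate an sregex-style pattern into a Python regex.

    Assumed semantics (an assumption, not taken from OSSEC source): the
    pattern is a literal, case-insensitive substring; '^' anchors the start,
    '$' anchors the end, '|' separates alternatives; everything else,
    backslashes included, is literal text.
    """
    alts = []
    for alt in pattern.split("|"):
        start = alt.startswith("^")
        end = alt.endswith("$")
        body = alt[1 if start else 0: len(alt) - 1 if end else len(alt)]
        alts.append(("^" if start else "") + re.escape(body) + ("$" if end else ""))
    return re.compile("|".join(alts), re.IGNORECASE)


def ignored(pattern, keys, sregex=True):
    """Return the key names from `keys` that `pattern` would suppress."""
    if sregex:
        rx = sregex_to_python(pattern)
        return [k for k in keys if rx.search(k)]
    # No type attribute: assumed to be a whole-key, case-insensitive comparison.
    return [k for k in keys if k.lower() == pattern.lower()]


if __name__ == "__main__":
    prefix = r"^HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions"
    for pat, mode in [(prefix, True), (prefix[1:], False), (r"GPExtensions\{", True)]:
        print(f"{'sregex' if mode else 'plain '} {pat!r}")
        for k in ignored(pat, SAMPLE_KEYS, sregex=mode):
            print("   ignores", k)
```

The anchored sregex covers the parent key and every subkey under it, while the plain entry only matches the parent key itself, which is the difference the thread is circling around.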
