I'm new to OSSEC so please point me to documentation I'm missing, but... Is there a repository of community rules maintained anywhere? Specifically I'm looking for the additional rules necessary for 64-bit Windows syschecks. The "native" rules are fine, but since the agent is a 32-bit app, its requests to /system32 are actually redirected to /SysWOW64 and the agent never actually looks in the real /system32 directory. It would seem that copying all the /system32 rules (since you still need them) and also checking /sysnative would work, but I don't want to reinvent the wheel. And I haven't even gotten my head around how that affects the registry.
Thx, -Walden

--
Walden H Leverich III
Tech Software & BEC - IRBManager
(516) 627-3800 x3051
[email protected]
http://www.TechSoftInc.com
http://www.IRBManager.com

Quidquid latine dictum sit, altum videtur. (Whatever is said in Latin seems profound.)

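The workaround sketched in the question (keep the System32 entries and add Sysnative) as an agent-side syscheck fragment. This is an added example, not part of the original post and not from OSSEC's own documentation; the paths and the 7200-second frequency are assumptions, and the `Sysnative` alias is only present on 64-bit Windows Vista / Server 2008 and later (older 64-bit releases needed a Microsoft hotfix).

```xml
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>

    <!-- Weak form: only System32 is listed. Because the agent is a
         32-bit process on 64-bit Windows, WOW64 file redirection turns
         this path into C:\Windows\SysWOW64, so the real 64-bit System32
         is never scanned.
    <directories check_all="yes">C:\Windows\System32</directories>
    -->

    <!-- Corrected form: keep the System32 entry (from the 32-bit agent it
         effectively covers the 32-bit copies in SysWOW64) and add Sysnative,
         the alias Windows exposes to 32-bit processes that resolves to the
         real 64-bit System32. -->
    <directories check_all="yes">C:\Windows\System32</directories>
    <directories check_all="yes">C:\Windows\Sysnative</directories>

    <!-- Log and temp files under System32 change constantly; ignore them
         in both views so the Sysnative entry does not double the noise. -->
    <ignore>C:\Windows\System32\LogFiles</ignore>
    <ignore>C:\Windows\Sysnative\LogFiles</ignore>
  </syscheck>
</ossec_config>
```

One thing to expect in the alerts: changes reported under `C:\Windows\System32` by this agent actually describe files in `SysWOW64`, while changes under `C:\Windows\Sysnative` describe the real 64-bit `System32`. The registry has the same split: a 32-bit process that opens `HKEY_LOCAL_MACHINE\Software` is redirected to the `WOW6432Node` view unless it opens the key with the `KEY_WOW64_64KEY` flag, and whether a given agent build sets that flag for `<windows_registry>` entries is something to verify against the agent source for the version in use rather than assume.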