We're just getting started w/ OSSEC and the false positives in the registry are 
indeed an issue. As are the scanning rules between 32-bit and 64-bit Windows. So 
far we've just been adding rules to ignore changes to registry keys that change 
on a regular basis like DHCP lease times, VSS Diagnostics, and some Symantec 
NAV keys. 

Any idea if there's any repository of these changes/ideas/rules anywhere?

-Walden

-- 
Walden H Leverich III
Tech Software & 
BEC - IRBManager
(516) 627-3800 x3051
[email protected]
http://www.TechSoftInc.com
http://www.IRBManager.com

Quidquid latine dictum sit altum videtur.
(Whatever is said in Latin seems profound.)


-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Youngquist, Jason R.
Sent: Wednesday, April 04, 2012 10:01 AM
To: ossec-list
Subject: [ossec-list] alerts on windows registry changes - how useful?

We've had OSSEC up and running for a while now, and quite often I get a number 
of email alerts on Windows server registry changes.  Have people found these 
Windows registry change alerts to be useful in tracking down and investigating 
issues that they've found?  Every couple of months I go through all of the 
false positives and create entries to ignore them, but even after I do this, I 
still continue to get tons of registry changes from the servers 
(usually when they are updated with Microsoft updates I get tons).  Was 
wondering if there might be a better way to still get registry changes but 
reduce the amount of false positives that I get.


Thanks.
Jason Youngquist, CISSP
Information Technology Security Engineer
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO  65216
(573) 875-7334
[email protected]
http://www.ccis.edu

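Below is an added example (not configuration from either poster, and not the OSSEC project's stock config) of the two ways the thread touches on: Walden's approach of ignoring keys that churn on their own, and a rule-level alternative that answers Jason's question of still recording registry changes while cutting down on the email noise. The registry paths are assumptions based on the key families named above (DHCP lease times, VSS diagnostics, Symantec) and should be replaced with the exact paths taken from your own alerts; the rule ID 594 and the file locations are the stock OSSEC ones and should be verified against your installation's syscheck_rules.xml before use.

```xml
<!-- ======================================================================
     Part 1: ossec.conf on the Windows agent (or the same <syscheck> block
     inside <agent_config os="Windows"> in the manager's agent.conf).
     registry_ignore drops the key from the scan entirely: no checksum is
     stored and no alert is ever generated for it. Use it only for keys that
     carry no security signal. Key paths below are assumptions.
     ====================================================================== -->
<ossec_config>
  <syscheck>
    <!-- DHCP lease timestamps (LeaseObtainedTime / LeaseTerminatesTime) live
         under the per-interface GUID subkeys and change on every renewal.
         Ignoring the parent key stops the scan from descending into it. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces</registry_ignore>

    <!-- VSS writes diagnostic state here whenever a snapshot is taken. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag</registry_ignore>

    <!-- Symantec definition/update counters; exact subkey is an assumption,
         take it from the alert that keeps firing. sregex: ^ anchors the
         start, \. is OSSEC's any-character wildcard, used here for the
         path separator so no backslash escaping rules have to be relied on. -->
    <registry_ignore type="sregex">^HKEY_LOCAL_MACHINE\.SOFTWARE\.Symantec\.</registry_ignore>
  </syscheck>
</ossec_config>

<!-- ======================================================================
     Part 2: local_rules.xml on the manager. Instead of hiding the key, keep
     the change in alerts.log (useful later in an investigation) but hold it
     below the email threshold so it is not mailed. Stock rule 594 is
     "Registry Integrity Checksum Changed"; add 597/598 (entry added/deleted)
     to <if_sid> if those are noisy too. Check the IDs in your install.
     ====================================================================== -->
<group name="local,syscheck,">
  <rule id="100100" level="3">
    <if_sid>594</if_sid>
    <!-- OSSEC regex: | is alternation, \. matches any single character and
         stands in for the backslash in the key path. -->
    <regex>Services\.Tcpip\.Parameters\.Interfaces\.|Services\.VSS\.Diag</regex>
    <description>Routine registry churn (DHCP lease, VSS diag): logged, not mailed.</description>
  </rule>
</group>

<!-- ======================================================================
     Part 3: ossec.conf on the manager. The split only works if the logging
     threshold is below the rule's level and the email threshold is above it.
     These are the OSSEC defaults; shown so the relationship is explicit.
     ====================================================================== -->
<ossec_config>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>
```

After editing, restart the agent for Part 1 and the manager for Parts 2 and 3, then trigger a known-noisy change (renew a DHCP lease) and confirm the entry appears in alerts.log at level 3 and no mail is sent. Prefer Part 2 over Part 1 wherever the key could plausibly matter in an incident: a level-3 record costs little disk and is still there to correlate against, whereas an ignored key leaves no trace at all.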