Walden, I saw your earlier email asking a similar question, and although I don't know of any repository, let me know if you find / create one. I just started with OSSEC and have a few rules for Server 2008 specific alerts, but really need some more.

Jason, I have been meaning to chase down some of the registry changes that aren't much of a concern, but haven't gotten around to it. Not to mention routine computer account password changes. I would be really interested in what you come up with.

Thanks,
Mike Scott

On Wed, Apr 4, 2012 at 8:18 AM, Walden H. Leverich <[email protected]> wrote:

> We're just getting started w/OSSEC and the false-positives in the registry
> are indeed an issue. As is the scanning rules between 32-bit and 64-bit
> Windows. So far we've just been adding rules to ignore changes to registry
> keys that change on a regular basis like DHCP lease-times, VSS Diagnostics,
> and some Symantec NAV keys.
>
> Any idea if there's any repository of these changes/ideas/rules anywhere?
>
> -Walden
>
> --
> Walden H Leverich III
> Tech Software &
> BEC - IRBManager
> (516) 627-3800 x3051
> [email protected]
> http://www.TechSoftInc.com
> http://www.IRBManager.com
>
> Quiquid latine dictum sit altum viditur.
> (Whatever is said in Latin seems profound.)
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Youngquist, Jason R.
> Sent: Wednesday, April 04, 2012 10:01 AM
> To: ossec-list
> Subject: [ossec-list] alerts on windows registry changes - how useful?
>
> We've had OSSEC up and running for awhile now, and quite often I get a
> number of email alerts on Windows server registry changes. Have people
> found these windows registry change alerts to be useful in tracking down
> and investigating issues that they've found? Every couple months I go
> through all of the false-positives and create entries to ignore them, but
> even after I do this, I still continue to keep getting tons of registry
> changes from the servers (usually when they are updated with Microsoft
> updates I get tons). Was wondering if there might be a better way to still
> get registry changes but reduce the amount of false positives that I get.
>
>
> Thanks.
> Jason Youngquist, CISSP
> Information Technology Security Engineer
> Technology Services
> Columbia College
> 1001 Rogers Street, Columbia, MO 65216
> (573) 875-7334
> [email protected]
> http://www.ccis.edu
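As an added illustration of the approach Walden describes (keeping registry monitoring on but excluding keys that rewrite themselves on a schedule), here is an ossec.conf `<syscheck>` fragment for a Windows agent. It is not from any of the posts above and is not OSSEC's shipped configuration; the monitored hives and the first three `registry_ignore` entries follow what I recall of the stock agent defaults, the DHCP and VSS paths are my assumptions about where that churn lives, and the vendor key is an obvious placeholder to be replaced with the path seen in your own alerts.

```xml
<!-- Added example (not from the thread): ossec.conf syscheck section for a
     Windows agent. Paths marked "assumed" are my guesses at the churning keys
     mentioned in the thread; verify each against your own alert history before
     ignoring it, so you never silence a key you actually care about. -->
<syscheck>
  <!-- Scan interval in seconds (22 hours). -->
  <frequency>79200</frequency>

  <!-- Hives worth watching: persistence locations, service definitions, LSA. -->
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>

  <!-- Ignores I recall from the stock agent config. The LSA Secrets key holds
       the machine account password ($MACHINE.ACC), which rotates on its own;
       this is the "routine computer account password change" noise. -->
  <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
  <!-- sregex form: any key whose name ends in \Enum (plug-and-play device lists). -->
  <registry_ignore type="sregex">\Enum$</registry_ignore>

  <!-- Site-specific ignores for the churn named in the thread. -->
  <!-- Assumed: DHCP lease timestamps live under the per-interface GUID keys here. -->
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces</registry_ignore>
  <!-- Assumed: Volume Shadow Copy diagnostics counters. -->
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag</registry_ignore>
  <!-- Placeholder for an AV/vendor key that rewrites itself on every
       definition update; copy the real path from your own alerts. -->
  <registry_ignore>HKEY_LOCAL_MACHINE\Software\VENDOR_PLACEHOLDER\UpdateState</registry_ignore>
</syscheck>
```

Two design points. First, ignore the narrowest key that actually churns rather than its parent: excluding all of `Services` would also hide a newly registered service, which is exactly the kind of change these alerts exist to catch. Second, for keys you still want on record but not in your inbox (Jason's "still get registry changes but reduce the false positives"), the alternative to `registry_ignore` is a local rule that lowers the alert level below the `email_alert_level` set in the `<global>` section; the change is then written to alerts.log but no mail is sent.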
