I would love to see those. Can you guys share the entries that you are seeing changing often? Or the rules you added to ignore them?
To tell the truth, I don't like any of the default integrity checking rules (especially for Windows), so it might be a good time to start improving/reworking them.

thanks,

--
Daniel B. Cid
http://dcid.me

On Wed, Apr 4, 2012 at 11:18 AM, Walden H. Leverich <[email protected]> wrote:
> We're just getting started w/OSSEC and the false-positives in the registry
> are indeed an issue. As are the scanning rules between 32-bit and 64-bit
> Windows. So far we've just been adding rules to ignore changes to registry
> keys that change on a regular basis like DHCP lease-times, VSS Diagnostics,
> and some Symantec NAV keys.
>
> Any idea if there's any repository of these changes/ideas/rules anywhere?
>
> -Walden
>
> --
> Walden H Leverich III
> Tech Software &
> BEC - IRBManager
> (516) 627-3800 x3051
> [email protected]
> http://www.TechSoftInc.com
> http://www.IRBManager.com
>
> Quiquid latine dictum sit altum viditur.
> (Whatever is said in Latin seems profound.)
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Youngquist, Jason R.
> Sent: Wednesday, April 04, 2012 10:01 AM
> To: ossec-list
> Subject: [ossec-list] alerts on windows registry changes - how useful?
>
> We've had OSSEC up and running for a while now, and quite often I get a number
> of email alerts on Windows server registry changes. Have people found these
> windows registry change alerts to be useful in tracking down and
> investigating issues that they've found? Every couple months I go through
> all of the false-positives and create entries to ignore them, but even after
> I do this, I still continue to keep getting tons of registry changes from the
> servers (usually when they are updated with Microsoft updates I get tons).
> Was wondering if there might be a better way to still get registry changes
> but reduce the amount of false positives that I get.
>
>
> Thanks.
> Jason Youngquist, CISSP
> Information Technology Security Engineer
> Technology Services
> Columbia College
> 1001 Rogers Street, Columbia, MO 65216
> (573) 875-7334
> [email protected]
> http://www.ccis.edu
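A triage helper for the workflow the thread describes (finding which registry keys change often before writing ignore entries), added here as an example and not code from the list or from OSSEC itself. It tallies registry checksum-change alerts per key from constructed sample alerts.log entries and renders `<registry_ignore>` lines only for keys that recur, so a one-off change to a persistence key such as `...\CurrentVersion\Run` still alerts; the host names, GUID and hashes in the sample are made up, and the alert layout is assumed to match OSSEC's syscheck-registry alerts.

```python
import re
from collections import Counter

# Constructed sample entries shaped like OSSEC alerts.log registry alerts
# (hosts, interface GUID and checksums are invented for this example).
SAMPLE_ALERTS = r"""
** Alert 1333548060.1: - ossec,syscheck,
2012 Apr 04 10:01:00 (winsrv01) 10.0.0.5->syscheck-registry
Rule: 594 (level 5) -> 'Registry Integrity Checksum Changed'
Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{IFACE-GUID}'

** Alert 1333551660.2: - ossec,syscheck,
2012 Apr 04 11:01:00 (winsrv01) 10.0.0.5->syscheck-registry
Rule: 594 (level 5) -> 'Registry Integrity Checksum Changed'
Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{IFACE-GUID}'

** Alert 1333555260.3: - ossec,syscheck,
2012 Apr 04 12:01:00 (winsrv02) 10.0.0.6->syscheck-registry
Rule: 594 (level 5) -> 'Registry Integrity Checksum Changed'
Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
"""

KEY_RE = re.compile(r"Integrity checksum changed for: '(.+)'")
HOST_RE = re.compile(r"\((\S+)\) \S+->syscheck-registry")


def parse_registry_alerts(text):
    """Return (host, registry_key) pairs, one per registry checksum alert."""
    pairs = []
    for block in text.split("** Alert")[1:]:
        host, key = HOST_RE.search(block), KEY_RE.search(block)
        if host and key:
            pairs.append((host.group(1), key.group(1)))
    return pairs


def rank_noisy_keys(pairs, min_hits=2):
    """Keys seen at least min_hits times, most frequent first; rare ones stay out."""
    counts = Counter(key for _, key in pairs)
    return [(k, n) for k, n in counts.most_common() if n >= min_hits]


def build_registry_ignore(keys):
    """Render candidate <registry_ignore> lines for the agent's <syscheck> block."""
    return "\n".join(f"  <registry_ignore>{k}</registry_ignore>" for k in keys)


if __name__ == "__main__":
    noisy = rank_noisy_keys(parse_registry_alerts(SAMPLE_ALERTS))
    for key, n in noisy:
        print(f"{n:4d}  {key}")
    print(build_registry_ignore(k for k, _ in noisy))
```

Review the ranked list before pasting anything into ossec.conf; a key that changes often on every host is a different case from one that changes often on a single host.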
