I would love to see those. Can you guys share the entries that you are
seeing changing often? Or the rules you added to ignore them?

To tell the truth, I don't like any of the default integrity checking
rules (especially for Windows), so it might be a good time to start
improving/reworking them.

thanks,

--
Daniel B. Cid
http://dcid.me

On Wed, Apr 4, 2012 at 11:18 AM, Walden H. Leverich
<[email protected]> wrote:
> We're just getting started w/OSSEC and the false-positives in the registry 
> are indeed an issue. As is the scanning rules between 32-bit and 64-bit 
> Windows. So far we've just been adding rules to ignore changes to registry 
> keys that change on a regular basis like DHCP lease-times, VSS Diagnostics, 
> and some Symantec NAV keys.
>
> Any idea if there's any repository of these changes/ideas/rules anywhere?
>
> -Walden
>
> --
> Walden H Leverich III
> Tech Software &
> BEC - IRBManager
> (516) 627-3800 x3051
> [email protected]
> http://www.TechSoftInc.com
> http://www.IRBManager.com
>
> Quiquid latine dictum sit altum viditur.
> (Whatever is said in Latin seems profound.)
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On 
> Behalf Of Youngquist, Jason R.
> Sent: Wednesday, April 04, 2012 10:01 AM
> To: ossec-list
> Subject: [ossec-list] alerts on windows registry changes - how useful?
>
> We've had OSSEC up and running for a while now, and quite often I get a number 
> of email alerts on Windows server registry changes.  Have people found these 
> Windows registry change alerts to be useful in tracking down and 
> investigating issues that they've found?  Every couple months I go through 
> all of the false-positives and create entries to ignore them, but even after 
> I do this, I still continue to keep getting tons of registry changes from the 
> servers (usually when they are updated with Microsoft updates I get tons).  
> Was wondering if there might be a better way to still get registry changes 
> but reduce the amount of false positives that I get.
>
>
> Thanks.
> Jason Youngquist, CISSP
> Information Technology Security Engineer
> Technology Services
> Columbia College
> 1001 Rogers Street, Columbia, MO  65216
> (573) 875-7334
> [email protected]
> http://www.ccis.edu
