On 04/04/2012 09:00 AM, Youngquist, Jason R. wrote:
We've had OSSEC up and running for a while now, and quite often I get a number
of email alerts on Windows server registry changes. Have people found these
Windows registry change alerts to be useful in tracking down and investigating
issues that they've found? Every couple of months I go through all of the
false positives and create entries to ignore them, but even after I do this, I
still keep getting tons of registry changes from the servers (usually when they
are updated with Microsoft updates I get tons). I was wondering if there might
be a better way to still get registry changes but reduce the number of false
positives that I get.

Hello Jason,
I don't find them very useful at all, especially since you don't know
what changed. There are a few areas that malware likes to target that
are good to know about, such as when the Windows Security Center gets
disabled. Changes to the Run key are interesting. Changes to the
Services area can be interesting, but only if properly filtered.
I agree with Daniel--this is an area that needs work.
-Mike
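As an added example (not from Jason's or Mike's messages, and not OSSEC's stock configuration), the following shows one way to keep the registry checks Mike singles out while cutting the update noise Jason describes. The first part is a syscheck stanza for a Windows `agent.conf` that watches only the Run/RunOnce, Security Center and Services keys and ignores subkeys that churn on every service start or update; the second part is a set of `local_rules.xml` rules that raise changes to autostart and Security Center keys above OSSEC's default `email_alert_level` of 7 and keep Services changes logged but not mailed. The rule IDs (100200 to 102002), the ignore patterns beyond `\Enum$`, and the substring `<match>` values are assumptions for illustration; tune them against the syscheck alerts your own servers actually produce, since the alert only tells you which key's checksum changed, not the new value.

```xml
<!-- Part 1: shared agent.conf, pushed to Windows agents only.            -->
<!-- Assumed key list: the areas named in the thread, nothing else.       -->
<agent_config os="Windows">
  <syscheck>
    <frequency>7200</frequency>

    <!-- Persistence: anything written here runs at logon -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>

    <!-- Defence evasion: Security Center being switched off -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center</windows_registry>

    <!-- Services: useful, but only with the ignores below -->
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>

    <!-- Subkeys rewritten on every boot/service start (assumed noise list). -->
    <!-- type="sregex" is OSSEC's simple-regex matcher; $ anchors the end.   -->
    <registry_ignore type="sregex">\Enum$</registry_ignore>
    <registry_ignore type="sregex">\Security$</registry_ignore>
    <registry_ignore type="sregex">\Parameters\Tcpip$</registry_ignore>
  </syscheck>
</agent_config>

<!-- Part 2: local_rules.xml on the manager. All syscheck alerts carry    -->
<!-- group "syscheck", so if_group catches registry events as well.      -->
<!-- match is a substring test, not a full regex (assumption: OSSEC 2.x). -->
<group name="local,syscheck,">

  <!-- Autostart keys: always mail, regardless of email_alert_level -->
  <rule id="100200" level="12">
    <if_group>syscheck</if_group>
    <match>CurrentVersion\Run</match>
    <description>Registry autostart (Run/RunOnce) key changed</description>
    <options>alert_by_email</options>
  </rule>

  <!-- Security Center being reconfigured or disabled -->
  <rule id="100201" level="12">
    <if_group>syscheck</if_group>
    <match>Microsoft\Security Center</match>
    <description>Windows Security Center registry key changed</description>
    <options>alert_by_email</options>
  </rule>

  <!-- Services churn: keep it in alerts.log for investigation, never mail it -->
  <rule id="100202" level="3">
    <if_group>syscheck</if_group>
    <match>CurrentControlSet\Services</match>
    <description>Service registry key changed (logged, not emailed)</description>
    <options>no_email_alert</options>
  </rule>

</group>
```

After reloading the manager, a change under `...\CurrentVersion\Run` fires rule 100200 at level 12 and is mailed even if the global `email_alert_level` is raised above 7; the Windows Update storm Jason describes mostly lands under `Services` and is demoted to level 3, so it stays searchable in `alerts.log` without generating mail. Anything OSSEC is not told to watch produces no alert at all, which is the trade-off: the narrower key list is the real noise reduction, and the rules only decide which of the remaining changes deserve an email.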