Re: [ossec-list] OSSEC windows agent - Registry modification alerts

2013-05-05 Thread Michael Starks
On 05/02/2013 08:53 PM, Ruwan Geeganage wrote:
> Thanks Michael. Is there any solution for getting real time alerts for registry modifications?

Not exactly realtime, but better than a scheduled syscheck--I use this in my agent.conf: full_command %WINDIR%\system32\reg.exe query HK

Re: [ossec-list] OSSEC windows agent - Registry modification alerts

2013-05-02 Thread Ruwan Geeganage
Thanks Michael. Is there any solution for getting real time alerts for registry modifications?

On Friday, May 3, 2013 2:06:04 AM UTC+5:30, Michael Starks wrote:
> On 02.05.2013 10:51, dan (ddp) wrote:
>> On Thu, May 2, 2013 at 11:39 AM, Ruwan Geeganage wrote:
>>> I'm not sure whet

Re: [ossec-list] OSSEC windows agent - Registry modification alerts

2013-05-02 Thread Michael Starks
On 02.05.2013 10:51, dan (ddp) wrote:
> On Thu, May 2, 2013 at 11:39 AM, Ruwan Geeganage wrote:
>> I'm not sure whether it works real time. I also want to know that. And I also want to configure it if it's possible.
> Add the realtime option to your windows_registry setting. See if it works. Report back

Re: [ossec-list] OSSEC windows agent - Registry modification alerts

2013-05-02 Thread Ruwan Geeganage
>>> /www.ossec.net/doc/manual/syscheck/
>>> I also recommend turning auto_ignore off, so you will continue to be notified after the 3rd change detection. Stick no

Re: [ossec-list] OSSEC windows agent - Registry modification alerts

2013-05-02 Thread dan (ddp)
>>> notified after the 3rd change detection. Stick no into the syscheck portion of your ossec.conf.
>>> You might also wish to look at the do_not_delay email option:

Re: [ossec-list] OSSEC windows agent - Registry modification alerts

2013-05-02 Thread Ruwan Geeganage
>>> http://www.ossec.net/doc/syntax/head_ossec_config.email_alerts.html
>>> No idea about OSSIM. I don’t use it.
>>> From: ossec...@googlegroups.com [mailto:ossec.

Re: [ossec-list] OSSEC windows agent - Registry modification alerts

2013-05-02 Thread dan (ddp)
>>> You might also wish to look at the do_not_delay email option:
>>> http://www.ossec.net/doc/syntax/head_ossec_config.email_alerts.html
>>> No idea about OSSIM. I don’t use it.
>>> Fr

Re: [ossec-list] OSSEC windows agent - Registry modification alerts

2013-05-02 Thread Ruwan Geeganage
>> ...@googlegroups.com [mailto:ossec...@googlegroups.com] *On Behalf Of* Ruwan Geeganage
>> *Sent:* Wednesday, May 01, 2013 9:33 AM
>> *To:* ossec...@googlegroups.com
>> *Subject:* Re: [ossec-list] OSSEC windows agent - Registry modification alerts

Re: [ossec-list] OSSEC windows agent - Registry modification alerts

2013-05-01 Thread Ruwan Geeganage
> about OSSIM. I don’t use it.
> *From:* ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] *On Behalf Of* Ruwan Geeganage
> *Sent:* Wednesday, May 01, 2013 9:33 AM
> *To:* ossec...@googlegroups.com
> *Subject:* Re: [ossec-list] OSSEC windows agent

RE: [ossec-list] OSSEC windows agent - Registry modification alerts

2013-05-01 Thread LostInTheTubez
s.com
Subject: Re: [ossec-list] OSSEC windows agent - Registry modification alerts

Hi, thanks for the quick reply. I want to get informed as soon as the registry modification has been done. Can I get these notifications by applying your modification? How can I do this in OSSIM?

Re: [ossec-list] OSSEC windows agent - Registry modification alerts

2013-05-01 Thread Ruwan Geeganage
Hi, thanks for the quick reply. I want to get informed as soon as the registry modification has been done. Can I get these notifications by applying your modification? How can I do this in OSSIM? What correlation directive should I use? Thank you so much

On Wednesday, May 1, 2013 9:03:14 PM UTC+5:

RE: [ossec-list] OSSEC windows agent - Registry modification alerts

2013-05-01 Thread LostInTheTubez
The last OSSEC release made all registry changes drop below the default email threshold, even useful ones like this. Add something to local_rules.xml to selectively elevate the Level, like this: 594 \SOFTWARE\Microsoft\Windows\CurrentVersion\Run A change has been mad