[ossec-dev] Registry monitoring on ossec (input request)
Hello everyone,
I just completed adding support for monitoring the Windows registry on
ossec. It seems to be fairly stable right now and hopefully a beta version
will be available soon (lots of tests will be required).
The configuration will have the following options available (inside
the syscheck area):
<windows_registry>HKEY_LOCAL_MACHINE,HKEY_LOCAL_MACHINE\Software,HKEY_USERS\Example</windows_registry>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft</registry_ignore>
Where the first option is a list (comma separated) of registry entries
to monitor and the second is a list of entries to ignore.
A question now for you guys (Windows users):
- Which registry entries should we monitor by default?
I was thinking of everything at HKEY_LOCAL_MACHINE\SYSTEM,
HKEY_LOCAL_MACHINE\SECURITY and HKEY_LOCAL_MACHINE\SAM.
Is there anything else worth checking too? Please let me know your
comments...
*btw, next version (1.0) is coming soon...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.
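
The monitor and ignore lists described in the post, checked by a small linter. This is an added example, not code from the post or from OSSEC. It assumes that an entry covers its whole subtree, that an ignore entry wins over a monitor entry, and that keys compare case-insensitively; the function names and the second registry_ignore line are constructed for illustration.

```python
import re

# Constructed sample: the options from the post plus one extra ignore entry.
SAMPLE = r"""
<syscheck>
  <windows_registry>HKEY_LOCAL_MACHINE,HKEY_LOCAL_MACHINE\Software,
  HKEY_USERS\Example</windows_registry>
  <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft</registry_ignore>
  <registry_ignore>HKEY_CURRENT_USER\Console</registry_ignore>
</syscheck>
"""

def norm(key):
    # Registry key names are case-insensitive; drop whitespace and trailing "\".
    return key.strip().rstrip("\\").upper()

def entries(xml, tag):
    # Collect every comma-separated entry from all <tag>...</tag> elements.
    out = []
    for body in re.findall(r"<%s>(.*?)</%s>" % (tag, tag), xml, re.S):
        out += [norm(k) for k in body.split(",") if k.strip()]
    return out

def covers(root, key):
    # Match on a key-path boundary, so ...\Software does not cover ...\SoftwareX.
    return key == root or key.startswith(root + "\\")

def is_monitored(key, monitor, ignore):
    key = norm(key)
    if any(covers(i, key) for i in ignore):
        return False  # assumed: an ignore entry wins over a monitor entry
    return any(covers(m, key) for m in monitor)

def lint(monitor, ignore):
    # Report entries that cannot change what ends up being monitored.
    notes = []
    for m in monitor:
        parents = [p for p in monitor if p != m and covers(p, m)]
        if parents:
            notes.append("redundant: %s is already under %s" % (m, parents[0]))
    for i in ignore:
        if not any(covers(m, i) for m in monitor):
            notes.append("no effect: %s is outside every monitored key" % i)
    return notes

MONITOR = entries(SAMPLE, "windows_registry")
IGNORE = entries(SAMPLE, "registry_ignore")

if __name__ == "__main__":
    print("\n".join(lint(MONITOR, IGNORE)))
```

Under these assumptions the sample line from the post is flagged because HKEY_LOCAL_MACHINE already covers HKEY_LOCAL_MACHINE\Software.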