
[ossec-list] Re: [Fwd: OSSEC Notification - (RPSSQL01) 10.10.1.253 - Alert level 7]



I didn't see a response for this. 

I'm having the same issue.  Since upgrading to the latest version of OSSEC many of my servers are generating this alert.

See below.

 ----------

OSSEC HIDS Notification.
2007 Oct 02 05:11:12

Received From: (xxxxxx) x.x.x.x->syscheck
Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
Portion of the log(s):

File 'C:\WINDOWS/system32/inetsrv/History/MBSchema_0000030206_0000000000.xml' was deleted. Unable to retrieve checksum.

 --END OF NOTIFICATION


OSSEC HIDS Notification.
2007 Oct 02 05:11:12

Received From: (xxxxxx) x.x.x.x->syscheck
Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
Portion of the log(s):

File 'C:\WINDOWS/system32/inetsrv/History/MBSchema_0000030207_0000000000.xml' was deleted. Unable to retrieve checksum.

 --END OF NOTIFICATION


OSSEC HIDS Notification.
2007 Oct 02 05:11:12

Received From: (xxxxxx) x.x.x.x->syscheck
Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
Portion of the log(s):

File 'C:\WINDOWS/system32/inetsrv/History/MBSchema_0000030208_0000000000.xml' was deleted. Unable to retrieve checksum.

 --END OF NOTIFICATION

Thanks,

-chad



From: ossec-list@xxxxxxxxxxxxxxxx [mailto:ossec-list@xxxxxxxxxxxxxxxx] On Behalf Of Clayton Dillard
Sent: Wednesday, August 29, 2007 4:55 PM
To: ossec-list
Subject: [ossec-list] [Fwd: OSSEC Notification - (RPSSQL01) 10.10.1.253 - Alert level 7]

 

Recently installed OSSEC agent on a Windows Server 2003 R2 box with MS SQL 2005 on it, as well as IIS.  Getting this alert.  Anyone got any insight as to whether this is normal as IIS gens backups of the config and purges old ones?

Thanks in advance,
Clayton Dillard


-------- Forwarded Message --------
From: OSSEC HIDS <ossecm@xxxxxxxxxxxxxxxxxxxxxxxxx>
To: ids-alerts@xxxxxxxxxxxxxxxxx
Subject: OSSEC Notification - (RPSSQL01) 10.10.1.253 - Alert level 7
Date: Wed, 29 Aug 2007 14:55:08 EDT

 
OSSEC HIDS Notification.
2007 Aug 29 14:54:56
 
Received From: (RPSSQL01) x.x.x.x->syscheck
Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
Portion of the log(s):
 
File 'C:\WINDOWS/system32/inetsrv/History/MBSchema_0000000088_0000000000.xml' was deleted. Unable to retrieve checksum.
 
 
 
 --END OF NOTIFICATION
 
 
 
OSSEC HIDS Notification.
2007 Aug 29 14:54:56
 
Received From: (RPSSQL01) x.x.x.x->syscheck
Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
Portion of the log(s):
 
File 'C:\WINDOWS/system32/inetsrv/History/MetaBase_0000000088_0000000000.xml' was deleted. Unable to retrieve checksum.
 
 
 
 --END OF NOTIFICATION
 
 
 
OSSEC HIDS Notification.
2007 Aug 29 14:54:56
 
Received From: (RPSSQL01) x.x.x.x->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):
 
Integrity checksum changed for: 'C:\WINDOWS/system32/inetsrv/MetaBase.xml'
Old md5sum was: 'ef3df1597cbd473280064e6b3d1cfc81'
New md5sum is : 'fbe18ed853cfc84594097085c21a2c36'
Old sha1sum was: '13613487f40d277c23438431269ae0e5fd761726'
New sha1sum is : '2169491d00a7f7b2c498767e9c351d8ed9abfe4b'
 
 
 
 --END OF NOTIFICATION
 
 
 


Clayton Dillard
Director of Information Technology
RPS Technology LLC
Tel: 919-319-4301 x205
Cell: 919-414-0265
Fax: 919-882-8261
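
A triage helper for the notification format shown in this thread, as an added example (not part of the original posts and not OSSEC's own code): it groups syscheck alerts by rule ID and parent directory, so a run of rule 553 deletions coming from a single folder stands out from an isolated change. The function names and the embedded sample, built from the alert layout above, are constructed for illustration.

```python
import re
from collections import Counter
from posixpath import dirname

RULE = re.compile(r"^Rule: (\d+) fired \(level (\d+)\)", re.M)
PATH = re.compile(r"(?:^File |changed for: )'([^']+)'", re.M)

def parse_alerts(text):
    """Yield (rule_id, level, path) for each syscheck notification block."""
    for block in text.split("--END OF NOTIFICATION"):
        rule, path = RULE.search(block), PATH.search(block)
        if rule and path:
            # The agent reports mixed separators (C:\WINDOWS/system32/...).
            yield int(rule[1]), int(rule[2]), path[1].replace("\\", "/")

def summarize(text):
    """Count alerts per (rule_id, parent directory) to expose noisy paths."""
    return Counter((rule, dirname(p)) for rule, _, p in parse_alerts(text))

# Constructed sample in the notification layout quoted in this thread.
SAMPLE = r"""OSSEC HIDS Notification.
2007 Oct 02 05:11:12
Received From: (xxxxxx) x.x.x.x->syscheck
Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
Portion of the log(s):
File 'C:\WINDOWS/system32/inetsrv/History/MBSchema_0000030206_0000000000.xml' was deleted. Unable to retrieve checksum.
 --END OF NOTIFICATION
OSSEC HIDS Notification.
2007 Oct 02 05:11:12
Received From: (xxxxxx) x.x.x.x->syscheck
Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
Portion of the log(s):
File 'C:\WINDOWS/system32/inetsrv/History/MBSchema_0000030207_0000000000.xml' was deleted. Unable to retrieve checksum.
 --END OF NOTIFICATION
OSSEC HIDS Notification.
2007 Aug 29 14:54:56
Received From: (RPSSQL01) x.x.x.x->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):
Integrity checksum changed for: 'C:\WINDOWS/system32/inetsrv/MetaBase.xml'
 --END OF NOTIFICATION
"""

if __name__ == "__main__":
    for (rule, folder), n in summarize(SAMPLE).most_common():
        print(f"rule {rule}: {n:3d} alert(s) under {folder}")
```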


 




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.