
[ossec-list] Re: [Fwd: OSSEC Notification - (RPSSQL01) 10.10.1.253 - Alert level 7]



Hi Chad,

I would suggest ignoring this directory on the ossec server. Just add
an additional line to the syscheck ignore:

<ignore>C:\WINDOWS/system32/inetsrv/History</ignore>

It should solve it. For the next version, I will make sure it comes
ignored by default...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net


On 10/2/07, Chad Robertson <chadrober@xxxxxxxxx> wrote:
>
>
> I didn't see a response for this.
>
> I'm having the same issue.  Since upgrading to the latest version of OSSEC many of my servers are generating this alert.
>
> See below.
>
>  ----------
>
> OSSEC HIDS Notification.
>
> 2007 Oct 02 05:11:12
>
>
>
> Received From: (xxxxxx) x.x.x.x->syscheck
>
> Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
>
> Portion of the log(s):
>
>
>
> File 'C:\WINDOWS/system32/inetsrv/History/MBSchema_0000030206_0000000000.xml' was deleted. Unable to retrieve checksum.
>
>  --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
>
> 2007 Oct 02 05:11:12
>
>
>
> Received From: (xxxxxx) x.x.x.x->syscheck
>
> Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
>
> Portion of the log(s):
>
>
>
> File 'C:\WINDOWS/system32/inetsrv/History/MBSchema_0000030207_0000000000.xml' was deleted. Unable to retrieve checksum.
>
>  --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
>
> 2007 Oct 02 05:11:12
>
>
>
> Received From: (xxxxxx) x.x.x.x->syscheck
>
> Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
>
> Portion of the log(s):
>
>
>
> File 'C:\WINDOWS/system32/inetsrv/History/MBSchema_0000030208_0000000000.xml' was deleted. Unable to retrieve checksum.
>
>  --END OF NOTIFICATION
>
> Thanks,
>
> -chad
>
>
>
>   ________________________________
>
> From: ossec-list@xxxxxxxxxxxxxxxx  [mailto:ossec-list@xxxxxxxxxxxxxxxx] On Behalf Of Clayton Dillard
>  Sent: Wednesday, August 29, 2007 4:55 PM
>  To: ossec-list
>  Subject: [ossec-list] [Fwd: OSSEC Notification - (RPSSQL01) 10.10.1.253 - Alert level 7]
>
>
>
> Recently installed OSSEC agent on a Windows Server 2003 R2 box with MS SQL 2005 on it, as well as IIS.  Getting this alert.  Anyone got any insight as to whether this is normal as IIS gens backups of the config and purges old ones?
>
>  Thanks in advance,
>  Clayton Dillard
>
>
>  -------- Forwarded Message --------
>  From: OSSEC HIDS <ossecm@xxxxxxxxxxxxxxxxxxxxxxxxx>
>  To: ids-alerts@xxxxxxxxxxxxxxxxx
>  Subject: OSSEC Notification - (RPSSQL01) 10.10.1.253 - Alert level 7
>  Date: Wed, 29 Aug 2007 14:55:08 EDT
> OSSEC HIDS Notification.
> 2007 Aug 29 14:54:56
>
> Received From: (RPSSQL01) x.x.x.x->syscheck
> Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
>
> Portion of the log(s):
>
> File 'C:\WINDOWS/system32/inetsrv/History/MBSchema_0000000088_0000000000.xml' was deleted. Unable to retrieve checksum.
>
>
>
>   --END OF NOTIFICATION
>
>
>
> OSSEC HIDS Notification.
> 2007 Aug 29 14:54:56
>
> Received From: (RPSSQL01) x.x.x.x->syscheck
> Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
>
> Portion of the log(s):
>
> File 'C:\WINDOWS/system32/inetsrv/History/MetaBase_0000000088_0000000000.xml' was deleted. Unable to retrieve checksum.
>
>
>
>   --END OF NOTIFICATION
>
>
>
> OSSEC HIDS Notification.
> 2007 Aug 29 14:54:56
>
> Received From: (RPSSQL01) x.x.x.x->syscheck
> Rule: 550 fired (level 7) -> "Integrity checksum changed."
>
> Portion of the log(s):
>
> Integrity checksum changed for: 'C:\WINDOWS/system32/inetsrv/MetaBase.xml'
> Old md5sum was: 'ef3df1597cbd473280064e6b3d1cfc81'
> New md5sum is : 'fbe18ed853cfc84594097085c21a2c36'
>
> Old sha1sum was: '13613487f40d277c23438431269ae0e5fd761726'
> New sha1sum is : '2169491d00a7f7b2c498767e9c351d8ed9abfe4b'
>
>
>
>  --END OF NOTIFICATION
>
>    Clayton Dillard
>    Director of Information Technology
>    RPS Technology LLC
>    Tel: 919-319-4301 x205
>    Cell: 919-414-0265
>    Fax: 919-882-8261
>
>
>
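
Added example, not part of the original messages and not OSSEC's own code: a small triage script that parses notification text like the alerts quoted above and separates the alerts the suggested ignore entry would silence from those that would still fire (the rule 550 change on MetaBase.xml sits outside the History directory). The sample text is constructed from the quoted alerts, and treating the entry as a case-insensitive directory prefix is an assumed model of how syscheck applies it.

```python
import re
from collections import Counter

# Constructed sample, modelled on the notifications quoted in this thread.
SAMPLE = r"""
Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
File 'C:\WINDOWS/system32/inetsrv/History/MBSchema_0000030206_0000000000.xml' was deleted. Unable to retrieve checksum.
 --END OF NOTIFICATION
Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
File 'C:\WINDOWS/system32/inetsrv/History/MetaBase_0000000088_0000000000.xml' was deleted. Unable to retrieve checksum.
 --END OF NOTIFICATION
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Integrity checksum changed for: 'C:\WINDOWS/system32/inetsrv/MetaBase.xml'
 --END OF NOTIFICATION
"""

RULE_RE = re.compile(r"^Rule: (\d+) fired", re.M)
PATH_RE = re.compile(r"(?:^File|checksum changed for:) '([^']+)'", re.M)

def parse_alerts(text):
    """Return a (rule_id, path) tuple for each notification block."""
    alerts = []
    for block in text.split("--END OF NOTIFICATION"):
        rule, path = RULE_RE.search(block), PATH_RE.search(block)
        if rule and path:
            alerts.append((int(rule.group(1)), path.group(1)))
    return alerts

def _norm(path):
    # Windows paths: treat both separators alike, compare case-insensitively.
    return path.replace("\\", "/").rstrip("/").lower()

def is_ignored(path, ignore_dir):
    """Assumed matching model: the entry covers the directory and all below it."""
    p, ig = _norm(path), _norm(ignore_dir)
    return p == ig or p.startswith(ig + "/")

def triage(text, ignore_dir):
    """Split alerts into those the ignore entry would silence and the rest."""
    silenced, remaining = Counter(), []
    for rule, path in parse_alerts(text):
        if is_ignored(path, ignore_dir):
            silenced[rule] += 1
        else:
            remaining.append((rule, path))
    return silenced, remaining
```

Calling `triage(SAMPLE, r"C:\WINDOWS/system32/inetsrv/History")` shows both rule 553 deletions silenced while the rule 550 alert on MetaBase.xml remains, so integrity monitoring of the live IIS metabase is unaffected by the ignore.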

