Solved

OSSEC Reporting Registry Changes

Posted on 2014-04-14
3
552 Views
Last Modified: 2014-04-15
I have gotten alerts for the following registry change a few nights in a row:

Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ASP.NET_2.0.50727\Names'

Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hidusb\Enum'


I've ran scans using multiple tools and cannot find anything irregular.  I've also reviewed all firewall rules for the offending machines and don't see anything unusual.  These machines have no outside internet so its easy to review.

Is it normal for these registry values to change?  Are they false alarms in OSSEC?  I cant seem to find much information about them.
0
Comment
Question by:AllDaySentry
  • 2
3 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40000595
What values is it saying changed? If it's only giving you a check-sum, then you need to write down what the values are from day to day...
C:\Users\rich>reg query HKLM\System\CurrentControlSet\Services\hidusb\Enum

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hidusb\Enum
    Count    REG_DWORD    0x3
    NextInstance    REG_DWORD    0x3
    1    REG_SZ    USB\VID_413C&PID_2011&MI_00\7&146842b9&0&0000
    0    REG_SZ    USB\VID_413C&PID_2011&MI_01\7&146842b9&0&0001
    2    REG_SZ    USB\VID_046D&PID_C05A\6&223d6cf2&0&4

Open in new window

This could be a USB printer rebooting, a wireless mouse going to sleep etc... OSSEC can false-positive, but it typically is just very verbose.
-rich
0
 

Author Comment

by:AllDaySentry
ID: 40002539
I only have the checksums at this point.  I didnt realize this value can change every time the USB device reboots or goes to sleep.  

That would make sense why I am seeing it now.  The attached devices are probably being powered off for weekly maintenance, etc.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 250 total points
ID: 40002557
It never hurts to investigate, I may be wrong, but I've seen that before where a printer goes to sleep/reboots and ossec registers some change there.
-rich
0

Featured Post

Give your grad a cloud of their own!

With up to 8TB of storage, give your favorite graduate their own personal cloud to centralize all their photos, videos and music in one safe place. They can save, sync and share all their stuff, and automatic photo backup helps free up space on their smartphone and tablet.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
Every computer eventually fails. When that happens, your valuable data is only as safe as your current backup.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

896 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now