Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

OSSEC Reporting Registry Changes

Posted on 2014-04-14
3
Medium Priority
?
611 Views
Last Modified: 2014-04-15
I have gotten alerts for the following registry change a few nights in a row:

Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ASP.NET_2.0.50727\Names'

Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hidusb\Enum'


I've ran scans using multiple tools and cannot find anything irregular.  I've also reviewed all firewall rules for the offending machines and don't see anything unusual.  These machines have no outside internet so its easy to review.

Is it normal for these registry values to change?  Are they false alarms in OSSEC?  I cant seem to find much information about them.
0
Comment
Question by:AllDaySentry
  • 2
3 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40000595
What values is it saying changed? If it's only giving you a check-sum, then you need to write down what the values are from day to day...
C:\Users\rich>reg query HKLM\System\CurrentControlSet\Services\hidusb\Enum

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hidusb\Enum
    Count    REG_DWORD    0x3
    NextInstance    REG_DWORD    0x3
    1    REG_SZ    USB\VID_413C&PID_2011&MI_00\7&146842b9&0&0000
    0    REG_SZ    USB\VID_413C&PID_2011&MI_01\7&146842b9&0&0001
    2    REG_SZ    USB\VID_046D&PID_C05A\6&223d6cf2&0&4

Open in new window

This could be a USB printer rebooting, a wireless mouse going to sleep etc... OSSEC can false-positive, but it typically is just very verbose.
-rich
0
 

Author Comment

by:AllDaySentry
ID: 40002539
I only have the checksums at this point.  I didnt realize this value can change every time the USB device reboots or goes to sleep.  

That would make sense why I am seeing it now.  The attached devices are probably being powered off for weekly maintenance, etc.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 1000 total points
ID: 40002557
It never hurts to investigate, I may be wrong, but I've seen that before where a printer goes to sleep/reboots and ossec registers some change there.
-rich
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
When you put your credit card number into a website for an online transaction, surely you know to look for signs of a secure website such as the padlock icon in the web browser or the green address bar.  This is one way to protect yourself from oth…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question