Hi Scott,

Thanks for the suggestions. Make sure you post any suggestion you have (including these) in our bugzilla ( http://www.ossec.net/bugs/ ), so we can consider them for our next release.

As far as #2, we can do that using the active-responses, where any script can be run when a rule is fired (by default we can block ip addresses in the firewall, or disable user accounts).

#3 is also easily done with the rules, where you can ignore or increase the severity based on the agent that generated it.

For #4, I couldn't understand what you mean... We already do md5+sha1 of the registry and system files...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, May 9, 2008 at 4:05 AM, Scott Minns <[EMAIL PROTECTED]> wrote:
>
> Dear all,
>
> I have just started testing ossec for deployment at work to our client
> machines, and we are very impressed so far. There are however a few
> useful features lacking from/that I can't find in the Windows agent that
> would be very handy. Does anyone know if they are available or planned
> for future releases?
>
> 1. The ability to run the agent hidden and prevent the process from
> being closed so we can run it on an unprivileged user and be sure it's
> running.
> 2. The ability to get the agent to fire not just an e-mail, but also to
> run a remote script on the client if an event is triggered, for example
> agent detects skype.exe running, it sends an e-mail to our helpdesk and
> runs a script to tell the user and close skype. This also allows for
> quick fixes to stop a user running a vulnerable application, active
> response, if you like.
> 3. Exceptions, so that we can exempt certain servers/clients from some
> rules.
> 4. md5 file checking, to aid registry version checking. We sometimes
> md5sum the exe of a program we have installed if it doesn't leave a good
> reg key behind to check. It is also handy to checksum so exe's to make
> sure that they haven't been tampered with.
>
> Thanks for all the great work,
>
> Best Regards
> Scott Minns
> --
> This e-mail and any attachments are intended for the addressee only and may
> be confidential. If you are not the intended recipient, please advise the
> sender as soon as practicable and delete the e-mail from your system.
>
> The University of Chichester is a company limited by guarantee, registered in
> England and Wales. Registration number 4740553. The registered office is
> College Lane, Chichester, West Sussex, PO19 6PE.
>
