NTFS Alternate data stream found

Qasim Azam

Jan 5, 2021, 9:14:11 AM1/5/21
to Wazuh mailing list
Hi Guys,
I'm getting so many alerts for NTFS Alternate data stream found. I want to ignore this type of alert. Can you guide me on how I can ignore these alerts?
NTFS Alternate data stream found: 'C:\Program Files\Zabbix Agent:Win32App_1'. 

Thanks 

Victor M Fernandez-Castro

Jan 6, 2021, 12:45:42 PM1/6/21
to Qasim Azam, Wazuh mailing list
Hi Qasim,

I guess the alerts you're receiving are like this one:

** Alert 1609954424.11479: - ossec,rootcheck,gdpr_IV_35.7.d,
2021 Jan 06 18:33:44 groovy->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
NTFS Alternate data stream found: 'C:\some-file'. Possible hidden content.
title: NTFS Alternate data stream found: 'C:\some-file'.

Alerts from the rootkit detector (Rootcheck) have rule ID 510. Their message is in a field called "title". So we need to create a rule with parent 510 and matching the beginning of the message, then we set the level of that rule to 0, meaning that it should not produce an alert.

Copy this rule into /var/ossec/etc/rules/local_rules.xml, or any other file in the same directory:

<group name="ossec,local">
  <rule id="100510" level="0">
    <if_sid>510</if_sid>
    <field name="title">^NTFS Alternate data stream found</field>
    <description>NTFS alternate data stream found.</description>
    <group>rootcheck,gdpr_IV_35.7.d,</group>
  </rule>
</group>

Then, restart your manager. These alerts should not appear any more!

Hope it helps.

Victor M. Fernandez-Castro 
Director of engineering | vic...@wazuh.com

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/27f81a1e-efdc-43e7-a565-6865a85fbde5n%40googlegroups.com.
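A stand-alone model of the rule-tree walk described in the answer, added here as an example; it is not Wazuh's rule engine and not code from the thread. It loads the posted rule 100510 exactly as written, plus a hypothetical narrower variant (rule id 100511 and the two non-Zabbix sample titles are assumptions made for this example), and evaluates both against constructed rootcheck "title" values. The point a practitioner will want to see: the posted rule silences every ADS finding on the host, not only the Zabbix one, while a rule keyed to the known-benign stream leaves other ADS findings at level 7.

```python
"""Model of the rule-tree walk described in the answer: a level-0 child of 510.

Added example, not Wazuh's engine and not code from the thread. Assumptions:
the rootcheck decoder exposes the message as a field named "title" (as the
alert in the thread shows), a <field> pattern is evaluated here with Python's
re.search (Wazuh uses its own OS_Regex dialect; the plain text patterns used
here behave the same in both), and the first matching child rule wins.
"""
import re
import xml.etree.ElementTree as ET

# Parent rule 510 from the stock Wazuh ruleset, as quoted in the thread.
PARENT_RULE = {"id": 510, "level": 7}

# The rule exactly as posted in the thread: silences every ADS finding.
BROAD_RULES = """<group name="ossec,local">
  <rule id="100510" level="0">
    <if_sid>510</if_sid>
    <field name="title">^NTFS Alternate data stream found</field>
    <description>NTFS alternate data stream found.</description>
    <group>rootcheck,gdpr_IV_35.7.d,</group>
  </rule>
</group>"""

# Hypothetical narrower variant (rule id 100511 is an assumption, not from the
# thread): silence only the known-benign Zabbix Agent stream from the question
# and leave every other ADS finding at level 7. Plain text, no backslashes,
# so it reads the same under OS_Regex and Python re.
NARROW_RULES = """<group name="ossec,local">
  <rule id="100511" level="0">
    <if_sid>510</if_sid>
    <field name="title">Zabbix Agent:Win32App_1'</field>
    <description>Known-benign NTFS ADS on the Zabbix Agent binary.</description>
    <group>rootcheck,gdpr_IV_35.7.d,</group>
  </rule>
</group>"""

# Constructed rootcheck "title" values: the first is the one from the question,
# the other two are made up here to show what each rule set still reports.
ALERTS = {
    "zabbix": {"title": "NTFS Alternate data stream found: "
                        "'C:\\Program Files\\Zabbix Agent:Win32App_1'."},
    "other_ads": {"title": "NTFS Alternate data stream found: "
                           "'C:\\Users\\Public\\notes.txt:hidden'."},
    "non_ads": {"title": "Trojaned version of file '/bin/ls' detected."},
}


def load_child_rules(rules_xml):
    """Parse <rule> elements and the parent ids they hang off via <if_sid>."""
    rules = []
    for rule in ET.fromstring(rules_xml).iter("rule"):
        if_sid = rule.findtext("if_sid") or ""
        rules.append({
            "id": int(rule.get("id")),
            "level": int(rule.get("level")),
            "parents": [int(s) for s in if_sid.split(",") if s.strip()],
            "fields": [(f.get("name"), f.text) for f in rule.findall("field")],
        })
    return rules


def effective_rule(alert, child_rules, parent=PARENT_RULE):
    """Return the (rule id, level) the alert ends up with.

    Once the parent (510) fires, its children are tried in file order and the
    first one whose <field> patterns all match takes over. Level 0 means the
    manager emits no alert at all.
    """
    for rule in child_rules:
        if parent["id"] not in rule["parents"]:
            continue
        if all(re.search(pat, alert.get(name, "")) for name, pat in rule["fields"]):
            return rule["id"], rule["level"]
    return parent["id"], parent["level"]


def suppression_table():
    """Evaluate both rule sets against every constructed alert."""
    table = {}
    for name, rules_xml in (("broad", BROAD_RULES), ("narrow", NARROW_RULES)):
        rules = load_child_rules(rules_xml)
        table[name] = {label: effective_rule(alert, rules)
                       for label, alert in ALERTS.items()}
    return table


if __name__ == "__main__":
    for rule_set, rows in suppression_table().items():
        for label, (rule_id, level) in rows.items():
            print(f"{rule_set:6} {label:10} -> rule {rule_id}, level {level}")
```

Two things carry over to a real deployment: custom rule ids must stay in the 100000-119999 range, as the posted rule does, and if you tighten the pattern to include a full Windows path, remember that `<field>` is evaluated with Wazuh's OS_Regex, whose escaping differs from Python's, so check the rule on the manager rather than trusting this model for anything beyond plain text.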