Hi Roald,
This is only available in the latest snapshot. http://www.ossec.net/files/snapshots/ossec-hids-060912.tar.gz If you install it, you can give these two extra options at the ossec.conf: "auto_ignore" and "alert_new_files". The first one allows you to enable or disable the auto_ignore and the second one allows you to alert on new files. To disable the auto_ignore, you would do: <syscheck> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories> <directories check_all="yes">/bin,/sbin</directories> <auto_ignore>no</auto_ignore> </syscheck> Hope it helps, -- Daniel B. Cid dcid ( at ) ossec.net On 9/11/06, Roald <[EMAIL PROTECTED]> wrote:
Hi! I can't seem to get this to work? Can you give me an exact example of how to specify this in ossec.conf? Thank you! -- Regard Roald Amundsen On 8/17/06, Daniel Cid <[EMAIL PROTECTED]> wrote: > Hi Roald, > > Unfortunately right now you can not change this behavior (not in the > config). However > I will fix that for the next version. I also opened a bug (in our new > bugzilla) about it.. > > http://www.ossec.net/bugs/show_bug.cgi?id=2 > > However, if you go to src/analysisd/decoders/syscheck.c and on line 252, > remove the return statement (or comment it out) you will always get the > message (in the message it will say it will ignore but will not). > > Change from: > > if(p >= 3) > { > /* Ignoring it.. */ > return; > } > > > To: > > if(p >= 3) > { > /* Ignoring it.. */ > //return; > } > > > *and recompiles the code (just typing make under ./src/analysisd and copying the > created ossec-analysisd to /var/ossec/bin) will work. > > *this change is only necessary in the server. > > Hope it helps. > > Daniel > > On 8/16/06, Roald <[EMAIL PROTECTED]> wrote: > > Hi! > > > > I want to know about all changes in some files. How can I stop ignoring > > after it has changes the third time? > > > > (I have a server that contains some scripts that several people makes > > changes in, and I want to get notified every time someone changes anything) > > > > -- > > Roald Martin Amundsen > -- Roald Martin Amundsen
