Hi Daniel, Hi List

I tried it and it doesn't work. Maybe I am just too silly... What is the right syntax for this? I used the syntax from the manual pages.

What I did:

1) Created /tmp/checkme/one, two, three

2) Added this rule to the local_rules:

    <rule id="100122" level="0">
      <if_group>syscheck</if_group>
      <time>17:00-17:10</time>
      <weekday>monday</weekday>
      <description>Ignore syscheck during that time</description>
    </rule>

3) Changed syscheck time in ossec.conf to 17:15 (<scan_time>17:15</scan_time>), added /tmp/checkme for syschecking, restarted ossec.

4) I manually changed the files one and two at 17:01 (should be ignored)

5) ... changed file three at 17:11 (should be detected)

What happened: Syscheck runs at 17:25 (Why not 17:15?):

    ** Alert 1215444332.2858: mail - ossec,syscheck,
    2008 Jul 07 17:25:32 machine->syscheck
    Rule: 550 (level 7) -> 'Integrity checksum changed.'
    Src IP: (none)
    User: (none)
    Integrity checksum changed for: '/tmp/checkme/one'
    ...

    ** Alert 1215444332.3335: mail - ossec,syscheck,
    2008 Jul 07 17:25:32 machine->syscheck
    Rule: 550 (level 7) -> 'Integrity checksum changed.'
    Src IP: (none)
    User: (none)
    Integrity checksum changed for: '/tmp/checkme/two'
    ...

    ** Alert 1215444332.3812: mail - ossec,syscheck,
    2008 Jul 07 17:25:32 machine->syscheck
    Rule: 550 (level 7) -> 'Integrity checksum changed.'
    Src IP: (none)
    User: (none)
    Integrity checksum changed for: '/tmp/checkme/three'
    ...

So it is not relevant at which time the file was changed. It is only relevant when syscheck detects the changed files. Is this correct? If yes, this is a bug from my point of view.

Thanks & Regards,
Matthias
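The behaviour described in the message above can be replayed offline. The following is an added example, not OSSEC's own code or anything from the original thread: it parses alert blocks shaped like the ones quoted (the first two are copied from the post, the third is a constructed alert at 17:05 that does not appear in the post) and applies a <time>/<weekday> window to the only timestamp an alert carries, the detection time in its header. Because the alert contains no file modification time, a window rule can only ever be evaluated against when syscheck ran; the wrap-past-midnight handling in in_window is this example's own choice, not a statement about how OSSEC evaluates <time>.

```python
"""Replay syscheck alerts against a <time>/<weekday> ignore window.

Added example (not OSSEC's own code). It models the observation from the
thread: the only timestamp a rule can see is the one in the alert header,
i.e. when syscheck detected the change, not when the file was modified.
"""
import re
from datetime import datetime, time

# Constructed sample. The first two blocks mirror alerts quoted in the post;
# the third is an invented alert at 17:05 to show what falls inside the window.
SAMPLE_ALERTS = """\
** Alert 1215444332.2858: mail  - ossec,syscheck,
2008 Jul 07 17:25:32 machine->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Src IP: (none)
User: (none)
Integrity checksum changed for: '/tmp/checkme/one'

** Alert 1215444332.3335: mail  - ossec,syscheck,
2008 Jul 07 17:25:32 machine->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Src IP: (none)
User: (none)
Integrity checksum changed for: '/tmp/checkme/two'

** Alert 1215443100.0001: mail  - ossec,syscheck,
2008 Jul 07 17:05:00 machine->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Src IP: (none)
User: (none)
Integrity checksum changed for: '/tmp/checkme/constructed'
"""

# Field patterns for the lines of one alert block (multi-line mode).
TIMESTAMP_RE = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+)->(\S+)$", re.M)
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\)", re.M)
FILE_RE = re.compile(r"^Integrity checksum changed for: '([^']*)'", re.M)


def parse_alerts(text):
    """Split the log into alert blocks and extract the fields a rule can use."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ts = TIMESTAMP_RE.search(block)
        rule = RULE_RE.search(block)
        path = FILE_RE.search(block)
        if not (ts and rule and path):
            continue  # not a syscheck alert in the expected shape; skip it
        alerts.append({
            "detected": datetime.strptime(ts.group(1), "%Y %b %d %H:%M:%S"),
            "rule": int(rule.group(1)),
            "level": int(rule.group(2)),
            "path": path.group(1),
        })
    return alerts


def parse_window(spec):
    """'17:00-17:10' -> (time(17, 0), time(17, 10))."""
    start, end = spec.split("-")
    return time.fromisoformat(start), time.fromisoformat(end)


def in_window(when, spec, weekday):
    """True if `when` lies in the HH:MM-HH:MM window on the given weekday.

    A window whose end is earlier than its start is treated as wrapping
    past midnight (this example's convention, not a claim about OSSEC).
    """
    if when.strftime("%A").lower() != weekday.lower():
        return False
    start, end = parse_window(spec)
    t = when.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def classify(text, spec="17:00-17:10", weekday="monday"):
    """Map each file path to 'ignored' (window matched) or 'alerted'."""
    return {
        a["path"]: "ignored" if in_window(a["detected"], spec, weekday) else "alerted"
        for a in parse_alerts(text)
    }


if __name__ == "__main__":
    for path, verdict in classify(SAMPLE_ALERTS).items():
        print(f"{path}: {verdict}")
```

Running it shows /tmp/checkme/one and /tmp/checkme/two as "alerted" even though the post says they were edited at 17:01, because the alerts for them are stamped 17:25:32; only the constructed 17:05 alert falls inside the window. The practical consequence for a defender is that a time-based ignore rule on syscheck suppresses detections by scan time, so it must be aligned with <scan_time>, not with when files are expected to change.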
