Hi,

I don't think so. AFAIK, OSSEC uses hashes to discover the change and not the whole old file. So OSSEC discovers only that a file has changed (not what has changed).

logos mentos wrote:
> Hi,
>
> If I get an alert that a file has changed using OSSEC, how can I view
> the before-and-after of the file?
>
> For example, something like:
>
> File changed - *%systemroot%\system32\drivers\etc\hosts*
>
> /_Content Before:_/
>
> 127.0.0.1 localhost
>
> /_Content After:_/
>
> 127.0.0.1 localhost
> /*196.77.23.1 spam.testsite.com <http://spam.testsite.com>*/
>
> Does OSSEC have this feature?
>
> Thanks!
>
> Logos

--
Andre Pawlowski
-------------------------------------------------------------------
Man has two legs and two convictions: one for when things are going well, and one for when things are going badly. The latter is called religion.
-Kurt Tucholsky
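
To illustrate the distinction drawn in the reply above (an added example, not part of the thread and not OSSEC code): a monitor that stores only a hash can report that a file changed, while a before/after view requires that a copy of the earlier content was also kept. The `FileMonitor` class and the sample hosts content are constructed for illustration.

```python
import difflib
import hashlib

class FileMonitor:
    """Toy integrity monitor: always stores a hash, optionally a snapshot."""

    def __init__(self, keep_snapshots=False):
        self.keep_snapshots = keep_snapshots
        self.hashes = {}     # path -> SHA-256 hex digest of last seen content
        self.snapshots = {}  # path -> last seen content (only if enabled)

    def check(self, path, content):
        digest = hashlib.sha256(content).hexdigest()
        old_digest = self.hashes.get(path)
        previous = self.snapshots.get(path)
        # Update stored state before reporting.
        self.hashes[path] = digest
        if self.keep_snapshots:
            self.snapshots[path] = content
        if old_digest is None:
            return {"status": "baseline", "diff": None}
        if old_digest == digest:
            return {"status": "unchanged", "diff": None}
        diff = None
        if previous is not None:
            # A diff is only possible because the old content was retained.
            diff = list(difflib.unified_diff(
                previous.decode(errors="replace").splitlines(),
                content.decode(errors="replace").splitlines(),
                "before", "after", lineterm=""))
        return {"status": "changed", "old": old_digest,
                "new": digest, "diff": diff}

# Constructed sample input, modelled on the hosts file in the question.
HOSTS = r"%systemroot%\system32\drivers\etc\hosts"
BEFORE = b"127.0.0.1 localhost\n"
AFTER = BEFORE + b"196.77.23.1 spam.testsite.com\n"

def demo(keep_snapshots):
    monitor = FileMonitor(keep_snapshots=keep_snapshots)
    monitor.check(HOSTS, BEFORE)        # first scan records the baseline
    return monitor.check(HOSTS, AFTER)  # second scan sees the modification

if __name__ == "__main__":
    print(demo(False))                     # changed, but no diff available
    print("\n".join(demo(True)["diff"]))   # unified diff of the change
```

The trade-off is that retained snapshots of sensitive files need the same protection as the files themselves.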
