That's right. OSSEC can't tell what changed, nor could it. Basically, a "critical" file isn't supposed to change unless there is a good reason for that (e.g. an upgrade).
On 11/06/2009 12:05, Andre Pawlowski wrote:
> Hi
>
> I don't think so. Afaik OSSEC uses hashes to discover the change and not the whole old file. So OSSEC discovers only that a file has changed (not what has changed).
>
> logos mentos wrote:
>> Hi,
>>
>> If I get an alert that a file has changed using OSSEC, how can I view the before-and-after of the file?
>>
>> For example, something like:
>>
>> File changed - %systemroot%\system32\drivers\etc\hosts
>>
>> Content Before:
>>
>> 127.0.0.1 localhost
>>
>> Content After:
>>
>> 127.0.0.1 localhost
>> 196.77.23.1 spam.testsite.com
>>
>> Does OSSEC have this feature?
>>
>> Thanks!
>>
>> Logos
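To make the point in the thread concrete: a digest is a one-way fingerprint, so a hash-only baseline can prove that a file changed but has nothing to reconstruct a before/after from; producing the diff the original poster asked for requires having kept a copy of the baseline content. The following is an added illustration written for this page, not code from the thread or from OSSEC; the class names and the sample hosts-file contents are constructed for the example.

```python
import difflib
import hashlib
from typing import Dict, Optional

# Constructed sample contents modelled on the hosts-file example in the thread.
BEFORE = "127.0.0.1 localhost\n"
AFTER = "127.0.0.1 localhost\n196.77.23.1 spam.testsite.com\n"
HOSTS_PATH = r"%systemroot%\system32\drivers\etc\hosts"


def sha256_of(data: str) -> str:
    """Fingerprint of the file content; cannot be inverted to recover the content."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


class HashOnlyBaseline:
    """Hash-only integrity baseline (hypothetical): knows THAT a file changed, not WHAT."""

    def __init__(self) -> None:
        self.digests: Dict[str, str] = {}

    def record(self, path: str, content: str) -> None:
        # Only the digest is retained, which is what keeps the baseline small.
        self.digests[path] = sha256_of(content)

    def changed(self, path: str, content: str) -> bool:
        # A file never recorded, or one whose digest differs, counts as changed.
        return self.digests.get(path) != sha256_of(content)

    def explain(self, path: str, content: str) -> Optional[str]:
        # There is no stored content to diff against, so no explanation is possible.
        return None


class ContentBaseline(HashOnlyBaseline):
    """Baseline that also keeps a copy of the content so a unified diff can be shown."""

    def __init__(self) -> None:
        super().__init__()
        self.contents: Dict[str, str] = {}

    def record(self, path: str, content: str) -> None:
        super().record(path, content)
        self.contents[path] = content

    def explain(self, path: str, content: str) -> Optional[str]:
        # Same fast hash comparison first; only then is the retained copy consulted.
        if not self.changed(path, content) or path not in self.contents:
            return None
        diff = difflib.unified_diff(
            self.contents[path].splitlines(),
            content.splitlines(),
            fromfile=path + " (before)",
            tofile=path + " (after)",
            lineterm="",
        )
        return "\n".join(diff)


def demo() -> Dict[str, Optional[str]]:
    """Run both baselines over the constructed change and return what each can report."""
    hash_only = HashOnlyBaseline()
    with_content = ContentBaseline()
    for baseline in (hash_only, with_content):
        baseline.record(HOSTS_PATH, BEFORE)
    return {
        "hash_only_changed": str(hash_only.changed(HOSTS_PATH, AFTER)),
        "hash_only_explanation": hash_only.explain(HOSTS_PATH, AFTER),
        "with_content_explanation": with_content.explain(HOSTS_PATH, AFTER),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The trade-off is storage and sensitivity: keeping full copies of monitored files makes the baseline as large and as sensitive as the files themselves, which is why a hash-only design like the one described in the thread is the common default.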
