No, I have not yet tested it (dealing with another ossec-related issue
at the moment). What problem are you coming across?
Lars
On 3/28/2011 7:16 AM, Nate Woodward wrote:
Have you tested whether this rule works? I can't get it to function
correctly.
-----Original Message-----
From: Lars Oberg [mailto:[email protected]]
Sent: Friday, March 25, 2011 8:12 PM
To: [email protected]
Subject: Re: [ossec-list] Alerts on log file modified, but not if added to
I believe you're referring to this rule (# 592 in my case):

<rule id="592" level="8">
  <if_sid>500</if_sid>
  <match>^ossec: File size reduced</match>
  <description>Log file size reduced.</description>
  <group>attacks,</group>
</rule>
If I understand this correctly, I don't need to do anything;
this rule is active by default!
Thanks,
Lars
PS. Of course this rule only provides limited protection
against tampering, since a smart hacker could easily make
sure the file is longer after he is done tampering with it.
On 3/25/2011 2:55 PM, Tanishk Lakhaani wrote:
ion of logs from the log file, an alert, with alert id 510, is created
with the heading "Log File Size Reduced". And adding any logs
is the same as modifying the logs... just put this log file
under the syscheck part in the ossec agent.conf.
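The thread turns on two points: rule 592 fires only when the logcollector reports "File size reduced", and, as Lars notes in his PS, an attacker who rewrites a log and leaves it at least as long as before slips past a size-only check. The script below is an added example, not OSSEC code and not from anyone in the thread; it keeps a baseline of a log file's size plus a hash of its content, and on a later check distinguishes a plain append (old bytes intact, file longer) from a truncation (the case rule 592 covers) and from an in-place rewrite padded to exceed the old size (the case rule 592 misses). The file path, the log lines and the scenarios are all constructed for the demo.

```python
# Added example (not OSSEC code): distinguishing an append from in-place
# tampering of a log file by keeping a size + prefix-hash baseline.
import hashlib
import os
import tempfile

# Constructed sample log lines for the demo; not taken from a real system.
SAMPLE_LINES = [
    "Mar 28 07:10:01 host sshd[1201]: Accepted publickey for lars from 10.0.0.5\n",
    "Mar 28 07:12:44 host sshd[1230]: Failed password for root from 10.0.0.9\n",
    "Mar 28 07:13:02 host sudo: lars : TTY=pts/0 ; COMMAND=/bin/ls\n",
]


def snapshot(path):
    """Record the file's size and the SHA-256 of everything in it right now.
    This is the baseline a later check() compares against."""
    with open(path, "rb") as f:
        data = f.read()
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def check(path, baseline):
    """Classify the file's current state relative to a baseline.

    'size_reduced': file is shorter than at baseline (the condition OSSEC's
                    "File size reduced" rule alerts on)
    'modified':     the first baseline['size'] bytes no longer hash to the
                    baseline, so existing content was rewritten, even if the
                    file is now longer than before
    'appended':     old bytes intact, file longer
    'unchanged':    old bytes intact, same size
    """
    size = os.path.getsize(path)
    if size < baseline["size"]:
        return "size_reduced"
    with open(path, "rb") as f:
        prefix = f.read(baseline["size"])
    if hashlib.sha256(prefix).hexdigest() != baseline["sha256"]:
        return "modified"
    return "unchanged" if size == baseline["size"] else "appended"


def demo():
    """Run the scenarios discussed in the thread against a temporary file
    and return the verdict for each one."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")  # hypothetical path for the demo
        with open(path, "w") as f:
            f.writelines(SAMPLE_LINES)
        baseline = snapshot(path)

        results["unchanged"] = check(path, baseline)

        # Normal operation: a new line is appended to the log.
        with open(path, "a") as f:
            f.write("Mar 28 07:15:10 host sshd[1250]: Accepted publickey "
                    "for nate from 10.0.0.7\n")
        results["append"] = check(path, baseline)

        # Crude tampering: the file is rewritten without the failed-login line,
        # so it shrinks. A size-only check catches this.
        with open(path, "w") as f:
            f.writelines(l for l in SAMPLE_LINES if "Failed password" not in l)
        results["truncate"] = check(path, baseline)

        # Smarter tampering (the PS in the thread): the failed-login line is
        # altered and an extra line is added, so the file ends up longer than
        # the baseline. A size-only check misses this; the prefix hash does not.
        with open(path, "w") as f:
            f.writelines(l.replace("Failed password", "Accepted password")
                         for l in SAMPLE_LINES)
            f.write("Mar 28 07:16:00 host cron[1300]: (root) CMD "
                    "(run-parts /etc/cron.hourly)\n")
        results["rewrite_padded"] = check(path, baseline)
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:15} -> {verdict}")
```

Two caveats apply to both this check and rule 592: legitimate log rotation or an administrator truncating a file also produces "size_reduced", so the alert needs correlation with rotation times or a whitelist; and the baseline itself must live somewhere the attacker cannot rewrite (on the OSSEC server rather than the agent host), otherwise it is just another file to tamper with.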