The server that has the old files is a Windows server. The OSSEC server is a linux. So I'm not sure if that will fall under pre- linking.
On Jun 10, 2:03 pm, "dan (ddp)" <[email protected]> wrote: > Windows or *nix? > If linux, pre-linking maybe? > > > > On Fri, Jun 10, 2011 at 2:49 PM, Pat <[email protected]> wrote: > > Dan, > > > Thank you for replying. No, the agent has been connected for the past > > 2 weeks and I've been letting them run. I wanted to validate the > > alerts that were coming over and I found that when I went to that > > server, the dates of these files went back quite a while ago. The > > agent tells us that the file was modified the day it alerted us, > > however, the date the file was created/modified on the server is still > > a couple years ago. I have also looked into anyone who is doing work > > on the server, and no one has touched these files. > > > On Jun 10, 12:52 pm, "dan (ddp)" <[email protected]> wrote: > >> Is it possible that agent hasn't been connected to the manager for a while? > >> I don't particularly trust the file dates on the agents. If someone is > >> messing around they can easily change those dates. > > >> On Wed, Jun 8, 2011 at 4:22 PM, Pat <[email protected]> wrote: > >> > Hello All, > > >> > I reviewed some of the OSSEC alerts that I am getting about integrity > >> > checksums as well as new file alerts and noticed that the dates on the > >> > files were from a couple years ago (for new file alerts. the > >> > integrity checksum one was a little less than a month ago). Is there > >> > any reason that it would be doing this? I am using realtime="yes", so > >> > I would assume that if I received an alert it was because the > >> > integrity checksum was changed sometime today, or if a new file was > >> > added it would have the date created/modified as of today. > > >> > Any thoughts? > > >> > Thanks in advance.
