On Sun, Dec 25, 2011 at 11:07 AM, Aarif Khan <[email protected]> wrote:
> Please ignore my previous email. I got an email stating that you would return
> on 27/12/2011.
> Therefore, I tried doing a few things again. I changed a few settings in
> ossec.conf but they are nearly the same as the default settings.
> Before I tried any of the commands below I used
> #touch /bin/ls
> #touch /bin/ps
> then I performed
> #/var/ossec/bin/ossec-syscheckd start
> then, I went to see the log file
> #tail /var/ossec/logs/ossec.log
> then I saw that it was scanning. I could see in the log file that it was
> monitoring directories and then
> started the syscheck database and then started the syscheck rootcheck scan
>
> The thing I don't understand is, unlike Aide and Samhain, why am I not
> able to perform a scan and then get notifications of the changes that I had made.
> I didn't even get any log message in alerts.log.
>
> I am confused. I just want to test if OSSEC can successfully detect
> rootkits and file tampering and then report or notify when I perform a scan.
> I would really appreciate it if anyone could help me.
>
Did you modify the files, or just touch them? touch won't modify them, and won't trigger an alert.
>
> On Sun, Dec 25, 2011 at 12:51 PM, metal <[email protected]> wrote:
>>
>> Hello, I am a newbie and I just installed OSSEC local in my VMware.
>> I have read most of the rules and how it works but for the time being I
>> would like to try it on my default configuration.
>>
>> I have been trying to run a scan on my ubuntu server but I am not
>> able to do that. I have searched but I can only find how to do
>> it on an agent.
>>
>> I have installed a rootkit on my ubuntu server and I have modified ls.
>> Now I just want to detect those changes but I am not able to run a
>> scan which eventually scans and notifies me about changes.
>>
>> I have started my ossec-control and after that I'm hopeless; I didn't
>> understand what to do. I just find information on agents and server.
>> Please do help me.
>
>
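The reply above turns on the difference between touching a file and modifying it: `touch` only updates the timestamp, so a scan that compares file contents sees nothing new. As an added illustration that is not part of this thread and not OSSEC's own code, the POSIX shell script below builds a constructed sandbox `bin` directory under a temporary path, records a checksum-and-size baseline the way a content-based integrity scan does, then touches one file and rewrites another with content of the same length. Only the rewritten file is reported as changed by checksum, while both files show a newer modification time. The directory layout, file names and contents are all constructed for the demo; nothing here reads the real `/bin`.

```shell
#!/bin/sh
# Added example (not OSSEC code): why `touch` alone does not trigger a
# content-based integrity alert. Everything under $work is constructed.
set -e

# Write one "<sha1> <size> <path>" line per regular file under a directory,
# sorted by path so two snapshots can be compared line by line.
snapshot() {
    dir=$1
    find "$dir" -type f | sort | while read -r f; do
        sum=$(sha1sum "$f" | cut -d' ' -f1)
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s %s\n' "$sum" "$size" "$f"
    done
}

# Print the paths whose checksum or size differs between two snapshots.
# diff exits 1 when differences exist; the pipeline's status is sed's, so
# set -e does not abort here.
changed_files() {
    diff "$1" "$2" | sed -n 's/^> [^ ]* [^ ]* //p'
}

# Build the sandbox, take a baseline, touch one file, rewrite another, and
# print two lines: files changed by checksum, and files with a newer mtime.
demo() {
    work=$(mktemp -d)
    mkdir "$work/bin"
    printf 'original ls\n'  > "$work/bin/ls"    # constructed stand-in for /bin/ls
    printf 'original ps\n'  > "$work/bin/ps"    # constructed stand-in for /bin/ps
    printf 'original cat\n' > "$work/bin/cat"

    snapshot "$work/bin" > "$work/baseline.txt"
    sleep 1   # keep later mtimes distinguishable on 1-second-resolution filesystems

    touch "$work/bin/ls"                     # mtime changes, content does not
    printf 'trojaned ps\n' > "$work/bin/ps"  # content changes; size stays 12 bytes

    snapshot "$work/bin" > "$work/current.txt"

    printf 'checksum: %s\n' "$(changed_files "$work/baseline.txt" "$work/current.txt" \
        | sed "s#^$work/bin/##" | tr '\n' ' ' | sed 's/ $//')"
    printf 'mtime: %s\n' "$(find "$work/bin" -type f -newer "$work/baseline.txt" \
        | sed "s#^$work/bin/##" | sort | tr '\n' ' ' | sed 's/ $//')"

    rm -rf "$work"
}

demo
```

Running it prints `checksum: ps` and `mtime: ls ps`: the touched `ls` is invisible to a checksum comparison, which is the behaviour the reply describes, while a timestamp-only check would flag both and could not tell a harmless `touch` from a replaced binary.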
