Sure, I am just in process of it. Will try to capture deleted files through a script. Give me a day or two.
On Wednesday, 3 October 2012 21:16:13 UTC+5:30, dan (ddpbsd) wrote:
>
> On Wed, Oct 3, 2012 at 11:18 AM, vicky ... <[email protected]> wrote:
> > Hi All,
> >
> > I am also facing the same problem. Seems like I need to create a custom
> > script to check deleted files and alert.
> >
> > Regards,
> > Vikas
> >
>
> Or you could track down the problem and help us fix it. It's tough to
> fix a problem we can't reproduce, especially when everyone who can
> isn't interested in helping.
>
> >
> > On Thursday, 19 July 2012 20:29:49 UTC+5:30, dan (ddpbsd) wrote:
> >>
> >> On Thu, Jul 19, 2012 at 10:50 AM, Wagner Thomas
> >> <[email protected]> wrote:
> >> > 1) I created a new file.
> >> > 2) I started the syscheck and waited until it ran through. (new file
> >> > alert was sent)
> >> > 3) I deleted the new file and started the syscheck again afterwards, and after
> >> > it ran through I still haven't received an alert.
> >> >
> >>
> >> It's working for me. Check alerts.log to make sure it's not being
> >> triggered.
> >> Check the syscheck db to see what the entries for the file look like
> >> (both after step 2 and after step 3(4)).
> >>
> >> > -----Original Message-----
> >> > From: [email protected] [mailto:[email protected]] On
> >> > Behalf Of dan (ddp)
> >> > Sent: Thursday, 19 July 2012 16:48
> >> > To: [email protected]
> >> > Subject: Re: [ossec-list] Detect Deleted Files
> >> >
> >> > On Thu, Jul 19, 2012 at 10:16 AM, Wagner Thomas <[email protected]>
> >> > wrote:
> >> >> I've now tried it again, and again (I tried it a lot of times before)
> >> >> I got no alert caused by a deleted file.
> >> >> So if someone has an idea where my mistake could be, please be so kind
> >> >> and inform me.
> >> >>
> >> >> Thank you in anticipation.
> >> >>
> >> >> Best regards
> >> >>
> >> >
> >> > How did you test it?
> >> >
> >> >> -----Original Message-----
> >> >> From: [email protected] [mailto:[email protected]]
> >> >> On Behalf Of dan (ddp)
> >> >> Sent: Thursday, 19 July 2012 15:42
> >> >> To: [email protected]
> >> >> Subject: Re: [ossec-list] Detect Deleted Files
> >> >>
> >> >> On Thu, Jul 19, 2012 at 9:29 AM, Wagner Thomas <[email protected]>
> >> >> wrote:
> >> >>> Hi!
> >> >>>
> >> >>> I'm currently testing OSSEC 2.6 on CentOS and basically it works fine.
> >> >>>
> >> >>> Setup was easy to do and also the configuration of manager and agent
> >> >>> went fine.
> >> >>>
> >> >>> My problem now is that I don't get alerts if files are deleted
> >> >>> (added and changed files are reported correctly).
> >> >>>
> >> >>> This is my rule for deleted files (nothing changed after the
> >> >>> installation):
> >> >>>
> >> >>> <rule id="553" level="7">
> >> >>>   <category>ossec</category>
> >> >>>   <decoded_as>syscheck_deleted</decoded_as>
> >> >>>   <description>File deleted. Unable to retrieve checksum.</description>
> >> >>>   <group>syscheck,</group>
> >> >>> </rule>
> >> >>>
> >> >>> Should it work with that rule or do I have to configure something
> >> >>> else additionally?
> >> >>>
> >> >>> I hope someone knows that problem and can help me!
> >> >>>
> >> >>> Best regards,
> >> >>>
> >> >>> Thomas
> >> >>>
> >> >>> T-Systems Austria GesmbH, Rennweg 97-99, 1030 Wien
> >> >>> Handelsgericht Wien, FN 79340b
> >> >>
> >> >> I don't think there is any additional configuration you should have to
> >> >> do, just wait for a syscheck scan to run.
>
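Two of the things raised in this thread can be done in one small script: the "custom script to check deleted files and alert" that vicky plans to write, and the "check alerts.log to make sure it's not being triggered" step that dan suggests. The block below is an added example for both; it is not code from the thread and not part of OSSEC. It assumes a JSON baseline of relative path to SHA-256 that you create once and compare against on later runs (a stand-in for syscheck's own database, not a replacement for it), and the alerts.log lines in `SAMPLE_ALERTS` are constructed to resemble the OSSEC 2.x layout rather than copied from a real server.

```python
#!/usr/bin/env python3
"""Added example, not code from the ossec-list thread or from OSSEC.

Part 1: a minimal deleted-file checker. A JSON baseline of relative path ->
SHA-256 is compared against a fresh walk of the same tree.
Part 2: the alerts.log check. Pick out entries that fired rule 553
("File deleted. Unable to retrieve checksum.").
All paths, file names and sample alert lines are assumptions.
"""
import hashlib
import json
import os
import re
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large files are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped so a dangling link is not mistaken for a file."""
    root = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                snap[p.relative_to(root).as_posix()] = sha256_of(p)
    return snap


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify paths as added, deleted or modified between two snapshots.
    'deleted' is the case the thread is about: in the baseline, gone now."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "deleted": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def save_baseline(snap: dict, baseline_file) -> None:
    Path(baseline_file).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(baseline_file) -> dict:
    return json.loads(Path(baseline_file).read_text())


# Matches the "Rule: 553 (level N)" header line of an alerts.log entry.
RULE_553 = re.compile(r"Rule: 553 \(level \d+\)")

# Constructed sample alerts.log lines (assumed layout, not a real capture):
# one checksum-changed alert (rule 550) and one file-deleted alert (rule 553).
SAMPLE_ALERTS = [
    "** Alert 1342709400.1234: - ossec,syscheck,",
    "2012 Jul 19 10:50:00 ossec-server->syscheck",
    "Rule: 550 (level 7) -> 'Integrity checksum changed.'",
    "Integrity checksum changed for: '/etc/example.conf'",
    "** Alert 1342709460.5678: - ossec,syscheck,",
    "2012 Jul 19 10:51:00 ossec-server->syscheck",
    "Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'",
    "File '/etc/example.conf' was deleted. Unable to retrieve checksum.",
]


def deleted_file_alerts(alert_lines) -> list:
    """Return the rule-553 header lines. An empty list means syscheck never
    raised a deletion alert, which is the first thing to confirm."""
    return [line for line in alert_lines if RULE_553.search(line)]


def demo() -> dict:
    """Build a tree, baseline it, then delete/modify/add files and diff.
    Returns the diff so the result can be checked programmatically."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "watched"
        (root / "sub").mkdir(parents=True)
        (root / "keep.txt").write_text("unchanged\n")
        (root / "changed.txt").write_text("v1\n")
        (root / "sub" / "gone.txt").write_text("to be deleted\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        (root / "sub" / "gone.txt").unlink()       # the deletion syscheck should flag
        (root / "changed.txt").write_text("v2\n")  # modification
        (root / "new.txt").write_text("added\n")   # addition

        return diff_snapshots(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
    for line in deleted_file_alerts(SAMPLE_ALERTS):
        print("alerts.log:", line)
```

In use, `save_baseline(snapshot(root), baseline_file)` runs once when the tree is in a known-good state, and a cron job runs `diff_snapshots(load_baseline(baseline_file), snapshot(root))` afterwards; every path in `deleted` is exactly what a rule 553 alert should have reported. Feeding the real `/var/ossec/logs/alerts/alerts.log` lines to `deleted_file_alerts` answers dan's question directly: if the script finds a deletion but the alert list is empty, the gap is in syscheck or the rule, not in the test procedure.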
