On Wed, Oct 3, 2012 at 11:49 AM, vicky ... <[email protected]> wrote:
> Sure, I am just in process of it. Will try to capture deleted files through
> a script. Give me a day or two.
>

That doesn't fix the problem some people are having. Not at all. It
covers it up. Hides it. Grandma may be in the back room where the
neighbors can't see her, but she's still there.

> On Wednesday, 3 October 2012 21:16:13 UTC+5:30, dan (ddpbsd) wrote:
>>
>> On Wed, Oct 3, 2012 at 11:18 AM, vicky ... <[email protected]> wrote:
>> > Hi All,
>> >
>> > I am also facing the same problem. Seems like I need to create a custom
>> > script to check deleted files and alert.
>> >
>> > Regards,
>> > Vikas
>> >
>>
>> Or you could track down the problem and help us fix it. It's tough to
>> fix a problem we can't reproduce, especially when everyone who can
>> isn't interested in helping.
>>
>> >
>> > On Thursday, 19 July 2012 20:29:49 UTC+5:30, dan (ddpbsd) wrote:
>> >>
>> >> On Thu, Jul 19, 2012 at 10:50 AM, Wagner Thomas
>> >> <[email protected]> wrote:
>> >> > 1) I created a new file.
>> >> > 2) I started the syscheck and waited until it ran through. (new file
>> >> > alert was sent)
>> >> > 3) I deleted the new and started the syscheck again afterwards and
>> >> > after
>> >> > it ran through I still haven't received an alert.
>> >> >
>> >>
>> >> It's working for me. Check alerts.log to make sure it's not being
>> >> triggered.
>> >> Check the syscheck db to see what the entries for the file look like
>> >> (both  after step 2 and after step 3(4)).
>> >>
>> >> > -----Original Message-----
>> >> > From: [email protected] [mailto:[email protected]] On
>> >> > Behalf Of dan (ddp)
>> >> > Sent: Thursday, 19 July 2012 16:48
>> >> > To: [email protected]
>> >> > Subject: Re: [ossec-list] Detect Deleted Files
>> >> >
>> >> > On Thu, Jul 19, 2012 at 10:16 AM, Wagner Thomas
>> >> > <[email protected]>
>> >> > wrote:
>> >> >> I've now tried it again, and again (I tried it a lot of times
>> >> >> before)
>> >> >> I got no alert caused by a deleted file.
>> >> >> So if someone has an idea where my mistake could be, please be so
>> >> >> kind
>> >> >> and inform me.
>> >> >>
>> >> >> Thank you in anticipation.
>> >> >>
>> >> >> Best regards
>> >> >>
>> >> >
>> >> > How did you test it?
>> >> >
>> >> >> -----Original Message-----
>> >> >> From: [email protected] [mailto:[email protected]]
>> >> >> On Behalf Of dan (ddp)
>> >> >> Sent: Thursday, 19 July 2012 15:42
>> >> >> To: [email protected]
>> >> >> Subject: Re: [ossec-list] Detect Deleted Files
>> >> >>
>> >> >> On Thu, Jul 19, 2012 at 9:29 AM, Wagner Thomas
>> >> >> <[email protected]>
>> >> >> wrote:
>> >> >>> Hi!
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>> I’m currently testing OSSEC 2.6 on CentOS and basically it works
>> >> >>> fine.
>> >> >>>
>> >> >>> Setup was easy to do and also the configuration of manager and
>> >> >>> agent
>> >> >>> went fine.
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>> My problem now is, that I don’t get alerts if files are deleted
>> >> >>> (added and changed files are reported correctly).
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>> This is my rule for deleted files (nothing changed after the
>> >> >>> installation):
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>>   <rule id="553" level="7">
>> >> >>>     <category>ossec</category>
>> >> >>>     <decoded_as>syscheck_deleted</decoded_as>
>> >> >>>     <description>File deleted. Unable to retrieve checksum.</description>
>> >> >>>     <group>syscheck,</group>
>> >> >>>   </rule>
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>> Should it work with that rule or do I have to configure something
>> >> >>> else additionally?
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>> I hope someone knows that problem and can help me!
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>> Best regards,
>> >> >>>
>> >> >>> Thomas
>> >> >>>
>> >> >>
>> >> >> I don't think there is any additional configuration you should have
>> >> >> to
>> >> >> do, just wait for a syscheck scan to run.
