I saw a discussion on this earlier in the week and meant to respond, but got sidetracked.
Regardless, this was something I too struggled to grasp; it took a conversation with Dani to help me better understand. To better articulate, and save you all a long email, I put it on my blog:

http://tonyonsecurity.com/2013/07/27/ossec-detecting-new-files-understanding-how-it-works/

While I'm not sure it'll address the question, I hope it does shed some light ...

If I'm missing something, please let me know; I'll be happy to check it out and update if required.

Tony
Sucuri MSSP Team <http://sucuri.net/services/managed-server-security-program-mssp> | Email: [email protected]
