On Fri, Jan 24, 2014 at 9:38 AM, Bruno Andrade <[email protected]> wrote:
> On Fri, 24 Jan 2014 07:50:25 -0500
> "dan (ddp)" <[email protected]> wrote:
>
>> On Fri, Jan 24, 2014 at 5:41 AM, Bruno Andrade <[email protected]>
>> wrote:
>> > Hey, I have a doubt about update file signatures to the database..
>> >
>> > Basically I have installed OSSEC Hids and the webUI. On the webUI,
>> > I go integrity checking->Dump database and I check the last
>> > modified files. I click the file and I see the old signature and
>> > new one.
>> >
>> > If I know that change is legitimate, how can I update database to
>> > use the new file signature and don't alert about that change?
>> >
>>
>> If the signature is in the database, the alert should have already
>> been triggered.
>
> I think you don't fully understand my question.
>
> Basically, I have this:
>
> /etc/gshadow- md5 <old_signature>
> sha1 <old_signature>
> ->
> md5 <new_signature>
> sha1 <new_signature>
>
> So, I know that /etc/gshadow file has been changed because of maintenance
> in the system and not an attack.
> I think the <old_signature> is still in the database, and it will be
> triggering the alert every time it analyzes the file. So, how can I
> update the signature for the file to use the <new_signature>?
>
>

I think the database keeps some older copies of the signatures, but
it's not supposed to check them. If you don't think it is working
properly, open a ticket. I'll try to test it out later.

>> > Thanks in advance.
>
> --
> Bruno Andrade <[email protected]>
> Programador (I&D)
> Eurotux Informática, S.A. | www.eurotux.com
> (t) +351 253 680 300 (m) +351 936 293 858
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
