On Fri, 24 Jan 2014 09:42:04 -0500 "dan (ddp)" <[email protected]> wrote:
> On Fri, Jan 24, 2014 at 9:38 AM, Bruno Andrade <[email protected]> wrote:
> > On Fri, 24 Jan 2014 07:50:25 -0500
> > "dan (ddp)" <[email protected]> wrote:
> >
> >> On Fri, Jan 24, 2014 at 5:41 AM, Bruno Andrade <[email protected]>
> >> wrote:
> >> > Hey, I have a doubt about updating file signatures in the
> >> > database.
> >> >
> >> > Basically I have installed OSSEC HIDS and the webUI. On the
> >> > webUI, I go to integrity checking->Dump database and I check the
> >> > last modified files. I click the file and I see the old
> >> > signature and the new one.
> >> >
> >> > If I know that change is legitimate, how can I update the database
> >> > to use the new file signature and not alert about that change?
> >> >
> >>
> >> If the signature is in the database, the alert should have already
> >> been triggered.
> >
> > I think you don't fully understand my question.
> >
> > Basically, I have this:
> >
> > /etc/gshadow- md5 <old_signature>
> > sha1 <old_signature>
> > ->
> > md5 <new_signature>
> > sha1 <new_signature>
> >
> > So, I know that the /etc/gshadow file has been changed because of
> > maintenance in the system and not an attack.
> > I think the <old_signature> is still in the database, and it will be
> > triggering the alert every time it analyses the file. So, how can I
> > update the signature for the file to use the <new_signature>?
> >
> >
>
> I think the database keeps some older copies of the signatures, but
> it's not supposed to check them.
>
> If you don't think it is working properly, open a ticket. I'll try to
> test it out later.

Hey, that's not what I'm thinking. Let's restart...
I install OSSEC, it generates file signatures, I change a file, OSSEC triggers an alarm for that file because the signature changed. What happens now?

Thanks.

--
Bruno Andrade <[email protected]>
Programmer (R&D)
Eurotux Informática, S.A.
| www.eurotux.com (t) +351 253 680 300 (m) +351 936 293 858
