On Mon, 27 Jan 2014 11:45:41 -0500 "dan (ddp)" <[email protected]> wrote:
> On Mon, Jan 27, 2014 at 11:25 AM, Bruno Andrade <[email protected]> > wrote: > > On Mon, 27 Jan 2014 07:51:08 -0500 > > "dan (ddp)" <[email protected]> wrote: > > > >> On Mon, Jan 27, 2014 at 4:33 AM, Bruno Andrade <[email protected]> > >> wrote: > >> > > >> > Hey, that's not what I thinking. > >> > > >> > Lets restart... I install OSSEC, he generate file signatures, I > >> > change a file, OSSEC trigger an alarm for that file because the > >> > signature change. What happens now? > >> > > >> > >> That's really up to you. OSSEC doesn't really care why a file > >> changed, it just reports that it has changed. We don't advocate > >> handling those alerts in any particular fashion, too many groups > >> handle it too differently for us to make those kinds of > >> recommendations. > >> > >> When a file changes, the new hash will be used for the next check. > >> If you have not turned off the auto ignore, 3 changes will make a > >> file not be reported anymore. > >> > >> > Thanks. > > > > That was kind of the answer I was looking for. > > Say that, after the first change to the file I want to make the file > > not to be reported anymore. How can I do it? But, I want to do it > > because I now that change was legitimate, if not, it continues to > > report. > > > > There's no way to really pause reporting on the file. > I'm not talking about pause reporting, but the capacity to update the signature if you know that change is legitimate. -- Bruno Andrade <[email protected]> Programador (I&D) Eurotux Informática, S.A. | www.eurotux.com (t) +351 253 680 300 (m) +351 936 293 858 -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
