On Mon, 27 Jan 2014 12:08:44 -0500 "dan (ddp)" <[email protected]> wrote:
> On Mon, Jan 27, 2014 at 12:06 PM, Bruno Andrade <[email protected]> > wrote: > > On Mon, 27 Jan 2014 11:45:41 -0500 > > "dan (ddp)" <[email protected]> wrote: > > > >> On Mon, Jan 27, 2014 at 11:25 AM, Bruno Andrade <[email protected]> > >> wrote: > >> > On Mon, 27 Jan 2014 07:51:08 -0500 > >> > "dan (ddp)" <[email protected]> wrote: > >> > > >> >> On Mon, Jan 27, 2014 at 4:33 AM, Bruno Andrade <[email protected]> > >> >> wrote: > >> >> > > >> >> > Hey, that's not what I thinking. > >> >> > > >> >> > Lets restart... I install OSSEC, he generate file signatures, > >> >> > I change a file, OSSEC trigger an alarm for that file because > >> >> > the signature change. What happens now? > >> >> > > >> >> > >> >> That's really up to you. OSSEC doesn't really care why a file > >> >> changed, it just reports that it has changed. We don't advocate > >> >> handling those alerts in any particular fashion, too many groups > >> >> handle it too differently for us to make those kinds of > >> >> recommendations. > >> >> > >> >> When a file changes, the new hash will be used for the next > >> >> check. If you have not turned off the auto ignore, 3 changes > >> >> will make a file not be reported anymore. > >> >> > >> >> > Thanks. > >> > > >> > That was kind of the answer I was looking for. > >> > Say that, after the first change to the file I want to make the > >> > file not to be reported anymore. How can I do it? But, I want to > >> > do it because I now that change was legitimate, if not, it > >> > continues to report. > >> > > >> > >> There's no way to really pause reporting on the file. > >> > > I'm not talking about pause reporting, but the capacity to update > > the signature if you know that change is legitimate. > > > > I don't think updating the signature is a problem, it'll automagically > update on the next syscheck scan(/realtime). I thought you just didn't > want to be updated when it does change that next time. > Hey, I found this http://centralwire.sourceforge.net/, that's basically what I was asking if it is possible to do with OSSEC. With this tool is possible to review the file changes and accept them. -- Bruno Andrade <[email protected]> Programador (I&D) Eurotux Informática, S.A. | www.eurotux.com (t) +351 253 680 300 (m) +351 936 293 858 -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
