On Mon, Jan 27, 2014 at 1:47 PM, Bruno Andrade <[email protected]> wrote:
> On Mon, 27 Jan 2014 12:08:44 -0500
> "dan (ddp)" <[email protected]> wrote:
>
>> On Mon, Jan 27, 2014 at 12:06 PM, Bruno Andrade <[email protected]> wrote:
>> > On Mon, 27 Jan 2014 11:45:41 -0500
>> > "dan (ddp)" <[email protected]> wrote:
>> >
>> >> On Mon, Jan 27, 2014 at 11:25 AM, Bruno Andrade <[email protected]> wrote:
>> >> > On Mon, 27 Jan 2014 07:51:08 -0500
>> >> > "dan (ddp)" <[email protected]> wrote:
>> >> >
>> >> >> On Mon, Jan 27, 2014 at 4:33 AM, Bruno Andrade <[email protected]> wrote:
>> >> >> >
>> >> >> > Hey, that's not what I was thinking.
>> >> >> >
>> >> >> > Let's restart... I install OSSEC, it generates file signatures,
>> >> >> > I change a file, OSSEC triggers an alarm for that file because
>> >> >> > the signature changed. What happens now?
>> >> >> >
>> >> >>
>> >> >> That's really up to you. OSSEC doesn't really care why a file
>> >> >> changed, it just reports that it has changed. We don't advocate
>> >> >> handling those alerts in any particular fashion, too many groups
>> >> >> handle it too differently for us to make those kinds of
>> >> >> recommendations.
>> >> >>
>> >> >> When a file changes, the new hash will be used for the next
>> >> >> check. If you have not turned off the auto ignore, 3 changes
>> >> >> will make a file not be reported anymore.
>> >> >>
>> >> > Thanks.
>> >> >
>> >> > That was kind of the answer I was looking for.
>> >> > Say that, after the first change to the file, I want to make the
>> >> > file not be reported anymore. How can I do it? But I want to
>> >> > do it because I know that change was legitimate; if not, it
>> >> > continues to report.
>> >> >
>> >>
>> >> There's no way to really pause reporting on the file.
>> >>
>> > I'm not talking about pausing reporting, but the capacity to update
>> > the signature if you know that change is legitimate.
>> >
>>
>> I don't think updating the signature is a problem, it'll automagically
>> update on the next syscheck scan(/realtime). I thought you just didn't
>> want to be updated when it does change that next time.
>>
>
> Hey, I found this http://centralwire.sourceforge.net/, that's
> basically what I was asking if it is possible to do with OSSEC. With
> this tool it is possible to review the file changes and accept them.
>

I guess I don't understand what you expect to happen when you "accept" a change. OSSEC notices a change, it alerts you. It will not revert the change and it will not continue to alert you on that same change. So I'm kind of missing the point. What are you hoping to accomplish exactly?

>
> --
> Bruno Andrade <[email protected]>
> Programmer (R&D)
> Eurotux Informática, S.A. | www.eurotux.com
> (t) +351 253 680 300 (m) +351 936 293 858
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
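The syscheck behaviour dan describes in the thread (the new hash becomes the baseline for the next check, so a change is alerted once and never re-alerted; with auto ignore left on, a file stops being reported after three changes) modelled as an added Python example. This is not OSSEC's own code: the exact threshold semantics (first three changes reported, later ones dropped) and the mapping to the `<auto_ignore>` option are assumptions taken from the quoted description, and the sample file is constructed.

```python
import hashlib
import os
import tempfile

# Simplified model of OSSEC syscheck as described in the thread. Assumption:
# the first three changes are reported, later ones are auto-ignored, and
# <auto_ignore>no</auto_ignore> in the <syscheck> section disables that.
AUTO_IGNORE_AFTER = 3

def file_hash(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

class SyscheckModel:
    def __init__(self, paths, auto_ignore=True):
        self.auto_ignore = auto_ignore
        self.changes = {p: 0 for p in paths}
        self.db = {p: file_hash(p) for p in paths}  # baseline signatures

    def scan(self):
        """Rescan every monitored path; return (path, change_no) alerts."""
        alerts = []
        for path, old in self.db.items():
            new = file_hash(path)
            if new == old:
                continue
            self.changes[path] += 1
            self.db[path] = new  # new hash is the baseline for the next check
            if self.auto_ignore and self.changes[path] > AUTO_IGNORE_AFTER:
                continue  # auto-ignored: no alert, but the db is still updated
            alerts.append((path, self.changes[path]))
        return alerts

def demo(auto_ignore=True):
    """Modify a constructed sample file four times; return the change numbers
    that produced an alert, and whether re-scans with no new change stayed quiet."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.conf")  # constructed sample file
        with open(path, "w") as fh:
            fh.write("setting=1\n")
        model = SyscheckModel([path], auto_ignore=auto_ignore)
        reported, quiet = [], True
        for n in range(1, 5):
            with open(path, "a") as fh:
                fh.write(f"extra{n}=yes\n")
            reported += [count for _, count in model.scan()]
            quiet = quiet and model.scan() == []  # no re-alert on the same change
        return reported, quiet
```

Calling `demo()` shows alerts for changes 1 to 3 only, while `demo(auto_ignore=False)` alerts on all four; in both cases an immediate re-scan is silent, which is the "accept" the thread is asking about happening implicitly.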
