Dan: I think I know what he wants. He wants to change the signature before the change is detected by OSSEC so he does not get an alert. This is similar to the discussion last year about updating syscheck when doing an apt-get upgrade.

Bruno: Search within the archive of this group for "What's a good way to update syscheck after an apt-get upgrade?" There is some mail exchange from 29.05.2013. There is a patch somewhere in there that kind of queries a trusted source for the md5/sha1 hash and doesn't generate an alert if the new hash equals the trusted hash. The patch is kind of bulky and I don't use it because I only have one server to monitor at the moment and can manage the update myself. For the future it would be nice if syscheck had the ability to check a trusted source whether the file change was to be expected. This DB has to be filled by the admin during update. Just my 2 cents.

Regards
Christian

On 27.01.2014 19:50, dan (ddp) wrote:
> On Mon, Jan 27, 2014 at 1:47 PM, Bruno Andrade <[email protected]> wrote:
>> On Mon, 27 Jan 2014 12:08:44 -0500
>> "dan (ddp)" <[email protected]> wrote:
>>
>>> On Mon, Jan 27, 2014 at 12:06 PM, Bruno Andrade <[email protected]> wrote:
>>>> On Mon, 27 Jan 2014 11:45:41 -0500
>>>> "dan (ddp)" <[email protected]> wrote:
>>>>
>>>>> On Mon, Jan 27, 2014 at 11:25 AM, Bruno Andrade <[email protected]> wrote:
>>>>>> On Mon, 27 Jan 2014 07:51:08 -0500
>>>>>> "dan (ddp)" <[email protected]> wrote:
>>>>>>
>>>>>>> On Mon, Jan 27, 2014 at 4:33 AM, Bruno Andrade <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Hey, that's not what I was thinking.
>>>>>>>>
>>>>>>>> Let's restart... I install OSSEC, it generates file signatures,
>>>>>>>> I change a file, OSSEC triggers an alarm for that file because
>>>>>>>> the signature changed. What happens now?
>>>>>>>>
>>>>>>>
>>>>>>> That's really up to you. OSSEC doesn't really care why a file
>>>>>>> changed, it just reports that it has changed. We don't advocate
>>>>>>> handling those alerts in any particular fashion; too many groups
>>>>>>> handle it too differently for us to make those kinds of
>>>>>>> recommendations.
>>>>>>>
>>>>>>> When a file changes, the new hash will be used for the next
>>>>>>> check. If you have not turned off the auto ignore, 3 changes
>>>>>>> will make a file not be reported anymore.
>>>>>>>
>>>>>>>> Thanks.
>>>>>>
>>>>>> That was kind of the answer I was looking for.
>>>>>> Say that, after the first change to the file, I want to make the
>>>>>> file not be reported anymore. How can I do it? But I want to
>>>>>> do it because I know that change was legitimate; if not, it
>>>>>> continues to report.
>>>>>>
>>>>>
>>>>> There's no way to really pause reporting on the file.
>>>>>
>>>> I'm not talking about pausing reporting, but the capacity to update
>>>> the signature if you know that change is legitimate.
>>>>
>>>
>>> I don't think updating the signature is a problem, it'll automagically
>>> update on the next syscheck scan (/realtime). I thought you just didn't
>>> want to be updated when it does change that next time.
>>>
>> Hey, I found this http://centralwire.sourceforge.net/, that's
>> basically what I was asking if it is possible to do with OSSEC. With
>> this tool it is possible to review the file changes and accept them.
>>
> I guess I don't understand what you expect to happen when you "accept"
> a change. OSSEC notices a change, it alerts you. It will not revert
> the change and it will not continue to alert you on that same change.
> So I'm kind of missing the point. What are you hoping to accomplish
> exactly?
>
>> --
>> Bruno Andrade <[email protected]>
>> Programador (I&D)
>> Eurotux Informática, S.A. | www.eurotux.com
>> (t) +351 253 680 300 (m) +351 936 293 858
>>
>> --
>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
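The two behaviours discussed in the thread, the trusted-hash lookup Christian describes (suppress the alert when a changed file's new hash matches a hash the admin recorded during the upgrade) and the auto-ignore threshold Dan mentions (after 3 reported changes a file is no longer reported), modelled together in a small added Python example. This is not OSSEC's syscheck code nor the patch from the list archive; the `SyscheckLike` class, the `trusted` table and the `sshd_config` scenario are constructed for illustration, and the trusted table stands in for the admin-filled DB the thread proposes.

```python
import hashlib
import tempfile
from pathlib import Path

# Auto-ignore behaviour as described in the thread: after this many reported
# changes a file is no longer reported (value assumed from the discussion).
AUTO_IGNORE_AFTER = 3


def file_digest(path):
    """SHA-1 of the file contents (syscheck records md5/sha1; one digest is enough here)."""
    return hashlib.sha1(Path(path).read_bytes()).hexdigest()


class SyscheckLike:
    """Minimal model of a syscheck scan with a trusted-hash lookup in front of the alert.

    `trusted` is a hypothetical admin-maintained table {path: expected_sha1}
    standing in for the "trusted source" the thread proposes, e.g. filled from
    the package manager's manifest during an apt-get upgrade.
    """

    def __init__(self, trusted=None):
        self.trusted = dict(trusted or {})
        self.baseline = {}   # path -> digest seen at the last scan
        self.reported = {}   # path -> number of changes already reported

    def scan(self, paths):
        decisions = []
        for path in map(str, paths):
            digest = file_digest(path)
            previous = self.baseline.get(path)
            # As Dan notes, the new hash becomes the reference for the next check.
            self.baseline[path] = digest
            if previous is None or previous == digest:
                continue  # first sighting (baseline only) or unchanged
            if self.trusted.get(path) == digest:
                # The change was expected (matches the trusted hash): record it, no alert.
                decisions.append((path, "expected"))
                continue
            count = self.reported.get(path, 0) + 1
            self.reported[path] = count
            if count > AUTO_IGNORE_AFTER:
                decisions.append((path, "auto-ignored"))
            else:
                decisions.append((path, "alert"))
        return decisions


def demo():
    """Constructed scenario: one file, one legitimate upgrade, then repeated unexplained edits."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "sshd_config"
        target.write_text("Port 22\n")
        # The admin records the hash of the version the upgrade is about to install.
        upgraded = b"Port 22\nPermitRootLogin no\n"
        checker = SyscheckLike(trusted={str(target): hashlib.sha1(upgraded).hexdigest()})
        results = [checker.scan([target])]            # baseline, nothing reported
        target.write_bytes(upgraded)
        results.append(checker.scan([target]))        # expected change, no alert
        for i in range(4):
            target.write_text(f"Port 22\n# edit {i}\n")
            results.append(checker.scan([target]))    # 3 alerts, then auto-ignored
        return [decision for scan in results for _, decision in scan]


if __name__ == "__main__":
    print(demo())  # ['expected', 'alert', 'alert', 'alert', 'auto-ignored']
```

The design choice worth noting is that an expected change is recorded but does not count towards the auto-ignore threshold, so a legitimate upgrade does not use up the budget of reported changes for that file; a real implementation would also have to decide how the trusted table is populated and protected, since whoever can write to it can silence alerts.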
