On Mon, Jan 27, 2014 at 2:03 PM, Christian Beer <[email protected]> wrote:
> Dan: I think I know what he wants. He wants to change the signature
> before the change is detected by ossec so he does not get an alert. This
> is similar to the discussion last year about updating syscheck when
> doing an apt-get upgrade.
>

I would have never guessed that.

> Bruno: search within the archive of this group for "What's a good way to
> update syscheck after an apt-get upgrade?" There is some mail exchange
> from 29.05.2013
>
> There is a patch somewhere in there that kind of queries a trusted
> source for the md5/sha1 hash and doesn't generate an alert if the new
> hash equals the trusted hash. The patch is kind of bulky and I don't use
> it because I only have one server to monitor at the moment and can
> manage the update myself.
>
> For the future it would be nice if syscheck had the ability to check a
> trusted source if the file change was to be expected. This DB has to be
> filled by the admin during update. Just my 2 cents.
>

Yes it would. I have the beginnings of a patch for this somewhere...

> Regards
> Christian
>
>
> On 27.01.2014 19:50, dan (ddp) wrote:
>> On Mon, Jan 27, 2014 at 1:47 PM, Bruno Andrade <[email protected]> wrote:
>>> On Mon, 27 Jan 2014 12:08:44 -0500
>>> "dan (ddp)" <[email protected]> wrote:
>>>
>>>> On Mon, Jan 27, 2014 at 12:06 PM, Bruno Andrade <[email protected]>
>>>> wrote:
>>>>> On Mon, 27 Jan 2014 11:45:41 -0500
>>>>> "dan (ddp)" <[email protected]> wrote:
>>>>>
>>>>>> On Mon, Jan 27, 2014 at 11:25 AM, Bruno Andrade <[email protected]>
>>>>>> wrote:
>>>>>>> On Mon, 27 Jan 2014 07:51:08 -0500
>>>>>>> "dan (ddp)" <[email protected]> wrote:
>>>>>>>
>>>>>>>> On Mon, Jan 27, 2014 at 4:33 AM, Bruno Andrade <[email protected]>
>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> Hey, that's not what I was thinking.
>>>>>>>>>
>>>>>>>>> Let's restart... I install OSSEC, it generates file signatures,
>>>>>>>>> I change a file, OSSEC triggers an alarm for that file because
>>>>>>>>> the signature changed. What happens now?
>>>>>>>>>
>>>>>>>>
>>>>>>>> That's really up to you. OSSEC doesn't really care why a file
>>>>>>>> changed, it just reports that it has changed. We don't advocate
>>>>>>>> handling those alerts in any particular fashion, too many groups
>>>>>>>> handle it too differently for us to make those kinds of
>>>>>>>> recommendations.
>>>>>>>>
>>>>>>>> When a file changes, the new hash will be used for the next
>>>>>>>> check. If you have not turned off the auto ignore, 3 changes
>>>>>>>> will make a file not be reported anymore.
>>>>>>>>
>>>>>>>>> Thanks.
>>>>>>>
>>>>>>> That was kind of the answer I was looking for.
>>>>>>> Say that, after the first change to the file, I want to make the
>>>>>>> file not be reported anymore. How can I do it? But I want to
>>>>>>> do it because I know that change was legitimate; if not, it
>>>>>>> continues to report.
>>>>>>>
>>>>>>
>>>>>> There's no way to really pause reporting on the file.
>>>>>>
>>>>> I'm not talking about pausing reporting, but the capacity to update
>>>>> the signature if you know that change is legitimate.
>>>>>
>>>>
>>>> I don't think updating the signature is a problem, it'll automagically
>>>> update on the next syscheck scan(/realtime). I thought you just didn't
>>>> want to be updated when it does change that next time.
>>>>
>>>
>>> Hey, I found this http://centralwire.sourceforge.net/, that's
>>> basically what I was asking if it is possible to do with OSSEC. With
>>> this tool it is possible to review the file changes and accept them.
>>>
>>
>> I guess I don't understand what you expect to happen when you "accept"
>> a change. OSSEC notices a change, it alerts you. It will not revert
>> the change and it will not continue to alert you on that same change.
>> So I'm kind of missing the point. What are you hoping to accomplish
>> exactly?
>>
>>>
>>> --
>>> Bruno Andrade <[email protected]>
>>> Programmer (R&D)
>>> Eurotux Informática, S.A. | www.eurotux.com
>>> (t) +351 253 680 300 (m) +351 936 293 858
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google Groups
>>> "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to [email protected].
>>> For more options, visit https://groups.google.com/groups/opt_out.
>>
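The two mechanisms the thread describes can be modelled together: Christian's "trusted source" idea (a hash DB the admin fills during an update; a change whose new hash matches a trusted entry raises no alert), and dan's description of syscheck behaviour (the new hash becomes the baseline for the next check, and with auto ignore on, a file that keeps changing stops being reported after 3 changes). The following is an added example written for this thread, not OSSEC code and not the patch from the 2013 archive. The class and function names, the reading of the auto-ignore threshold as "alert on the first three changes, then stop", the file path and the file contents are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Constructed model of a "trusted hash" check layered on a syscheck-style monitor.
# Not OSSEC code; every name below is invented for this example.

AUTO_IGNORE_AFTER = 3  # assumption: report the first three changes, then stop reporting


@dataclass
class FileState:
    """Last-seen hashes of a monitored file and how often it has changed."""
    sha1: str
    md5: str
    changes: int = 0


def digest(data: bytes) -> tuple[str, str]:
    """Return (sha1, md5) hex digests, the two hashes syscheck records per file."""
    return hashlib.sha1(data).hexdigest(), hashlib.md5(data).hexdigest()


class TrustedHashMonitor:
    def __init__(self, trusted: dict[str, set[str]], auto_ignore: bool = True):
        # trusted: path -> sha1 digests the admin recorded while running the update
        self.trusted = trusted
        self.auto_ignore = auto_ignore
        self.baseline: dict[str, FileState] = {}

    def register(self, path: str, data: bytes) -> None:
        """Initial scan: record the file's hashes as the baseline."""
        sha1, md5 = digest(data)
        self.baseline[path] = FileState(sha1, md5)

    def check(self, path: str, data: bytes) -> str:
        """Re-scan one file and classify the outcome.

        'new'       - never seen before; baseline recorded, nothing to compare
        'unchanged' - hashes match the baseline
        'trusted'   - changed, but the new sha1 was pre-approved (no alert)
        'ignored'   - changed more than AUTO_IGNORE_AFTER times (no alert)
        'alert'     - changed and not explained by the trusted DB
        """
        if path not in self.baseline:
            self.register(path, data)
            return "new"
        sha1, md5 = digest(data)
        state = self.baseline[path]
        if (sha1, md5) == (state.sha1, state.md5):
            return "unchanged"
        # As dan describes, the new hash becomes the baseline for the next check.
        state.sha1, state.md5 = sha1, md5
        state.changes += 1
        if sha1 in self.trusted.get(path, set()):
            # Consume the approval: an old approved hash should not excuse a later change.
            self.trusted[path].discard(sha1)
            return "trusted"
        if self.auto_ignore and state.changes > AUTO_IGNORE_AFTER:
            return "ignored"
        return "alert"


def run_demo() -> dict[str, list[str]]:
    """Walk a file through a trusted update, unexpected changes and auto-ignore."""
    path = "/usr/sbin/sshd"                        # constructed path
    v1, v2 = b"sshd build 1", b"sshd build 2"     # constructed file contents
    # The admin populates the trusted DB with the hash of the build about to be installed.
    mon = TrustedHashMonitor({path: {digest(v2)[0]}})
    mon.register(path, v1)
    with_auto_ignore = [
        mon.check(path, v1),                # unchanged
        mon.check(path, v2),                # legitimate upgrade: trusted, no alert
        mon.check(path, b"unexpected 1"),   # change 2: alert
        mon.check(path, b"unexpected 2"),   # change 3: alert
        mon.check(path, b"unexpected 3"),   # change 4: ignored (auto ignore kicked in)
    ]
    # Same sequence with auto ignore turned off: every unexplained change is reported.
    mon2 = TrustedHashMonitor({}, auto_ignore=False)
    mon2.register(path, v1)
    without_auto_ignore = [mon2.check(path, b"unexpected %d" % i) for i in range(1, 5)]
    return {"auto_ignore": with_auto_ignore, "no_auto_ignore": without_auto_ignore}


if __name__ == "__main__":
    for scenario, verdicts in run_demo().items():
        print(scenario, verdicts)
```

The approval is consumed once matched so that a hash recorded for one update cannot quietly excuse the same content reappearing later (for example after a downgrade); that is a design choice of this example, not something the thread specifies. The trusted changes still count toward the auto-ignore threshold, mirroring the thread's statement that any change advances the count.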
