On Mon, Jan 27, 2014 at 5:24 PM, Bruno Andrade <[email protected]> wrote:
> Thanks a lot
>
> Bruno Andrade <[email protected]>
> Programmer (R&D)
> Eurotux Informática, S.A. | www.eurotux.com
> (t) +351 253 680 300 (m) +351 936 293 858
>
> On 27/01/2014, at 19:08, dan (ddp) <[email protected]> wrote:
>
> On Mon, Jan 27, 2014 at 2:03 PM, Christian Beer
> <[email protected]> wrote:
>
> Dan: I think I know what he wants. He wants to change the signature
> before the change is detected by ossec so he does not get an alert. This
> is similar to the discussion last year about updating syscheck when
> doing an apt-get upgrade.
>
>
> I would have never guessed that.
>
>
> Yes, this is kind of what I want. Some HIDS continue to trigger the alert
> if the signature remains different from the one in the DB, and it needs to be
> accepted and confirmed by the sysadmin to stop triggering the alert on every
> syscheck.
>

OSSEC alerts on file changes and updates the database. It will not
alert again on the same file change, only on subsequent changes (as
long as the file isn't auto ignored).

>
> Bruno: search within the archive of this group for "What's a good way to
> update syscheck after an apt-get upgrade?" There is some mail exchange
> from 29.05.2013
>
> There is a patch somewhere in there that kind of queries a trusted
> source for the md5/sha1 hash and doesn't generate an alert if the new
> hash equals the trusted hash. The patch is kind of bulky and I don't use
> it because I only have one server to monitor at the moment and can
> manage the update myself.
>
>
> I'll try to find it, thanks.
>
> For the future it would be nice if syscheck had the ability to check a
> trusted source if the file change was to be expected. This DB has to be
> filled by the admin during update. Just my 2cents.
>
>
> That would be awesome, basically it would be possible to schedule
> maintenance hours, and OSSEC would know that during that time it is possible
> that some signatures will change.
>
> Yes it would. I have the beginnings of a patch for this somewhere...
>
>
> Do you think about integrating that into the web UI?
>

No. I don't know much about the wui. The only time I use it is when
I'm trying to help someone else with it.

> Thanks.
>
>
> Regards
> Christian
>
>
> On 27.01.2014 19:50, dan (ddp) wrote:
>
> On Mon, Jan 27, 2014 at 1:47 PM, Bruno Andrade <[email protected]> wrote:
>
> On Mon, 27 Jan 2014 12:08:44 -0500
> "dan (ddp)" <[email protected]> wrote:
>
> On Mon, Jan 27, 2014 at 12:06 PM, Bruno Andrade <[email protected]>
> wrote:
>
> On Mon, 27 Jan 2014 11:45:41 -0500
> "dan (ddp)" <[email protected]> wrote:
>
> On Mon, Jan 27, 2014 at 11:25 AM, Bruno Andrade <[email protected]>
> wrote:
>
> On Mon, 27 Jan 2014 07:51:08 -0500
> "dan (ddp)" <[email protected]> wrote:
>
> On Mon, Jan 27, 2014 at 4:33 AM, Bruno Andrade <[email protected]>
> wrote:
>
>
> Hey, that's not what I was thinking.
>
> Let's restart... I install OSSEC, it generates file signatures,
> I change a file, OSSEC triggers an alarm for that file because
> the signature changed. What happens now?
>
>
> That's really up to you. OSSEC doesn't really care why a file
> changed, it just reports that it has changed. We don't advocate
> handling those alerts in any particular fashion, too many groups
> handle it too differently for us to make those kinds of
> recommendations.
>
> When a file changes, the new hash will be used for the next
> check. If you have not turned off the auto ignore, 3 changes
> will make a file not be reported anymore.
>
> Thanks.
>
>
> That was kind of the answer I was looking for.
> Say that, after the first change to the file, I want to make the
> file not be reported anymore. How can I do it? But I want to
> do it because I know that change was legitimate; if not, it
> continues to report.
>
>
> There's no way to really pause reporting on the file.
>
> I'm not talking about pause reporting, but the capacity to update
> the signature if you know that change is legitimate.
>
>
> I don't think updating the signature is a problem, it'll automagically
> update on the next syscheck scan(/realtime). I thought you just didn't
> want to be updated when it does change that next time.
>
>
> Hey, I found this http://centralwire.sourceforge.net/, that's
> basically what I was asking if it is possible to do with OSSEC. With
> this tool it is possible to review the file changes and accept them.
>
>
> I guess I don't understand what you expect to happen when you "accept"
> a change. OSSEC notices a change, it alerts you. It will not revert
> the change and it will not continue to alert you on that same change.
> So I'm kind of missing the point. What are you hoping to accomplish
> exactly?
>
>
> --
> Bruno Andrade <[email protected]>
> Programmer (R&D)
> Eurotux Informática, S.A. | www.eurotux.com
> (t) +351 253 680 300 (m) +351 936 293 858
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>

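The "trusted source" idea discussed in the thread above (look up a known-good hash for the changed file and treat the alert as expected when the new hash matches it), as an added Python example that is neither the list-archive patch nor OSSEC's own code: it parses a constructed syscheck-style alert, looks the path up in a dpkg-style md5sums manifest, and classifies the change as expected, unexpected or unknown. The alert wording, the file path, the file contents and the manifest are assumptions constructed for this example.

```python
import hashlib
import re
from typing import Dict, Optional

# --- Constructed sample data -------------------------------------------------
# The file path, its contents and the manifest below are made up for this
# example. The alert layout imitates the "Integrity checksum changed" message
# OSSEC 2.x syscheck emits; treat the exact wording as an assumption.
OLD_CONTENT = b"#!/bin/sh\necho example v1\n"
NEW_CONTENT = b"#!/bin/sh\necho example v2 (installed by the package upgrade)\n"
OLD_MD5, NEW_MD5 = (hashlib.md5(c).hexdigest() for c in (OLD_CONTENT, NEW_CONTENT))
OLD_SHA1, NEW_SHA1 = (hashlib.sha1(c).hexdigest() for c in (OLD_CONTENT, NEW_CONTENT))

SAMPLE_ALERT = f"""Integrity checksum changed for: '/usr/bin/example'
Old md5sum was: '{OLD_MD5}'
New md5sum is : '{NEW_MD5}'
Old sha1sum was: '{OLD_SHA1}'
New sha1sum is : '{NEW_SHA1}'
"""

# Trusted source: dpkg-style "<md5>  <path without leading slash>" lines, the
# format of /var/lib/dpkg/info/<package>.md5sums (contents constructed here).
TRUSTED_MANIFEST = f"""{NEW_MD5}  usr/bin/example
{hashlib.md5(b'README placeholder').hexdigest()}  usr/share/doc/example/README
"""

# --- Parsing -----------------------------------------------------------------
_PATH_RE = re.compile(r"Integrity checksum changed for: '([^']+)'")
_HASH_RE = re.compile(r"(Old|New) (md5|sha1)sum (?:was|is)\s*: '([0-9a-fA-F]+)'")


def parse_syscheck_alert(text: str) -> Optional[Dict[str, str]]:
    """Extract path and old/new md5/sha1 from a syscheck alert; None if unusable."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PATH_RE.match(line)
        if m:
            fields["path"] = m.group(1)
            continue
        m = _HASH_RE.match(line)
        if m:
            # Keys become old_md5, new_md5, old_sha1, new_sha1.
            fields[f"{m.group(1).lower()}_{m.group(2)}"] = m.group(3).lower()
    if "path" not in fields or "new_md5" not in fields:
        return None
    return fields


def parse_md5sums_manifest(text: str) -> Dict[str, str]:
    """Turn '<md5>  relative/path' lines into {'/absolute/path': md5}."""
    trusted: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        if len(digest) == 32 and rel:
            trusted["/" + rel.lstrip("/")] = digest.lower()
    return trusted


# --- Classification ----------------------------------------------------------
def classify_change(alert: Dict[str, str], trusted: Dict[str, str]) -> str:
    """'expected' if the new hash is what the trusted source says the file
    should be, 'unexpected' if it differs, 'unknown' if the source has no
    entry for the path (so no opinion can be formed)."""
    path = alert["path"]
    if path not in trusted:
        return "unknown"
    # Only md5 is compared because dpkg manifests carry md5 only; the parsed
    # sha1 values stay available for a source that publishes them.
    return "expected" if alert["new_md5"] == trusted[path] else "unexpected"


def triage(alert_text: str, manifest_text: str) -> str:
    """End-to-end: parse alert and manifest, return the verdict string."""
    alert = parse_syscheck_alert(alert_text)
    if alert is None:
        return "unparsed"
    return classify_change(alert, parse_md5sums_manifest(manifest_text))


if __name__ == "__main__":
    parsed = parse_syscheck_alert(SAMPLE_ALERT)
    print(f"{parsed['path']}: {triage(SAMPLE_ALERT, TRUSTED_MANIFEST)}")
```

An "expected" verdict only means the file now matches what the manifest says the package installs, so the manifest itself has to come from a source the host cannot rewrite (for example the repository or a management server, not the local dpkg database of the machine that raised the alert), and "unknown" should still be routed to a human rather than silently dropped.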