Hi all! Thanks for your attention.
Please help me solve the following problem. I need to track the
emergence of new files on the file system (for example, the emergence of
malware). When using the standard rule <alert_new_files> you are notified
only about the name of the file and its path. In order to analyze this file,
you need to go to the server, look up the checksum of the file and then analyze
this file. But if there are a lot of these files (in proportion to the number of
agents), the work becomes more complicated. It would be nice if the message
about the new file immediately included the checksum of the file. How can I
solve this issue?
I suspect that the only correct solution is to edit the file
/src/analysisd/decoders/syscheck.c and modify this part:
    if((Config.syscheck_alert_new == 1) && (DB_IsCompleted(agent_id)))
    {
        sdb.syscheck_dec->id = sdb.idn;

        /* New file message */
        snprintf(sdb.comment, OS_MAXSTR,
                 "New file '%.756s' "
                 "added to the file system.", f_name);

        /* Creating a new log message */
        free(lf->full_log);
        os_strdup(sdb.comment, lf->full_log);
        lf->log = lf->full_log;

        /* Setting decoder */
        lf->decoder_info = sdb.syscheck_dec;
        lf->data = NULL;
        return(1);
    }
Unfortunately, I do not know how to do it.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
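One way to build the extended alert text the question asks for, as an added example (not OSSEC's own code and not from the original post): a stand-alone helper that formats the "New file" message with the MD5 and SHA1 pulled out of the checksum string the decoder already has in hand. It assumes the syscheck checksum layout "size:perm:uid:gid:md5:sha1[:...]" and a hypothetical `new_file_message()` that could replace the snprintf call shown above; the sample checksum and path are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not OSSEC's own): copy the idx-th ':'-separated field
 * of a syscheck checksum string into out. Assumed layout is
 * "size:perm:uid:gid:md5:sha1[:...]", so md5 is field 4 and sha1 is field 5.
 * Returns 1 on success, 0 if the field is missing, empty or too long. */
static int csum_field(const char *c_sum, int idx, char *out, size_t outlen)
{
    const char *p = c_sum;
    for (int i = 0; i < idx; i++) {
        p = strchr(p, ':');
        if (p == NULL)
            return 0;
        p++;
    }
    size_t n = strcspn(p, ":");
    if (n == 0 || n >= outlen)
        return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Build the "New file" alert text. When both hashes can be recovered from
 * c_sum they are appended; a malformed or missing c_sum falls back to the
 * original message so the alert is never lost. Returns snprintf's count. */
int new_file_message(char *comment, size_t len,
                     const char *f_name, const char *c_sum)
{
    char md5[64], sha1[64];
    if (c_sum != NULL && csum_field(c_sum, 4, md5, sizeof md5)
                      && csum_field(c_sum, 5, sha1, sizeof sha1)) {
        return snprintf(comment, len,
                        "New file '%.756s' added to the file system. "
                        "MD5: %s SHA1: %s", f_name, md5, sha1);
    }
    return snprintf(comment, len,
                    "New file '%.756s' added to the file system.", f_name);
}

int main(void)
{
    char comment[1024];
    /* Constructed sample: size, perms, uid, gid, md5 and sha1 of an empty file */
    const char *c_sum = "0:33188:0:0:d41d8cd98f00b204e9800998ecf8427e:"
                        "da39a3ee5e6b4b0d3255bfef95601890afd80709";
    new_file_message(comment, sizeof comment, "/tmp/dropped.bin", c_sum);
    puts(comment);
    return 0;
}
```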