On Tuesday, June 14, 2016 at 1:00:14 PM UTC-4, dan (ddpbsd) wrote:
>
> On Tue, Jun 14, 2016 at 12:47 PM, Jeff Blaine <[email protected]> wrote:
> > I'll also add that /var/ossec/queue/syscheck contains these 2 files, the
> > larger of the 2 was last modified ~4 days ago. I don't know if that's useful
> > info or not:
> >
> > -rw-r----- 1 ossec ossec 3 May 21 10:29 .syscheck.cpt
> > -rw-r----- 1 ossec ossec 494689 Jun 9 10:48 syscheck
> >
>
> Are the files you modified present in the syscheck file? Are the
> hashes up to date?

Sure doesn't look it:
[jblaine@ourhost test-checksum-area]$ sha1sum a-file b-file
da17f5b15f5fbabdb4fea9b728cd5d9f930cfd55 a-file
44939617ba6fa46e93af28c0802265b7c3a9a60d b-file
[jblaine@ourhost test-checksum-area]$

#++0:33204:710:710:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1465331645 /home/jblaine/test-checksum-area/a-file
#++4:33204:710:710:d3b07384d113edec49eaa6238ad5ff00:f1d2d2f924e986ac86fdf7b36c94bcdf32beec15 !1465342375 /home/jblaine/test-checksum-area/a-file
#!+11:33204:710:710:c3b78a0e06770acbdb387341767c5fab:f032d9c6f6f0713ec04c659e66d450f57dee7b97 !1465343017 /home/jblaine/test-checksum-area/a-file
!!!11:33204:710:710:3a4fdabb854febd89315c8f1ab84931f:431049d8fd3238973a6f8c21db0b23cd8e54569a !1465350249 /home/jblaine/test-checksum-area/a-file
#++5:33204:710:710:07d9ee02bc6ff247059fef066b92fdf8:470f34e0a739dd064a11ad4e1bb5facc0585aee6 !1465409669 /home/jblaine/test-checksum-area/b-file
#++12:33204:710:710:e7d7be0b4cbae91e79f2f86af983a5ef:1122cafa6e122ff68e661f11575f9d85b1b1e4e2 !1465415641 /home/jblaine/test-checksum-area/b-file
#!+18:33204:710:710:874a0778b44a16a2789ff24ef904f508:f745ff3f8624aa8da29ff4f7f69f7d95b11ce982 !1465423555 /home/jblaine/test-checksum-area/b-file
!!!15:33204:710:710:f76fbff61c70afcee0df07d4322e1c9f:812e20fe8e29d6ac8e2079b6ceb2a1b3341c3830 !1465483731 /home/jblaine/test-checksum-area/b-file

Should I just stop OSSEC and nuke those 2 'queue/syscheck' files to reset things? Kind of masking a problem though...
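
The by-hand comparison in the message above, as an added example that is not part of the original post or of OSSEC's own code: it parses the quoted syscheck entries, keeps the newest entry per path, and reports files whose current SHA-1 differs from it. The field layout (three flag characters, size:mode:uid:gid:md5:sha1, `!` epoch, path) is an assumption read off the entries shown, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Entries copied from the syscheck listing in the message above.
SYSCHECK_DB = """\
#++0:33204:710:710:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1465331645 /home/jblaine/test-checksum-area/a-file
#++4:33204:710:710:d3b07384d113edec49eaa6238ad5ff00:f1d2d2f924e986ac86fdf7b36c94bcdf32beec15 !1465342375 /home/jblaine/test-checksum-area/a-file
#!+11:33204:710:710:c3b78a0e06770acbdb387341767c5fab:f032d9c6f6f0713ec04c659e66d450f57dee7b97 !1465343017 /home/jblaine/test-checksum-area/a-file
!!!11:33204:710:710:3a4fdabb854febd89315c8f1ab84931f:431049d8fd3238973a6f8c21db0b23cd8e54569a !1465350249 /home/jblaine/test-checksum-area/a-file
#++5:33204:710:710:07d9ee02bc6ff247059fef066b92fdf8:470f34e0a739dd064a11ad4e1bb5facc0585aee6 !1465409669 /home/jblaine/test-checksum-area/b-file
#++12:33204:710:710:e7d7be0b4cbae91e79f2f86af983a5ef:1122cafa6e122ff68e661f11575f9d85b1b1e4e2 !1465415641 /home/jblaine/test-checksum-area/b-file
#!+18:33204:710:710:874a0778b44a16a2789ff24ef904f508:f745ff3f8624aa8da29ff4f7f69f7d95b11ce982 !1465423555 /home/jblaine/test-checksum-area/b-file
!!!15:33204:710:710:f76fbff61c70afcee0df07d4322e1c9f:812e20fe8e29d6ac8e2079b6ceb2a1b3341c3830 !1465483731 /home/jblaine/test-checksum-area/b-file
"""

# sha1sum output from the same message: path -> current SHA-1.
CURRENT = {
    "/home/jblaine/test-checksum-area/a-file": "da17f5b15f5fbabdb4fea9b728cd5d9f930cfd55",
    "/home/jblaine/test-checksum-area/b-file": "44939617ba6fa46e93af28c0802265b7c3a9a60d",
}

# Assumed layout: 3 flag chars, size:mode:uid:gid:md5:sha1, "!epoch", path.
ENTRY = re.compile(
    r"^(?P<flags>.{3})(?P<size>\d+):(?P<mode>\d+):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<md5>[0-9a-f]{32}):(?P<sha1>[0-9a-f]{40}) !(?P<epoch>\d+) (?P<path>.+)$",
    re.MULTILINE,
)

def latest_entries(db_text):
    """Return {path: entry dict}, keeping the entry with the highest epoch."""
    latest = {}
    for m in ENTRY.finditer(db_text):  # unrecognised lines are skipped
        e = m.groupdict()
        e["epoch"] = int(e["epoch"])
        if e["path"] not in latest or e["epoch"] > latest[e["path"]]["epoch"]:
            latest[e["path"]] = e
    return latest

def stale_files(db_text, current):
    """List (path, stored, current, recorded_utc) where the SHA-1s differ."""
    stale = []
    for path, entry in sorted(latest_entries(db_text).items()):
        now = current.get(path)
        if now is not None and now != entry["sha1"]:
            when = datetime.fromtimestamp(entry["epoch"], tz=timezone.utc)
            stale.append((path, entry["sha1"], now, when.isoformat()))
    return stale
```

Calling `stale_files(SYSCHECK_DB, CURRENT)` returns both test files, each with the newest stored hash and the UTC time decoded from its `!` field.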
