On Tue, Jun 14, 2016 at 1:56 PM, Jeff Blaine <[email protected]> wrote:
>
>
> On Tuesday, June 14, 2016 at 1:00:14 PM UTC-4, dan (ddpbsd) wrote:
>>
>> On Tue, Jun 14, 2016 at 12:47 PM, Jeff Blaine <[email protected]> wrote:
>> > I'll also add that /var/ossec/queue/syscheck contains these 2 files, the
>> > larger of the 2 was last modified ~4 days ago. I don't know if that's
>> > useful
>> > info or not:
>> >
>> > -rw-r-----  1 ossec ossec      3 May 21 10:29 .syscheck.cpt
>> > -rw-r-----  1 ossec ossec 494689 Jun  9 10:48 syscheck
>> >
>>
>> Are the files you modified present in the syscheck file? Are the
>> hashes up to date?
>>
>
> Sure doesn't look it:
>
> [jblaine@ourhost test-checksum-area]$ sha1sum a-file b-file
> da17f5b15f5fbabdb4fea9b728cd5d9f930cfd55  a-file
> 44939617ba6fa46e93af28c0802265b7c3a9a60d  b-file
> [jblaine@ourhost test-checksum-area]$
>
> #++0:33204:710:710:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709
> !1465331645 /home/jblaine/test-checksum-area/a-file
> #++4:33204:710:710:d3b07384d113edec49eaa6238ad5ff00:f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
> !1465342375 /home/jblaine/test-checksum-area/a-file
> #!+11:33204:710:710:c3b78a0e06770acbdb387341767c5fab:f032d9c6f6f0713ec04c659e66d450f57dee7b97
> !1465343017 /home/jblaine/test-checksum-area/a-file
> !!!11:33204:710:710:3a4fdabb854febd89315c8f1ab84931f:431049d8fd3238973a6f8c21db0b23cd8e54569a
> !1465350249 /home/jblaine/test-checksum-area/a-file
> #++5:33204:710:710:07d9ee02bc6ff247059fef066b92fdf8:470f34e0a739dd064a11ad4e1bb5facc0585aee6
> !1465409669 /home/jblaine/test-checksum-area/b-file
> #++12:33204:710:710:e7d7be0b4cbae91e79f2f86af983a5ef:1122cafa6e122ff68e661f11575f9d85b1b1e4e2
> !1465415641 /home/jblaine/test-checksum-area/b-file
> #!+18:33204:710:710:874a0778b44a16a2789ff24ef904f508:f745ff3f8624aa8da29ff4f7f69f7d95b11ce982
> !1465423555 /home/jblaine/test-checksum-area/b-file
> !!!15:33204:710:710:f76fbff61c70afcee0df07d4322e1c9f:812e20fe8e29d6ac8e2079b6ceb2a1b3341c3830
> !1465483731 /home/jblaine/test-checksum-area/b-file
>

So it looks like you haven't turned the auto ignore off, and too many
changes have been made to the file (ignoring it).
The last recorded change for b-file seems to be:
# date -r 1465483731
Thu Jun  9 10:48:51 EDT 2016


> Should I just stop OSSEC and nuke those 2 'queue/syscheck' files to reset
> things? Kind of masking a problem though...
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
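
The syscheck records quoted in this message can be checked mechanically against the `sha1sum` output. The Python below is an added example, not part of the original thread and not OSSEC's own code; `live_entries` and `audit` are hypothetical helper names. It assumes each record is a single line on disk, that a leading `#` marks a superseded record, and that the three leading characters count the recorded changes.

```python
import re
from datetime import datetime, timezone

# The eight records quoted in the message, each mail-wrapped pair rejoined into
# one line (assumed on-disk layout of /var/ossec/queue/syscheck/syscheck).
SAMPLE = """\
#++0:33204:710:710:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1465331645 /home/jblaine/test-checksum-area/a-file
#++4:33204:710:710:d3b07384d113edec49eaa6238ad5ff00:f1d2d2f924e986ac86fdf7b36c94bcdf32beec15 !1465342375 /home/jblaine/test-checksum-area/a-file
#!+11:33204:710:710:c3b78a0e06770acbdb387341767c5fab:f032d9c6f6f0713ec04c659e66d450f57dee7b97 !1465343017 /home/jblaine/test-checksum-area/a-file
!!!11:33204:710:710:3a4fdabb854febd89315c8f1ab84931f:431049d8fd3238973a6f8c21db0b23cd8e54569a !1465350249 /home/jblaine/test-checksum-area/a-file
#++5:33204:710:710:07d9ee02bc6ff247059fef066b92fdf8:470f34e0a739dd064a11ad4e1bb5facc0585aee6 !1465409669 /home/jblaine/test-checksum-area/b-file
#++12:33204:710:710:e7d7be0b4cbae91e79f2f86af983a5ef:1122cafa6e122ff68e661f11575f9d85b1b1e4e2 !1465415641 /home/jblaine/test-checksum-area/b-file
#!+18:33204:710:710:874a0778b44a16a2789ff24ef904f508:f745ff3f8624aa8da29ff4f7f69f7d95b11ce982 !1465423555 /home/jblaine/test-checksum-area/b-file
!!!15:33204:710:710:f76fbff61c70afcee0df07d4322e1c9f:812e20fe8e29d6ac8e2079b6ceb2a1b3341c3830 !1465483731 /home/jblaine/test-checksum-area/b-file
"""
# sha1sum output from the same message: what is on disk now.
ON_DISK = {
    "/home/jblaine/test-checksum-area/a-file": "da17f5b15f5fbabdb4fea9b728cd5d9f930cfd55",
    "/home/jblaine/test-checksum-area/b-file": "44939617ba6fa46e93af28c0802265b7c3a9a60d",
}

ENTRY = re.compile(
    r"^(?P<flags>[#+!][+!][+!?])(?P<size>\d+):(?P<mode>\d+):(?P<uid>\d+):(?P<gid>\d+)"
    r":(?P<md5>[0-9a-f]{32}):(?P<sha1>[0-9a-f]{40}) !(?P<ts>\d+) (?P<path>.+)$")

def live_entries(text):
    """Map each path to its current record; '#'-prefixed ones are superseded (assumed)."""
    live = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m and not m["flags"].startswith("#"):
            live[m["path"]] = m.groupdict()
    return live

def audit(text, on_disk):
    """Compare the live record of each file with its current SHA-1."""
    report = {}
    for path, e in live_entries(text).items():
        # Assumed counter: '+++' 0 changes, '!++' 1, '!!+' 2, '!!!' 3, '!!?' more.
        changes = e["flags"].count("!") + 2 * e["flags"].count("?")
        stale = on_disk.get(path) != e["sha1"]
        report[path] = {
            "changes": changes,
            "last_recorded": datetime.fromtimestamp(int(e["ts"]), timezone.utc).isoformat(),
            "stale": stale,
            # Three recorded changes plus a stale hash fits auto-ignore being on.
            "likely_auto_ignored": stale and changes >= 3,
        }
    return report

if __name__ == "__main__":
    for path, row in audit(SAMPLE, ON_DISK).items():
        print(path, row)
```

Both files come back with three recorded changes and a stored SHA-1 that no longer matches the file on disk, and the last recorded time for b-file is the UTC equivalent of the `date -r` output in the reply.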
