using realtime to track a file that has a change made that is put back to the original value


mpata...@gmail.com

Nov 12, 2018, 6:37:59 PM11/12/18
to ossec-dev
What is the OSSEC system supposed to do here:
You change a file (md5 value changes).
Wait a second.
Then put the file back to its original contents.

For example:
root@mpatalberta:~/joeblow# md5sum hellopat.txt    <- original data
4ede564a1a999242405ce4d5c13335ec  hellopat.txt
root@mpatalberta:~/joeblow# md5sum hellopat.txt    <- original data
4ede564a1a999242405ce4d5c13335ec  hellopat.txt
root@mpatalberta:~/joeblow# vi hellopat.txt 
root@mpatalberta:~/joeblow# md5sum hellopat.txt  
fc7fd69e2682cbe416382997304b093d  hellopat.txt changed file contents <- (new md5)
root@mpatalberta:~/joeblow# vi hellopat.txt 
root@mpatalberta:~/joeblow# md5sum hellopat.txt   
4ede564a1a999242405ce4d5c13335ec  hellopat.txt <- file has been put back

What does ossec do here?
Can you somehow include the access time as part of the change file detection?
Thanks,
Pat, 

dan (ddp)

Nov 13, 2018, 7:42:03 AM11/13/18
to osse...@googlegroups.com
On Mon, Nov 12, 2018 at 6:37 PM <mpata...@gmail.com> wrote:
>
> What is the OSSEC system supposed to do here:
> You change a file (md5 value changes).
> Wait a second.
> Then put the file back to its original contents.
>
> For example:
> root@mpatalberta:~/joeblow# md5sum hellopat.txt <- original data
> 4ede564a1a999242405ce4d5c13335ec hellopat.txt
> root@mpatalberta:~/joeblow# md5sum hellopat.txt <- original data
> 4ede564a1a999242405ce4d5c13335ec hellopat.txt
> root@mpatalberta:~/joeblow# vi hellopat.txt
> root@mpatalberta:~/joeblow# md5sum hellopat.txt
> fc7fd69e2682cbe416382997304b093d hellopat.txt changed file contents <- (new md5)
> root@mpatalberta:~/joeblow# vi hellopat.txt
> root@mpatalberta:~/joeblow# md5sum hellopat.txt
> 4ede564a1a999242405ce4d5c13335ec hellopat.txt <- file has been put back
>
> What does ossec do here?

If OSSEC catches it in time you should get multiple alerts. But there
are a number of factors that go into that.

> Can you somehow include the access time as part of the change file detection?

I feel like that would lead to a lot of false positives on a busy file.

> Thanks,
> Pat,
>
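An added simulation (not code from the thread or from OSSEC) of the timing question dan raises: a checker that re-hashes on a fixed interval versus one woken on every write, run against a modify-then-revert one second apart, and what happens when modification time (not access time, which dan notes would be noisy) is compared alongside the hash. The timeline, file contents and interval values are constructed.

```python
import hashlib

# Constructed write timeline for one file: (seconds, contents).
# Original bytes, a change at 10.5s, restored to the original at 11.5s.
EVENTS = [
    (0.0, b"hello pat\n"),
    (10.5, b"hello pat, changed\n"),
    (11.5, b"hello pat\n"),
]

def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def state_at(events, t):
    """Contents and mtime of the file as a reader would see them at time t."""
    content, mtime = events[0][1], events[0][0]
    for when, data in events:
        if when <= t:
            content, mtime = data, when
    return content, mtime

def polling_alerts(events, interval, horizon, track_mtime=False):
    """Scheduled checker: re-hashes every `interval` seconds.
    Returns (poll_time, previous_md5, current_md5) for each change noticed.
    With track_mtime=True a newer mtime is reported even if the md5 matches."""
    alerts = []
    last_hash, last_mtime = md5(events[0][1]), events[0][0]
    t = interval
    while t <= horizon + 1e-9:
        content, mtime = state_at(events, t)
        h = md5(content)
        if h != last_hash or (track_mtime and mtime != last_mtime):
            alerts.append((t, last_hash, h))
            last_hash, last_mtime = h, mtime
        t += interval
    return alerts

def event_alerts(events):
    """Realtime-style checker: hashes at every write notification, so it
    sees both the change and the restore as separate alerts."""
    alerts = []
    last_hash = md5(events[0][1])
    for when, data in events[1:]:
        h = md5(data)
        if h != last_hash:
            alerts.append((when, last_hash, h))
            last_hash = h
    return alerts

if __name__ == "__main__":
    print("poll 5s, hash only :", polling_alerts(EVENTS, 5.0, 20.0))
    print("poll 1s, hash only :", polling_alerts(EVENTS, 1.0, 20.0))
    print("poll 5s, hash+mtime:", polling_alerts(EVENTS, 5.0, 20.0, True))
    print("realtime           :", event_alerts(EVENTS))
```

A 5-second poll that only compares hashes sees nothing, because both writes land between two polls; the same poll with mtime tracked reports one alert at 15s with identical old and new md5, which is the signature of a revert.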