Rule 554 firing instead of rule 500

Michael Starling

Mar 28, 2023, 10:24:44 AM
to ossec-list
Hello.

I'm seeing a strange issue when running some tests on rule 550 "Integrity checksum changed".

I make a change on a client to /etc/issue and add a line. Syscheck picks it up but reports the change as rule 554 "File added to the system" when the file has already been cataloged by the syscheck database.

[root@server1]# ls -lrt
total 20
-rw-r--r-- 1 root root 29 Mar 22 14:12 state.1679512366
-rw-r--r-- 1 root root 29 Mar 24 08:54 state.1679666071
-rw-r--r-- 1 root root 26 Mar 24 08:54 diff.1679666071
-rw-r--r-- 1 root root 33 Mar 28 08:31 last-entry
-rw-r--r-- 1 root root 30 Mar 28 08:31 diff.1680010317

[root@server1]# cat diff.1680010317
3c3
< #testy
---
> #test 3-28

Any ideas?