Realtime with new files


dburkland

Mar 5, 2010, 5:05:54 PM3/5/10
to ossec-list
Hello all,

I am new to the OSSEC scene and after doing some research, I could not
find any trace of realtime detection of new files in the current
version of OSSEC. Do you know if there is some way to enable this
feature or if not when it is planned to be included in OSSEC's feature
set?

Thank you,

Dan

Wim Remes

Mar 6, 2010, 4:52:02 PM3/6/10
to ossec...@googlegroups.com
New file detection is not alerted on by default:
you can find the rule in ossec_rules.xml

<rule id="554" level="0">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <description>File added to the system.</description>
  <group>syscheck,</group>
</rule>

You can change the level on that specific rule, but remember that this will be overwritten if you upgrade.

A more gracious solution would be to add a rule to local_rules.xml:

<rule id="100001" level="3">
  <if_sid>554</if_sid>
  <description>new file detected</description>
</rule>

KR,
W
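As an added illustration of the local_rules.xml approach described in the reply above (this is not part of the thread), here is the override placed in a complete rule group, which is how OSSEC expects local_rules.xml to be laid out, plus a chained rule that raises the level only for new files under a sensitive path. The `<group name="local,syscheck,">` wrapper, rule id 100002 and the `<match>` on the file path are assumptions for this example; the assumption behind the `<match>` is that the syscheck message for a new file carries the file's path.

```xml
<!-- Added example, not from the thread. Assumes the standard OSSEC layout in
     which every rule in local_rules.xml sits inside a <group> element and
     local rule ids start at 100001. -->
<group name="local,syscheck,">

  <!-- Promote base rule 554 ("File added to the system.", level 0) to level 3
       so new files show up in alerts.log. Keeping the override here rather than
       editing ossec_rules.xml means it survives an OSSEC upgrade. -->
  <rule id="100001" level="3">
    <if_sid>554</if_sid>
    <description>new file detected</description>
  </rule>

  <!-- Assumption: the syscheck new-file message includes the path, so <match>
       can single out sensitive locations and give them a higher level. Rule
       100002 is only evaluated after 100001 has matched. -->
  <rule id="100002" level="10">
    <if_sid>100001</if_sid>
    <match>/etc/</match>
    <description>new file detected under /etc</description>
  </rule>

</group>
```

After editing local_rules.xml, restart OSSEC so the rules are reloaded, and check alerts.log for a rule 100001 or 100002 entry the next time syscheck reports a new file.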
