[ossec-list] syscheck - alert_new_files
I'm noticing something strange with syscheck. I've been getting alerts like the following from my Windows XP SP2 ossec agent:
OSSEC HIDS Notification.
2006 Nov 26 09:19:00
Received From: (PC1) 172.16.45.27->syscheck
Rule: 13 fired (level 8) -> "Integrity checksum of file 'C:\Program Files/Common Files/Adobe/Web/AdobeOnline Inventory' has changed."
Portion of the log(s):
New file 'C:\Program Files/Yahoo!/Messenger/Cache/IxnDIZ_voYbqZNtwnu.nqg--.ab.xml' added to directory. Checksum: 35644:33206:0:0:4a731b078c0fd14431bb41bc484965bb:13f952e61218539f084aa03a88b07d26b717f4a1.
--END OF NOTIFICATION
Notice the first part of the alert is about the integrity checksum of 'C:\Program Files/Common Files/Adobe/Web/AdobeOnline Inventory' changing, but the portion of the log shown after is a new file alert for a completely different file.
I get several of those when new files get added. Could the alert be redone to be more clear as to what is being alerted on?
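A triage check for the mismatch described in the post above, as an added example that is not part of the original message and not OSSEC code: it parses a notification, compares the file named in the rule description with the file named in the log portion, and decodes the checksum field. The function name `parse_notification` is hypothetical, and the `size:perm:uid:gid:md5:sha1` field layout is an assumption read off the values in the quoted alert.

```python
import re

# Constructed sample: the notification text quoted in the post above.
SAMPLE = r"""OSSEC HIDS Notification.
2006 Nov 26 09:19:00
Received From: (PC1) 172.16.45.27->syscheck
Rule: 13 fired (level 8) -> "Integrity checksum of file 'C:\Program Files/Common Files/Adobe/Web/AdobeOnline Inventory' has changed."
Portion of the log(s):
New file 'C:\Program Files/Yahoo!/Messenger/Cache/IxnDIZ_voYbqZNtwnu.nqg--.ab.xml' added to directory. Checksum: 35644:33206:0:0:4a731b078c0fd14431bb41bc484965bb:13f952e61218539f084aa03a88b07d26b717f4a1.
--END OF NOTIFICATION
"""

RULE_RE = re.compile(r'^Rule: (\d+) fired \(level (\d+)\) -> "(.*)"$', re.M)
PATH_RE = re.compile(r"'([^']+)'")  # first single-quoted path; breaks on paths containing '
# Assumed layout: size:perm:uid:gid:md5:sha1 (perm is the decimal st_mode value)
CHECKSUM_RE = re.compile(
    r"Checksum: (\d+):(\d+):(\d+):(\d+):([0-9a-f]{32}):([0-9a-f]{40})")


def _norm(path):
    # Windows paths: compare case-insensitively with a single separator style
    return path.replace("\\", "/").lower()


def parse_notification(text):
    """Return rule/log details and whether they refer to different files."""
    rule = RULE_RE.search(text)
    if rule is None:
        raise ValueError("no 'Rule:' line found")
    log = text.partition("Portion of the log(s):")[2]
    log = log.split("--END OF NOTIFICATION")[0]
    rule_file = PATH_RE.search(rule.group(3))
    log_file = PATH_RE.search(log)
    ck = CHECKSUM_RE.search(log)
    result = {
        "rule_id": int(rule.group(1)),
        "level": int(rule.group(2)),
        "rule_file": rule_file.group(1) if rule_file else None,
        "log_file": log_file.group(1) if log_file else None,
        "checksum": None,
    }
    if ck:
        size, mode, uid, gid, md5, sha1 = ck.groups()
        result["checksum"] = {"size": int(size), "mode": oct(int(mode) & 0o7777),
                              "uid": int(uid), "gid": int(gid),
                              "md5": md5, "sha1": sha1}
    # Flag alerts whose description and log evidence name different files
    result["mismatch"] = (rule_file is not None and log_file is not None
                          and _norm(result["rule_file"]) != _norm(result["log_file"]))
    return result


if __name__ == "__main__":
    print(parse_notification(SAMPLE))
```
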
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.