[ossec-list] Re: Integrity Checks and Diffs?
- To: <ossec-list@xxxxxxxxxxxxxxxx>
- Subject: [ossec-list] Re: Integrity Checks and Diffs?
- From: "Marty E. Hillman" <mehillman@xxxxxxxxxxxx>
- Date: Thu, 7 Sep 2006 15:02:55 -0500

Forgive my ignorance, but in the interest of data security and not
transmitting the information cleartext, wouldn't the alert be enough to
cause the administrator to do a diff of the file against a known good
backup? Might take a little more time than actually sending you the
changed information, but would maintain security.

I suppose an alternative would be to use a dual-NICed computer and send
the alert over the second network (assuming that they were not sharing
common infrastructure hardware and that that link was not hacked as
well).

-----Original Message-----
From: ossec-list@xxxxxxxxxxxxxxxx [mailto:ossec-list@xxxxxxxxxxxxxxxx]
On Behalf Of Forrest Aldrich
Sent: Thursday, September 07, 2006 2:39 PM
To: ossec-list@xxxxxxxxxxxxxxxx
Subject: [ossec-list] Re: Integrity Checks and Diffs?

Very true.

In that case, send it over/via OSSEC in an encrypted package? I
dunno...

But the basic principle is useful - knowing "what" was changed, not just
that it was changed.

David Vasil wrote:
> Forrest Aldrich wrote:
>
>> Maybe for text-only files, provide an option to include a contextual
>> diff output, which shows the changes of the monitored file, with that of
>> the known version --- this would require keeping that old version
>> archived somewhere, though. Hmm... may be useful in some
>> situations, knowing not only that the file was changed, but WHAT was
>> changed.
>>
>
> That could come back and bite you in some situations where the file that
> was changed contained sensitive information (which upon alert would be
> sent to you through clear-text email).
>
>
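
The trade-off discussed in this thread, as an added example that is not part of the original messages and is not OSSEC code: an integrity check against an archived known-good copy that attaches a contextual diff for ordinary text files, and sends only hashes when the path is sensitive or the content is binary, so the administrator does the diff locally. The names `SENSITIVE_GLOBS`, `is_text` and `build_alert` are hypothetical, and the file contents are constructed samples.

```python
import difflib
import fnmatch
import hashlib

# Assumption (hypothetical policy): paths whose contents must never leave the host.
SENSITIVE_GLOBS = ["/etc/shadow", "*.key", "*.pem"]

def is_text(data: bytes) -> bool:
    """Treat data as text only if it has no NUL bytes and decodes as UTF-8."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True

def build_alert(path: str, known_good: bytes, current: bytes):
    """Return None if unchanged, else an alert dict; attach a diff only when safe."""
    old, new = (hashlib.sha256(d).hexdigest() for d in (known_good, current))
    if old == new:
        return None
    alert = {"path": path, "old_sha256": old, "new_sha256": new,
             "diff": None, "diff_withheld": None}
    if any(fnmatch.fnmatch(path, g) for g in SENSITIVE_GLOBS):
        alert["diff_withheld"] = "sensitive path"   # hashes only; diff locally
    elif not (is_text(known_good) and is_text(current)):
        alert["diff_withheld"] = "binary content"
    else:
        alert["diff"] = "".join(difflib.context_diff(
            known_good.decode("utf-8").splitlines(keepends=True),
            current.decode("utf-8").splitlines(keepends=True),
            fromfile=path + " (known good)", tofile=path + " (current)"))
    return alert

if __name__ == "__main__":
    # Constructed sample contents, not taken from any real system.
    cases = [
        ("/etc/ssh/sshd_config", b"PermitRootLogin no\nPort 22\n",
         b"PermitRootLogin yes\nPort 22\n"),
        ("/etc/shadow", b"root:$6$old:19000::::::\n", b"root:$6$new:19001::::::\n"),
    ]
    for path, good, cur in cases:
        alert = build_alert(path, good, cur)
        print(alert["path"], alert["new_sha256"][:12], alert["diff_withheld"])
        print(alert["diff"] or "(diff withheld)")
```
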
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.