[ossec-list] Re: timestamp for modified files
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: timestamp for modified files
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Sat, 14 Apr 2007 16:54:52 -0300
Hi Chad,
Ossec does not really care about the reported time change for the file
(using the stats call), because this can be easily faked. We could add
that for "curiosity" reasons, but it shouldn't be trusted if the change
is malicious.
*I will add that to our todo list, since it can be used to track
valid file changes.
Thanks.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 4/13/07, Chad Rober <chadrober@xxxxxxxxx> wrote:
I've noticed the time a notification is sent regarding a file with a different
checksum can be greatly different from the actual time the file changed.
I'll assume this is due to the frequency that OSSEC scans for file changes.
What I was wondering is how would I configure the client to read the
modified time value and append that information to the notification email?
Is that possible with the current build?
Thanks!
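
The point made in the reply above, shown as an added example that is not part of the original thread and is not OSSEC's own code: an integrity check that decides on the content hash alone and carries the `stat()` mtime only as an untrusted hint. The function names and the sample file are constructed for illustration.

```python
import hashlib
import os
import tempfile


def snapshot(path):
    """Record the content hash (trusted) and the stat() mtime (informational)."""
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"sha256": digest, "mtime_ns": os.stat(path).st_mtime_ns}


def compare(baseline, current):
    """Decide on the checksum alone; report mtime only as a hint."""
    if baseline["sha256"] == current["sha256"]:
        return {"changed": False, "note": "content unchanged"}
    if baseline["mtime_ns"] == current["mtime_ns"]:
        note = "content changed but mtime identical: timestamp is unreliable"
    else:
        note = "content changed; reported mtime is a hint, not evidence"
    return {"changed": True,
            "reported_mtime_ns": current["mtime_ns"],
            "note": note}


def demo():
    """Constructed scenario: content changes while the mtime reads the same."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.conf")  # constructed sample file
        with open(path, "w") as fh:
            fh.write("PermitRootLogin no\n")
        fixed = 1_176_500_000 * 1_000_000_000  # whole-second value in ns
        os.utime(path, ns=(fixed, fixed))
        baseline = snapshot(path)

        with open(path, "w") as fh:
            fh.write("PermitRootLogin yes\n")
        # The file owner can set mtime to any value through utime().
        os.utime(path, ns=(baseline["mtime_ns"], baseline["mtime_ns"]))
        return compare(baseline, snapshot(path))


if __name__ == "__main__":
    print(demo())
```
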