It was not working for me on Ubuntu 11.04 with realtime enabled in a local install. I did manage to get it to work though, but I'm not sure if this was the intended process:

File is added to the syscheck db.
File is modified (alert)
File is deleted (alert)
Without that first modification a deleted alert did not happen.

On Thu, Dec 8, 2011 at 1:11 PM, Nick Green <n...@attackstack.net> wrote:
> I have run a test on one of my ubuntu 10.10 systems ... no 553 errors.
> Other rules fire off OK but not when I delete the file and rerun syscheck
>
> Example working alert ...
>
> ** Alert 1323365954.6512: mail - ossec,syscheck,
> 2011 Dec 08 17:39:14 ************->syscheck
> Rule: 550 (level 7) -> 'Integrity checksum changed.'
> Integrity checksum changed for: '/tmp/test/fileone'
> Size changed from '0' to '43'
> Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
> New md5sum is : 'b483e5505194ddacc762aeb3785220f6'
> Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
> New sha1sum is : 'b01f401df4e3423fd8fd91cbfb787adf0f9f85b7'
>
> /nick
>
> On Thu, Dec 8, 2011 at 2:54 PM, dan (ddp) <ddp...@gmail.com> wrote:
>>
>> On Thu, Dec 8, 2011 at 7:16 AM, Nick Green <n...@attackstack.net> wrote:
>> > If you want I can supply a strace dump of syscheckd and analysisd?
>> >
>> > I'll continue to plod through the code and see what's not matching up
>> > ...
>> >
>> > /nick
>>
>> That might help someone figure it out. Dunno.
>>
>> It might also help to find out what commonalities there are among the
>> setups that are not working properly. I checked my OpenBSD manager and
>> found 553 alerts from this week.
>>
>> I have not checked my CentOS 5 or Ubuntu systems yet, but I will today.
>>
>> > On Thu, Dec 8, 2011 at 11:33 AM, Nick Green <n...@attackstack.net> wrote:
>> >>
>> >> I have not enabled INOTIFY. Real-time is not a requirement for me.
>> >> I have not got any realtime option in my conf
>> >>
>> >> /nick
>> >>
>> >> On Wed, Dec 7, 2011 at 10:48 PM, Andreas Piesk <a.pi...@gmx.net> wrote:
>> >>> On 07.12.2011 21:41, Nick Green wrote:
>> >>> > Is anyone having trouble with getting alerts to fire on deletion of a
>> >>> > file?
>> >>>
>> >>> same problem here but i haven't found a solution yet. it's supposed to be
>> >>> working and for at least one list member (danddp) it does.
>> >>>
>> >>> i'm using RHEL5/Centos5 too, OSSEC w/ INOTIFY. the tests with OSSEC w/o
>> >>> INOTIFY are still on my todo list. do you use INOTIFY too?
>> >>>
>> >>> regards,
>> >>> -ap
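Added example, not part of the thread or of OSSEC itself: a small parser for the alerts.log format shown in Nick's 550 alert, which turns a syscheck test run (add, modify, delete) into a per-file sequence of rule IDs so you can see directly whether a 553 fired for each file you deleted, and whether every 553 was preceded by a 550 as the top post observed. The 550 block is the one quoted in the thread; the 554 and 553 blocks are constructed here using the stock OSSEC syscheck rule descriptions (554 "File added to the system.", 553 "File deleted. Unable to retrieve checksum."), and the masked hostname is kept as it appears in the thread.

```python
import re
from collections import defaultdict

# Stock syscheck rule IDs (550 appears in the thread; 553/554 are the
# stock "deleted" and "added" rules from syscheck_rules.xml).
RULE_CHANGED, RULE_DELETED, RULE_ADDED = 550, 553, 554

# Constructed alerts.log excerpt. The 550 block is copied from the thread;
# the 554 and 553 blocks are constructed for this example.
SAMPLE_ALERTS = """\
** Alert 1323365900.6401: mail - ossec,syscheck,
2011 Dec 08 17:38:20 ************->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/tmp/test/fileone' added to the file system.

** Alert 1323365954.6512: mail - ossec,syscheck,
2011 Dec 08 17:39:14 ************->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/tmp/test/fileone'
Size changed from '0' to '43'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : 'b483e5505194ddacc762aeb3785220f6'
Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
New sha1sum is : 'b01f401df4e3423fd8fd91cbfb787adf0f9f85b7'

** Alert 1323366010.6620: mail - ossec,syscheck,
2011 Dec 08 17:40:10 ************->syscheck
Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
File '/tmp/test/fileone' was deleted. Unable to retrieve checksum.

** Alert 1323366011.6630: mail - ossec,syscheck,
2011 Dec 08 17:40:11 ************->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/tmp/test/filetwo' added to the file system.
"""

ALERT_HEADER = re.compile(r"^\*\* Alert (\d+)\.(\d+): .*?ossec,syscheck")
RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$", re.M)
QUOTED_PATH = re.compile(r"'([^']+)'")


def parse_syscheck_alerts(text):
    """Split an alerts.log excerpt into blank-line-separated blocks and pull
    out timestamp, rule id, level, description and file path of each
    syscheck alert. Non-syscheck or truncated blocks are skipped."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        header = ALERT_HEADER.match(block)
        rule = RULE_LINE.search(block)
        if not header or not rule:
            continue
        lines = block.splitlines()
        # For the 550/553/554 message formats the line right after "Rule:"
        # carries the file name as the first single-quoted string.
        rule_idx = next(i for i, l in enumerate(lines) if l.startswith("Rule:"))
        path = None
        if rule_idx + 1 < len(lines):
            m = QUOTED_PATH.search(lines[rule_idx + 1])
            path = m.group(1) if m else None
        events.append({
            "ts": int(header.group(1)),
            "rule": int(rule.group(1)),
            "level": int(rule.group(2)),
            "desc": rule.group(3),
            "path": path,
        })
    return events


def timeline_by_path(events):
    """Per-file list of rule ids in time order, e.g. [554, 550, 553]."""
    by_path = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["path"]:
            by_path[e["path"]].append(e["rule"])
    return dict(by_path)


def deletions_missing(events, deleted_paths):
    """Files removed during a test for which no 553 alert was ever raised."""
    tl = timeline_by_path(events)
    return [p for p in deleted_paths if RULE_DELETED not in tl.get(p, [])]


def deletes_preceded_by_change(events):
    """For every file with a 553, whether a 550 came before it. Useful for
    checking the top post's observation that a modification had to happen
    before the deletion alert would fire."""
    result = {}
    for path, rules in timeline_by_path(events).items():
        if RULE_DELETED in rules:
            result[path] = RULE_CHANGED in rules[:rules.index(RULE_DELETED)]
    return result


if __name__ == "__main__":
    evs = parse_syscheck_alerts(SAMPLE_ALERTS)
    print(timeline_by_path(evs))
    print("no 553 for:", deletions_missing(evs, ["/tmp/test/fileone", "/tmp/test/filetwo"]))
    print("553 preceded by 550:", deletes_preceded_by_change(evs))
```

To use it against a real test, replace SAMPLE_ALERTS with the contents of the manager's alerts.log after running the add/modify/delete sequence and pass the list of files you deleted to deletions_missing; any path it returns is a file whose deletion syscheck never reported.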