Well, I did notice the rule did not fire (while 550 did) when I reduced a file's filesize, in this case /test/test. I think it only checks logs. Also, with a script I have more control of how ossec reacts to the decreased filesize and when it fires.

On Monday, 31 March 2014 18:19:21 UTC+2, Michael Starks wrote:
> On 2014-03-31 9:45, Laurens Hardlife wrote:
> > There's no way to check if a file got smaller using syscheck. What you
> > can do though is create an active response script that checks if a file
> > got smaller that fires whenever rule 550 fires (syscheck file
> > changes).
> >
> > Here's my script (in this case it sends an e-mail but you can also
> > make it do something else):
>
> Does rule 592 not work for you?
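
The check discussed in this thread, as an added example that is not part of the original posts and is not the script mentioned above: it reads rule 550 alerts and reports files whose size went down. The alert layout (`Integrity checksum changed for:` and `Size changed from '…' to '…'` lines) is assumed to match the manager's alerts.log, the sample alerts are constructed, and `shrunk_files` is a hypothetical helper name.

```python
import re

# Constructed sample alerts in the assumed alerts.log layout.
SAMPLE_ALERTS = """\
** Alert 1396282761.1001: mail  - ossec,syscheck,
2014 Mar 31 18:19:21 host->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/test/test'
Size changed from '2048' to '512'

** Alert 1396282790.1450: mail  - ossec,syscheck,
2014 Mar 31 18:19:50 host->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/motd'
Size changed from '100' to '180'

** Alert 1396282800.1900: mail  - ossec,syscheck,
2014 Mar 31 18:20:00 host->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/usr/local/bin/tool'
Permissions changed from 'rw-r--r--' to 'rwxr-xr-x'
"""

RULE_RE = re.compile(r"^Rule: (\d+) ", re.M)
PATH_RE = re.compile(r"^Integrity checksum changed for: '(.+)'$", re.M)
SIZE_RE = re.compile(r"^Size changed from '(\d+)' to '(\d+)'$", re.M)

def shrunk_files(alert_text, rule_id="550"):
    """Return (path, old_size, new_size) for syscheck alerts where size fell."""
    hits = []
    # Alerts are separated by blank lines; each one starts with "** Alert".
    for block in re.split(r"\n\s*\n", alert_text.strip()):
        rule = RULE_RE.search(block)
        path = PATH_RE.search(block)
        size = SIZE_RE.search(block)
        # Skip other rules and 550 alerts that carry no size line
        # (for example a permissions-only change).
        if not (rule and path and size) or rule.group(1) != rule_id:
            continue
        old, new = int(size.group(1)), int(size.group(2))
        if new < old:
            hits.append((path.group(1), old, new))
    return hits

if __name__ == "__main__":
    for path, old, new in shrunk_files(SAMPLE_ALERTS):
        print(f"{path} shrank from {old} to {new} bytes")
```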
