Hi all,

I have got OSSEC doing real-time monitoring on my /srv/dir* web
directories.
However, even though /srv/dir* is being monitored in real time, it
seems to take a long time to baseline (30 minutes).
Why does it take 30 minutes to baseline? I restricted OSSEC to just md5sums
and it still took half an hour.


The /srv/* web directory resyncs itself to an S3 bucket which has fresh HTML
pages, therefore it is very difficult to establish a baseline as the site
is dynamic and the File Integrity Level 7 alerts happen a lot: too many
false positives.

Does anyone know of a way for OSSEC to monitor a dynamically changing
website for defacement when it constantly syncs from AWS S3 every 2
minutes? We are thinking the following three may work in some way (what do you
think?):

1. Add a file to the S3 bucket with a meta tag that has to be there, i.e. the
index.html page.

2. Get the baseline down to 10 minutes and the corresponding syncs to
15 minutes as well. Restart OSSEC on each sync.

3. Get md5sums from the publishing platform into OSSEC. Can OSSEC get
md5sum values for directories and files directly and then cross-check them with
the downloaded ones?


Cheers and thank you for any assistance,
Tahir

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
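Options 1 and 3 in the post above both amount to comparing what landed in the synced web root against what the publisher intended to ship. The script below is an added example (not OSSEC's code and not from the original poster): it builds an md5 manifest of a directory tree, diffs it against a reference manifest of the kind a publishing platform could emit alongside each S3 push, and additionally checks that a required marker string is still present in a named page. The manifest format ({relative path: md5 hex}), the marker text, the sample web root and the simulated defacement are all constructed for the example; how the publisher actually produces its manifest is assumed, not shown.

```python
"""Cross-check a synced web root against a publisher-supplied md5 manifest.

Added example, not OSSEC code. Assumes the publishing platform can emit a
manifest of {relative_path: md5hex} for every file it pushes to S3 (how that
manifest is produced is outside this script).
"""
import hashlib
import os
import tempfile


def md5_of_file(path, chunk_size=65536):
    """Stream the file so large assets do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Walk the web root and hash every regular file, keyed by relative path."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            # Skip symlinks so a link pointing outside the web root is not hashed.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = md5_of_file(full)
    return manifest


def compare_manifests(reference, observed):
    """Return paths that are unexpected, missing, or changed relative to the publisher."""
    ref_paths, obs_paths = set(reference), set(observed)
    return {
        "added": sorted(obs_paths - ref_paths),
        "removed": sorted(ref_paths - obs_paths),
        "modified": sorted(p for p in ref_paths & obs_paths if reference[p] != observed[p]),
    }


def marker_present(root, rel_path, marker):
    """Option 1 from the post: a named page must still carry an expected marker string."""
    full = os.path.join(root, rel_path)
    try:
        with open(full, "rb") as fh:
            return marker.encode() in fh.read()
    except OSError:
        # A missing or unreadable page counts as the marker being absent.
        return False


def check_site(root, reference, marker_file, marker):
    """Produce one alert line per finding; an empty list means the sync is clean."""
    diff = compare_manifests(reference, build_manifest(root))
    alerts = [f"{kind}: {path}"
              for kind in ("added", "removed", "modified")
              for path in diff[kind]]
    if not marker_present(root, marker_file, marker):
        alerts.append(f"marker missing: {marker_file}")
    return alerts


def make_sample_site():
    """Constructed sample web root standing in for the S3-synced /srv directory."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "css"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write('<html><head><meta name="publisher" content="trusted-cms"></head></html>\n')
    with open(os.path.join(root, "css", "site.css"), "w") as fh:
        fh.write("body { color: black; }\n")
    return root


def demo():
    """Take a known-good manifest, then deface the sample site and report what changed."""
    root = make_sample_site()
    reference = build_manifest(root)  # stands in for the publisher's manifest
    marker = 'name="publisher" content="trusted-cms"'
    assert check_site(root, reference, "index.html", marker) == []
    # Simulated defacement: index.html overwritten, an unexpected file dropped.
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html>hacked</html>\n")
    with open(os.path.join(root, "c.php"), "w") as fh:
        fh.write("<?php /* dropped file */ ?>\n")
    return check_site(root, reference, "index.html", marker)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the reference manifest changes with every publish, the comparison is only meaningful if the manifest is fetched from (or pushed by) the publishing platform for the same release that was synced; comparing against a stale manifest reproduces the false-positive problem the post describes. The check is deliberately a standalone script that prints one line per finding, so it can be scheduled right after each sync and its output fed to OSSEC through log collection rather than relying on syscheck's own baseline.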