Re: [ossec-list] Re: Integrity checksum size changed to 0 or from 0 - false positive

2016-02-02 Thread Santiago Bassett
Yes, same thing happened to me in the past and I think it is a limitation in the message size. I ended up changing the command, but I guess recompiling would work too.

Best

On Fri, Jan 29, 2016 at 3:31 AM, q wrote:
> Hello!
>
> I have a problem with a long

Re: [ossec-list] Re: Integrity checksum size changed to 0 or from 0 - false positive

2016-01-29 Thread q
Hello!

I have a problem with a long output too. I run netstat -tupln and got truncated output, and I don't know how to avoid this.

On 29.01.2016 11:52, ZaNN wrote:
> Hi again,
>
> Is anyone monitoring iptables output? Has anyone faced the problem of
> a long command output?
>
> Thanks in

[ossec-list] Re: Integrity checksum size changed to 0 or from 0 - false positive

2016-01-29 Thread ZaNN
Hi again,

Is anyone monitoring iptables output? Has anyone faced the problem of a long command output?

Thanks in advance

On Wednesday, January 27, 2016, 9:26:48 (UTC+1), ZaNN wrote:
>
> Hello Daniel,
>
> Yes, that was my first try. Problem was that the result of an iptables
> command was

[ossec-list] Re: Integrity checksum size changed to 0 or from 0 - false positive

2016-01-27 Thread ZaNN
Hello Daniel,

Yes, that was my first try. Problem was that the result of an iptables command was too large and the content was truncated most of the time. Therefore, it was triggering false positives.

Do you think of another way to perform an iptables -S check diff in real time?

El

[ossec-list] Re: Integrity checksum size changed to 0 or from 0 - false positive

2016-01-26 Thread Daniel Cid
Yes, that would be an issue. Have you tried not sending the output to a file and using the check_diff option on the rules itself? You could do:

<localfile>
  <log_format>full_command</log_format>
  <command>iptables -S</command>
  <alias>iptables_status</alias>
  <frequency>3600</frequency>
</localfile>

And then write a rule to alert on changes:

530 ossec: output: