Issue #24 new

Observations for Possible Improvements to /syscheck_control

mstarks01
created an issue

-When <auto_ignore>no</auto_ignore> is set in ossec.conf, I would still expect to be able to ignore individual files with something like ./bin/syscheck_control -i nnn -d -f <filename>, but it does not ignore the file.

-When <auto_ignore>no</auto_ignore> is set in ossec.conf and the file has changed more than three times, syscheck_control reports that it is being ignored.

-Attempting to list a Windows file by using the format of the filename in the alert does not work, unless the slash is escaped. For example, this does not work:

./bin/syscheck_control -i 005 -f C:\WINDOWS/system32/perfc009.dat

However, this does:

./bin/syscheck_control -i 005 -f C:\\WINDOWS/system32/perfc009.dat

Perhaps OSSEC could internally escape the backslash.

Finally, it would be nice to also support the standard Windows convention of using backslashes only when putting in a full path, and since backslashes cannot be in a filename, OSSEC could presume to escape or convert to forward slashes any that were found in the argument. That way, something like this would work: C:\WINDOWS\system32\perfc009.dat

Comments (1)

  1. mstarks01 reporter

    As you suggested on IRC, the escaping issue is completely a shell problem. OSSEC isn't the problem there. Incidentally, Bitbucket deleted the double-slash in my example, I guess it escaped it. :)
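An added example (not from the issue reporter or from OSSEC) showing what a program actually receives when a Windows path is passed unquoted, doubled, or single-quoted through a POSIX shell, which is the point settled in the comment above, plus a hypothetical `win_to_alert_path` helper illustrating the conversion the report suggests; it keeps the backslash after the drive letter and converts the rest, matching the alert format quoted in the issue.

```shell
#!/bin/sh
# Added example, not OSSEC code. Demonstrates why
#   ./bin/syscheck_control -i 005 -f C:\WINDOWS/system32/perfc009.dat
# fails: the shell removes the backslash before the program runs.

# Print the argument exactly as the shell delivered it.
as_received() {
    printf '%s' "$1"
}

# Unquoted: the shell treats \W as an escaped W, so the backslash is lost.
unquoted_form() {
    as_received C:\WINDOWS/system32/perfc009.dat
}

# Doubled backslash: the shell collapses \\ to a single backslash,
# which is the form that worked in the report.
doubled_form() {
    as_received C:\\WINDOWS/system32/perfc009.dat
}

# Single quotes: nothing is interpreted, so the path arrives intact.
quoted_form() {
    as_received 'C:\WINDOWS/system32/perfc009.dat'
}

# Hypothetical normaliser for the report's suggestion: accept a full
# backslash-only Windows path and produce the alert-style form
# (drive-letter backslash kept, remaining backslashes made forward
# slashes), assuming that is the format syscheck_control expects.
win_to_alert_path() {
    printf '%s' "$1" \
        | sed -e 's#\\#/#g' \
        | sed -e 's#^\([A-Za-z]:\)/#\1\\#'
}

# Constructed demonstration run.
echo "unquoted: $(unquoted_form)"
echo "doubled:  $(doubled_form)"
echo "quoted:   $(quoted_form)"
echo "normalised: $(win_to_alert_path 'C:\WINDOWS\system32\perfc009.dat')"
```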
