Observations for Possible Improvements to /syscheck_control
-When <auto_ignore>no</auto_ignore> is set in ossec.conf, I would still expect to be able to ignore individual files with something like ./bin/syscheck_control -i nnn -d -f <filename>, but it does not ignore the file.
-When <auto_ignore>no</auto_ignore> is set in ossec.conf and the file has changed more than three times, syscheck_control reports that it is being ignored.
-Attempting to list a Windows file by using the format of the filename in the alert does not work, unless the slash is escaped. For example, this does not work:
./bin/syscheck_control -i 005 -f C:\WINDOWS/system32/perfc009.dat
However, this does:
./bin/syscheck_control -i 005 -f C:\\WINDOWS/system32/perfc009.dat
Perhaps OSSEC could internally escape the backslash.
Finally, it would be nice to also support the standard Windows convention of using backslashes only when putting in a full path, and since backslashes cannot be in a filename, OSSEC could presume to escape or convert to forward slashes any that were found in the argument. That way, something like this would work: C:\WINDOWS\system32\perfc009.dat
Comments (1)
As you suggested on IRC, the escaping issue is completely a shell problem. OSSEC isn't the problem there. Incidentally, bitbucket deleted the double-slash in my example, I guess it escaped it. :)
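The following is an added example to illustrate the thread, not code from the issue or from OSSEC. It shows what a POSIX shell actually hands to a program when a Windows path is typed unquoted, with doubled backslashes, or single-quoted (the "shell problem" named in the comment), and it sketches the normalization the issue proposes OSSEC could do on its side (treat every backslash as a separator and rewrite it as a forward slash). The path and agent id come from the issue; the function names are assumed for the demonstration and nothing here invokes syscheck_control.

```shell
#!/bin/sh
# Added example, not OSSEC code. Reproduces the escaping behaviour discussed
# in the issue and the comment, and sketches the backslash-to-slash
# normalization the issue asks for. The path is the one from the issue.

# Re-parse a string exactly as if it had been typed unquoted on the command
# line and return what the invoked program receives as its argument. eval is
# used only because word expansion happens at parse time and we want to
# observe it on a string held in a variable. Demo only: never eval untrusted
# input, it is a command injection.
shell_sees() {
    eval "printf '%s' $1"
}

# The normalization the issue proposes OSSEC could apply internally: a
# backslash cannot occur in a Windows filename, so every one is a separator
# and can be rewritten as '/'. tr needs the backslash escaped in its own
# argument, which is why the pattern is written as '\\'.
to_forward_slashes() {
    printf '%s\n' "$1" | tr '\\' '/'
}

# Print each way of typing the path from the issue and what reaches the
# program. Only the doubled-backslash and single-quoted forms survive intact;
# the unquoted forms lose every backslash before syscheck_control would see
# them.
main() {
    for typed in 'C:\WINDOWS/system32/perfc009.dat' \
                 'C:\\WINDOWS/system32/perfc009.dat' \
                 'C:\WINDOWS\system32\perfc009.dat' \
                 "'C:\WINDOWS\system32\perfc009.dat'"; do
        printf 'typed %-38s -> program receives %s\n' \
            "$typed" "$(shell_sees "$typed")"
    done
    # What the argument would look like after the proposed normalization.
    printf 'normalized for -f: %s\n' \
        "$(to_forward_slashes 'C:\WINDOWS\system32\perfc009.dat')"
}

main "$@"
```

The practical takeaway for the `-f` argument is to single-quote the path (or double every backslash) so the shell passes it through unchanged; the normalization function shows that if OSSEC did convert backslashes itself, the quoting would still be needed, because the loss happens before the argument reaches the program.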