HIDS 592
Rule ID
592
Status
Active rule currently published.
Description
This rule detects when a monitored file changes. The change may be authorized or unauthorized, and either way it should be investigated further.
Specifically, this rule fires when a file's size has been reduced but the file itself has not been replaced. This can occur if an attacker has removed lines from the log file, if an attacker has "zeroed" out the log file, or if a non-malicious process has zeroed out the log file.
Some log rotation tools truncate the file in place instead of moving it, which also triggers this rule.
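The distinction the rule draws, "size reduced but not replaced", can be checked from a baseline of inode and size: an in-place truncation keeps the inode and shrinks the size, while a move-and-recreate rotation changes the inode. The following is an added illustration of that logic, not ASL or OSSEC code; the file names and log lines are constructed for the demo.

```python
import os
import tempfile
from dataclasses import dataclass

@dataclass(frozen=True)
class FileState:
    """Baseline record: the inode identifies the file object, size its length."""
    inode: int
    size: int

def snapshot(path: str) -> FileState:
    st = os.stat(path)
    return FileState(inode=st.st_ino, size=st.st_size)

def classify_change(before: FileState, after: FileState) -> str:
    """'size_reduced' is the condition rule 592 alerts on: the same file object
    (same inode) got smaller, as when lines are deleted or the file is zeroed
    in place. A rotation that moves the file aside and creates a new one shows
    up as 'replaced' instead, because the inode changes."""
    if before.inode != after.inode:
        return "replaced"
    if after.size < before.size:
        return "size_reduced"
    if after.size > before.size:
        return "grew"
    return "unchanged"

def simulate() -> dict:
    """Constructed demo on a temporary log file; returns the verdict per scenario."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "app.log")
        with open(log, "w") as f:
            f.write("line one\nline two\nline three\n")
        base = snapshot(log)
        # Normal activity: the log only grows.
        with open(log, "a") as f:
            f.write("line four\n")
        results["appended"] = classify_change(base, snapshot(log))
        # Lines removed, or file zeroed in place (copy-and-truncate rotation does
        # this too): same inode, smaller size.
        with open(log, "w") as f:
            f.write("line one\n")
        results["truncated"] = classify_change(base, snapshot(log))
        # Rotation by move-and-recreate: different inode, so not a size reduction.
        os.rename(log, log + ".1")
        open(log, "w").close()
        results["rotated"] = classify_change(base, snapshot(log))
    return results
```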
False Positives
There are no known false positives for this rule. This rule detects when files change, so it is not recommended that you disable it. Instead, if you do not wish to be alerted when a specific file, or the files in a particular directory, change, log into the ASL GUI, click on the ASL tab, select the File Integrity menu options and modify your configuration to ignore that file or directory.
Tuning Recommendations
If you do not wish to monitor the file or directory reported as changed, log into the ASL GUI, click on the ASL tab, select the File Integrity menu options and modify your configuration to ignore this file or directory.
Similar Rules
None.
Knowledge Base Articles
None.
Outside References