HIDS 592

From Atomicorp Wiki

Rule ID

592

Status

Active rule currently published.

Description

This rule detects when a monitored file changes. The change may be authorized or unauthorized, and it should be investigated further either way.

Specifically, this rule fires when a monitored file's size has been reduced but the file itself has not been replaced (the same file still sits at that path). This can occur if an attacker has removed lines from a log file, if an attacker has "zeroed out" (truncated) the log file, or if a non-malicious process has zeroed out the log file.

Some log rotation tools truncate the log file in place instead of moving it, which also triggers this rule.
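
The distinction the rule draws is between a file that shrank in place (same inode, smaller size) and a path where a different file now sits (inode changed, as after a rotate-by-rename). The following is an added example, not Atomicorp's or OSSEC's code: it takes a baseline of size and inode, re-checks later, and labels the change; the scenario it builds in a temporary directory is constructed for illustration.

```python
import os
import tempfile


def snapshot(path):
    """Baseline a monitored file: its size and inode number."""
    st = os.stat(path)
    return {"size": st.st_size, "inode": st.st_ino}


def classify_change(baseline, current):
    """Label how a monitored file changed between two snapshots.

    'reduced_in_place' is the condition rule 592 describes: the same file
    (inode unchanged) became smaller without being replaced.
    """
    if current["inode"] != baseline["inode"]:
        return "replaced"          # rotated or moved: a different file is at the path
    if current["size"] < baseline["size"]:
        return "reduced_in_place"  # truncated, or lines removed from the file
    if current["size"] > baseline["size"]:
        return "grew"              # normal append-only growth of a log
    return "unchanged"


def demo():
    """Constructed scenario: truncate one log in place, rotate it by rename."""
    workdir = tempfile.mkdtemp()
    log = os.path.join(workdir, "auth.log")
    with open(log, "w") as f:
        f.write("line1\nline2\nline3\n")
    base = snapshot(log)

    # In-place truncation: same inode, smaller size -> what rule 592 fires on.
    with open(log, "w") as f:
        f.write("line1\n")
    truncated = classify_change(base, snapshot(log))

    # Rotation by rename: a new file (new inode) appears at the path instead.
    os.rename(log, log + ".1")
    with open(log, "w") as f:
        f.write("")
    rotated = classify_change(base, snapshot(log))
    return truncated, rotated
```

Rotation by rename is reported as "replaced" rather than as a size reduction, which is why only tools that truncate in place look like a tampered log to this check.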

False Positives

There are no known false positives for this rule. Because this rule detects when files change, it is not recommended that you disable it. Instead, if you do not wish to be alerted when a specific file, or files in a particular directory, change, log into the ASL GUI, click on the ASL tab, select the File Integrity menu options and modify your configuration to ignore this file or directory.

Tuning Recommendations

If you do not wish to monitor the file or directory reported as changed, log into the ASL GUI, click on the ASL tab, select the File Integrity menu options and modify your configuration to ignore this file or directory.

Similar Rules

None.

Knowledge Base Articles

None.

Outside References
