Critical System Protection

  • 1.  CSP Detection Event recording actions inside war, ear, zip, rar files

    Posted May 16, 2012 11:10 AM

    Is it possible for a detection policy to record specific changes within an ear, war, zip, rar file and then send those results to the console?

    example:

    within our infrastructure, we use WAR files to distribute content to some of our web servers.
    The WAR files (which can be unpacked and viewed with winrar, 7zip etc) contain *.config, *.htm type files.

    UserA unpacks a WAR file to make changes to a config file.
    UserA saves the WAR file to the webserver where a detection policy is watching *.war to replace the current war file.

    Hashing is turned on, so the new hash value shows, but there is no "old" hash value to compare against.
    I am seeing (with a custom template watching specifically *.war) that the file is "deleted" and then "created".

    cheers.



  • 2.  RE: CSP Detection Event recording actions inside war, ear, zip, rar files

    Posted May 18, 2012 08:54 AM

    Hum, I don't think it is possible.

     

    I know you can see changes on a text file:

     - You create test.txt

     - You create a FileWatch rule to monitor this file's changes

     - You edit the file to add a line

     - You can then see in the event log the line which has been added

     

    However, for the case of an archive, even if such a rule would work, the difference would probably be encrypted so not readable (like opening a zip file in a text editor). You may still give it a try.

     



  • 3.  RE: CSP Detection Event recording actions inside war, ear, zip, rar files
    Best Answer

    Posted May 18, 2012 09:05 AM

    Thank you, sir. I figured as much, but you never know if you don't ask.

    I tested with a custom template to watch *.ear files.

    results in console:
    test.ear deleted
         followed by
    test.ear created
    Checksum shows for the "created" ear file as if it were a brand new file. (no biggie)

    I've altered my business need to watch the files in the subfolders as the ear file gets unpacked to a specific location and then is deflated to subfolders. I'll just have the coders keep the TFS records for the specific ear files and go from there to watch (ex) D:\path\test.ear\distributed_folder\*
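
Added example, not part of the thread and not a CSP feature: because a replaced archive shows up only as "deleted" then "created" with a single new hash, the per-entry comparison has to happen outside the file watch. The sketch below hashes every entry of a baseline WAR/EAR/ZIP (all ZIP format; RAR is not handled) against the replacement and reports which entries were added, removed or modified. The function names and the sample archive contents are constructed for illustration.

```python
import hashlib
import io
import zipfile


def entry_hashes(archive_bytes):
    """Map each file entry in a ZIP-format archive (WAR/EAR/ZIP) to its SHA-256."""
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            hashes[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return hashes


def diff_archives(old_bytes, new_bytes):
    """Return entries added, removed and modified between two archive versions."""
    old, new = entry_hashes(old_bytes), entry_hashes(new_bytes)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }


def build_war(files):
    """Build an in-memory WAR from {name: bytes}; only for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: a baseline WAR and the copy saved back after an edit.
BASELINE = build_war({
    "WEB-INF/web.config": b"timeout=30\n",
    "index.htm": b"<html>v1</html>\n",
})
REPLACED = build_war({
    "WEB-INF/web.config": b"timeout=300\n",
    "index.htm": b"<html>v1</html>\n",
    "debug.htm": b"<html>debug</html>\n",
})

if __name__ == "__main__":
    for kind, names in diff_archives(BASELINE, REPLACED).items():
        print(kind, names)
```

The baseline has to be kept somewhere the person replacing the archive cannot modify, such as the source-control record of the released build.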