9. Improving the signal-to-noise ratio

To get a good signal-to-noise ratio (i.e. few false alerts), you need to know which files should be checked and which should not (if in doubt, looking at the 'last modified' timestamp may be helpful).

To see how to set recursion depths, implement 'check all but xxx' policies, etc., have a look at Section 4.1.

As samhain runs as a daemon, it is able to 'remember' all file system changes, so you won't be bothered twice about the same problem.
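
One way to act on the 'last modified' hint at the start of this section, as an added example (not part of the samhain documentation): a shell helper that lists files modified within a given number of days and counts them per directory, so that directories with frequent legitimate changes stand out as candidates for a looser policy. The function names are hypothetical; a POSIX shell with find, awk and sort is assumed.

```shell
#!/bin/sh
# Added example: survey recent modifications before deciding what to monitor.
# Function names are hypothetical and not part of samhain.

# recent_changes DIR DAYS
# Print regular files under DIR whose mtime is less than DAYS days old.
# -xdev keeps the walk on one file system (no descent into /proc, NFS, ...).
recent_changes() {
    find "$1" -xdev -type f -mtime "-$2" -print 2>/dev/null | sort
}

# churn_by_dir DIR DAYS
# Print "<count><TAB><directory>" for every directory that holds recently
# modified files, busiest first. Directories near the top change often;
# review them before putting them under a strict policy, since each
# legitimate change there would otherwise be reported as an alert.
churn_by_dir() {
    tab=$(printf '\t')
    recent_changes "$1" "$2" |
    awk '{
            d = $0
            sub("/[^/]*$", "", d)      # strip the file name, keep the directory
            if (d == "") d = "/"       # file located directly in the root
            n[d]++
         }
         END { for (d in n) printf "%d\t%s\n", n[d], d }' |
    sort -t "$tab" -k1,1nr -k2
}

# Typical use (paths are examples only):
#   churn_by_dir /etc 7
#   recent_changes /usr/local 30
```

Files that never show up in such a survey are good candidates for strict checking, because any change to them is unexpected.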