Greetings:
I replaced the netstat on the server (actually updated net-tools, which
was outdated),
rpm -V net-tools-1.60-37.EL4.9
Provides no output, which I understand means the package verified
ok.
Yet, ossec-rootcheck still shows hidden ports as listed in my first
post.
strings
On Aug 27, 11:11 am, Peter M. Abraham [EMAIL PROTECTED]
wrote:
Greetings:
I replaced the netstat on the server (actually updated net-tools, which
was outdated),
rpm -V net-tools-1.60-37.EL4.9
Provides no output, which I understand means the package verified
ok.
You realize that even
Hi Andrew,
There is a very subtle acknowledgement that the rootcheck scan ran
that is stored on the server side. If you go to
/var/ossec/queue/rootcheck you will see one entry for each agent
(plus the one for the server, just named rootcheck).
If you look at any of the files in there, you will
In my previous life, we had several busy servers and they would
often alert like this because of temporary port usage. I believed
the alert was because OSSEC tried to bind to a port, could not, then
ran netstat and did not see the port in
Hi David,
In addition to what you mentioned, if you are using Linux, it can also
be caused by a bug in an application that is binding to a TCP port, but
not listening on it. For some weird reason, Linux does not report these
ports on netstat...
More info here:
http://www.ossec.net/dcid/?p=87
Hi Daniel,
Are you sure ossec did this? First, it doesn't run in kernel mode, so
even if it crashed, it would not crash the whole system. It also doesn't
use a lot of memory, so I can't see it being responsible for that...
Can you show us more information? If you are still getting alerts from