Hi Graeme,
On some Linux distributions you need to specify _FILE_OFFSET_BITS=64 and _LARGEFILE64_SOURCE to add support for large files. I was doing this automatically on previous versions, but by mistake I removed it from the makefile of rootcheck (but all other daemons still support it). To fix that, just edit src/Config.Make, add the following to the CFLAGS and recompile ossec: -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 In addition to that, for OpenBSD and other systems (I think FreeBSD and some linux distros) the offset is by default 64 bits, so you don't need to make these changes... *it will be fixed by default in the next version. Thanks for the report. -- Daniel B. Cid dcid ( at ) ossec.net On 8/8/06, Unit3 <[EMAIL PROTECTED]> wrote:
This may have been posted already, but I don't see an easy way to search the archives, nor a recent post about it, so I figured I should ask. I'm seeing some false positive rootkit detection on my Ubuntu/dapper system after a fresh install of 0.9: Rule: 14 fired (level 8) -> "Rootkit detection engine message" Portion of the log(s): Anomaly detected in file '/var/lib/mysql/ibdata1'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit. Now, that file isn't a rootkit, but it *is* 2.6 GB. I got the same message about a backup file over 4GB that I had in /root/. I'm running xfs as my root filesystem, and AFAIK Ubuntu's tools are all large file safe, so it seems like it's OSSEC that's having problems with large files? If there's a config option I missed or something similar, just give me a URL and an RTFM. ;) Thanks, Graeme
