The trojan rules are specified in the rootkit_trojans.txt file and they were taken from years of analyzing malware, application-level rootkits and backdoors (and also from learning from other open source tools). Generally the chkrootkit rules cause fewer false positives, but more false negatives (since they were built based on a few rootkits). On ossec, I tried to make it broader and less malware specific (if that is possible)...

Anyway, I will remove this false positive from the rules for the next version. Thanks,

-- Daniel B. Cid
dcid ( at ) ossec.net

On 8/25/06, haps <[EMAIL PROTECTED]> wrote:
I got an alert shortly after starting it up for the first time:

Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
Trojaned version of file '/bin/lsof' detected. Signature used: '/prof|/dev/[^pcmnfk]|proc\.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Trojan)

This was very cool. The problem is that I built the dang thing (lsof). Not that the source code couldn't have been contaminated. So I tried to figure out what trojan it was.

# strings /usr/bin/lsof | egrep "/prof|/dev/[^pcmnfk]|proc\.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp"
/dev/allkmem
#

I did a search through some of the other rootkit detectors and I found that chkrootkit looks for /prof, and rkhunter doesn't use strings. Can you tell me how you came up with your rules?

--HAPS
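The exchange above boils down to one mechanism: a rootkit_trojans.txt entry is a regular expression applied to the printable strings of a binary, and `/dev/[^pcmnfk]` happens to match the legitimate `/dev/allkmem` string in a self-built lsof. The following is an added example, not OSSEC's code and not code posted by either participant; it reimplements that strings-plus-regex check in Python over a constructed byte blob, reproduces the false positive with the signature quoted in the thread, and shows a per-string allowlist as one hypothetical way to suppress a known-good hit without widening the negated character class (how OSSEC actually resolved it is not stated on the page).

```python
import re

# Signature exactly as quoted in the alert on the page (OSSEC rootkit_trojans.txt entry for lsof).
LSOF_SIGNATURE = r"/prof|/dev/[^pcmnfk]|proc\.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp"

# Constructed sample: a fake ELF-like blob with a few printable strings embedded,
# including '/dev/allkmem', which a self-built lsof legitimately contains.
CLEAN_SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"/dev/allkmem\x00"
    + b"\x01\x02"
    + b"lsof: can't open %s\x00"
    + b"/dev/kmem\x00"
    + b"\xff\xfe"
    + b"LSOF_VERSION\x00"
)

# Constructed sample of what the rule is actually hunting for: a shell path and an
# odd tty device name embedded in a binary that has no business referencing them.
SUSPICIOUS_SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"/dev/allkmem\x00"
    + b"/bin/bash\x00"
    + b"\x03\x04"
    + b"/dev/ttyoa\x00"
)


def extract_strings(data: bytes, min_len: int = 4):
    """Mimic strings(1): return runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def scan(data: bytes, signature: str, allowlist=frozenset()):
    """Apply the signature to each extracted string, like 'strings | egrep'.

    Returns (string, matched_fragment) pairs. Strings in the hypothetical
    allowlist (an assumption of this example) are skipped even if they match.
    """
    pattern = re.compile(signature)
    hits = []
    for s in extract_strings(data):
        m = pattern.search(s)
        if m and s not in allowlist:
            hits.append((s, m.group()))
    return hits


def flagged_strings(data: bytes, signature: str, allowlist=frozenset()):
    """Just the offending strings, for readability in reports and tests."""
    return [s for s, _ in scan(data, signature, allowlist)]


if __name__ == "__main__":
    print("clean lsof, raw rule:    ", flagged_strings(CLEAN_SAMPLE, LSOF_SIGNATURE))
    known_good = frozenset({"/dev/allkmem"})
    print("clean lsof, allowlisted: ", flagged_strings(CLEAN_SAMPLE, LSOF_SIGNATURE, known_good))
    print("suspicious, allowlisted: ", flagged_strings(SUSPICIOUS_SAMPLE, LSOF_SIGNATURE, known_good))
```

Run as-is, the first line reports `/dev/allkmem`, which is exactly the output of the `strings | egrep` command in the thread: the negated class `[^pcmnfk]` was written to let `/dev/ptmx`, `/dev/console`, `/dev/mem`, `/dev/null`, `/dev/fd` and `/dev/kmem` through, but `/dev/allkmem` starts with `a`. The allowlist removes that one string while the `/bin/bash` and `/dev/ttyoa` strings in the constructed suspicious sample are still reported, which is the trade-off Daniel describes: a broader signature catches more variants at the cost of a few false positives that have to be tuned away per binary.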
