Hello all. I have several machines in a high-capacity Oracle database environment that I have running with OSSEC. The machines have a separate, dedicated network that Oracle uses for heartbeat and replication. The interfaces that are connected to this network often have arbitrary high ports enabled and listening, which produces alerts similar to the following:
OSSEC HIDS Notification.
2007 Jan 29 13:12:04

Received From: (pkdb2) 192.168.16.212->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):

Port '43385'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

--END OF NOTIFICATION

What I'm trying to figure out is if there might be any way to disable RootCheck on a specific network interface.

-----
Jeremy
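For readers trying to understand why the interconnect ports trip this alert: the rootcheck "hidden port" test, as I read it, does not look at interfaces at all. It tries to bind() every port; a port that refuses the bind (EADDRINUSE) yet does not appear in netstat output is reported as hidden, so a socket bound only to 192.168.16.212 still blocks a wildcard bind, and a connection that opens or closes between the bind probe and the netstat snapshot looks "hidden" for a moment. The script below is an added example (not OSSEC's code and not something the poster ran) that reproduces that comparison and adds the one knob a practitioner usually wants, an exempt port range such as the kernel's ephemeral range. The netstat text, host addresses and port numbers in it are constructed for illustration.

```python
"""Reproduce the rootcheck-style hidden-port comparison with an exempt range.

Added example, not OSSEC's own rootcheck code. Sample data below is constructed.
"""
import errno
import re
import socket
import subprocess

# Constructed `netstat -ant` output; addresses and ports are made up for the example.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1521            0.0.0.0:*               LISTEN
tcp        0      0 192.168.16.212:43385    192.168.16.213:38842    ESTABLISHED
tcp        0      0 192.168.16.212:43386    0.0.0.0:*               LISTEN
"""

# proto, Recv-Q, Send-Q, then local address:port; matches tcp/tcp6/udp/udp6 rows only.
SOCKET_LINE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def ports_in_netstat(text):
    """Return {(proto, port, local_addr)} for every socket row in `netstat -an` output."""
    found = set()
    for line in text.splitlines():
        m = SOCKET_LINE.match(line)
        if m:
            proto = m.group(1).rstrip("6")  # treat tcp6 like tcp, udp6 like udp
            found.add((proto, int(m.group(3)), m.group(2)))
    return found


def bind_refused(port, proto="tcp", addr=""):
    """True if bind() on addr:port fails with EADDRINUSE, i.e. something already holds it.

    addr="" is the wildcard address, which is what makes a socket bound only to the
    interconnect address still count as "in use".
    """
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind((addr, port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return True
            raise
    return False


def hidden_ports(netstat_text, busy, ports, proto="tcp", exempt=()):
    """Ports for which busy(port) is True but netstat shows nothing, minus exempt ranges.

    `busy` is injected so the comparison can be tested against constructed data;
    the live scan passes bind_refused.
    """
    visible = {p for (pr, p, _addr) in ports_in_netstat(netstat_text) if pr == proto}
    hidden = []
    for p in ports:
        if any(lo <= p <= hi for lo, hi in exempt):
            continue
        if busy(p) and p not in visible:
            hidden.append(p)
    return hidden


def ephemeral_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """Read the Linux ephemeral port range so short-lived replication sockets can be exempted."""
    with open(path) as f:
        lo, hi = f.read().split()
    return int(lo), int(hi)


def live_scan(ports=range(1, 65536), exempt=()):
    """Snapshot netstat once, then probe every port; the gap between the two is the same
    race that produces transient 'hidden' reports on a busy interconnect."""
    out = subprocess.run(["netstat", "-ant"], capture_output=True, text=True, check=False)
    return hidden_ports(out.stdout, bind_refused, ports, exempt=exempt)


if __name__ == "__main__":
    # Needs root to bind ports below 1024; unprivileged runs raise EACCES there.
    print(live_scan(exempt=[ephemeral_range()]))
```

The point of the exempt range is that the test is about ports, not interfaces: nothing in the comparison can tell that 43385 lives on the replication network. Whatever the agent's configuration allows, the practical options are to stop reporting the ephemeral range or to stop the port check entirely, and the script lets you see which reports survive either choice before changing the agent.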
