Hi,
I see these false alarms too on a busy mail server with lots of pop,
smtp & milter processes, so I assume it's to do with the timing of the
checks. It's always a different high port and fairly infrequent.
time netstat -an
real 0m0.218s (lots of open ports, sockets)
I also see this false positive:
Anomaly detected in file '/tmp/clamav-e43e67caaaeca43d'. Hidden from stats, but
showing up on readdir. Possible kernel level rootkit.
clamav-milter writes to tmp & removes quickly also.
Ken A
Pacific.Net
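An added illustration, not OSSEC's own code and not part of this thread: the hidden-file test Ken describes (an entry that readdir lists but stat cannot see) with a re-check pass so that a scratch file created and unlinked between the two calls, as clamav-milter's temporary files are, does not raise an alert. The function name `find_hidden_entries`, its parameters and the injectable `listdir`/`stat` callables are hypothetical; the sample directory in `main` is constructed.

```python
import os
import tempfile
import time


def find_hidden_entries(path, listdir=os.listdir, stat=os.stat, rechecks=2, delay=0.05):
    """Return names that readdir reports but stat persistently cannot see.

    A single pass produces false positives for short-lived files: the entry is
    seen by listdir, then unlinked before stat runs.  An entry is therefore only
    reported when, on every re-check, it is still listed AND stat still fails.
    The `listdir` and `stat` callables are injectable so the race can be
    simulated deterministically in tests.
    """
    suspects = set()
    for name in listdir(path):
        try:
            stat(os.path.join(path, name))
        except FileNotFoundError:
            suspects.add(name)  # candidate: listed by readdir, invisible to stat

    confirmed = set()
    for name in suspects:
        hidden = True
        for _ in range(rechecks):
            time.sleep(delay)
            listed = name in listdir(path)
            try:
                stat(os.path.join(path, name))
                visible = True
            except FileNotFoundError:
                visible = False
            if not listed or visible:
                hidden = False  # gone from readdir too (transient) or now stat-able
                break
        if hidden:
            confirmed.add(name)
    return confirmed


def main():
    # Constructed sample: an ordinary directory should yield no suspects.
    workdir = tempfile.mkdtemp()
    open(os.path.join(workdir, "scratch.tmp"), "w").close()
    print("hidden entries:", find_hidden_entries(workdir))


if __name__ == "__main__":
    main()
```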
Daniel Cid wrote:
Hi Jeremy,
You are the second person to report problems with this check on ossec,
so I guess there might be something wrong in there. Are these ports opened
and closed very fast or are they supposed to be always open? From your
e-mail, I get the impression that they are always opened and listening.
If you do a netstat and grep for port 43385, can you see it there? There is
no way to disable these checks for one specific interface...
The following post explains how we do these checks:
http://www.ossec.net/ossec-list/2007-January/msg00075.html
Which OS + uname -a do you have?
Thanks,
Daniel B. Cid
dcid ( at ) ossec.net
On 1/29/07, Jeremy Melanson <[EMAIL PROTECTED]> wrote:
Hello all.
I have several machines in a high-capacity Oracle database environment
that I have running with OSSEC. The machines have a separate, dedicated
network that Oracle uses for heartbeat and replication. The
interfaces that are connected to this network often have arbitrary
high ports enabled and listening, which produces alerts similar to the
following:
OSSEC HIDS Notification.
2007 Jan 29 13:12:04
Received From: (pkdb2) 192.168.16.212->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
Port '43385'(tcp) hidden. Kernel-level rootkit or trojaned version of
netstat.
--END OF NOTIFICATION
What I'm trying to figure out is if there might be any way to disable
RootCheck on a specific network interface.
-----
Jeremy