Hello! First let me express how impressed I am with OSSEC! This is a great tool!
I just installed OSSEC and have a server and 1 agent (so far). However, the agent fired off the following notifications quickly after being installed. This is an Ubuntu Edgy server install with ssh and vsftp. I'm not experienced enough with either Linux or Ubuntu to know if these are standard files or not. Thanks for your help!

LNick

----

OSSEC HIDS Notification.
2007 Mar 20 16:53:39

Received From: (MB_FTP) 10.1.1.9->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):

File '/sys/module/sbs/parameters/update_mode' is owned by root and has written permissions to anyone.

--END OF NOTIFICATION

OSSEC HIDS Notification.
2007 Mar 20 16:53:40

Received From: (MB_FTP) 10.1.1.9->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):

File '/sys/module/sbs/parameters/capacity_mode' is owned by root and has written permissions to anyone.

--END OF NOTIFICATION

OSSEC HIDS Notification.
2007 Mar 20 16:53:27

Received From: (MB_FTP) 10.1.1.9->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):

File '/dev/bus/usb/.usbfs/001/001' present on /dev. Possible hidden file.

--END OF NOTIFICATION

OSSEC HIDS Notification.
2007 Mar 20 16:53:28

Received From: (MB_FTP) 10.1.1.9->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):

File '/dev/bus/usb/.usbfs/devices' present on /dev. Possible hidden file.

--END OF NOTIFICATION

OSSEC HIDS Notification.
2007 Mar 20 16:53:28

Received From: (MB_FTP) 10.1.1.9->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):

Anomaly detected in file '/dev/bus/usb/.usbfs/devices'. File size doesn't match what we found. Possible kernel level rootkit.

--END OF NOTIFICATION
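The five alerts in the post come from three rootcheck heuristics: a regular file owned by root that is world-writable, a dot-prefixed entry under /dev, and a file whose readable byte count differs from the size stat() reports. The script below is an added example, not OSSEC's own code and not part of the original post; it re-implements those three checks as small pure functions so the logic can be run by hand against a suspicious path. The message strings mirror the alert text above; the record layout (FileFacts), the root_uid parameter, and the constructed sample records are assumptions made for the example. The sample record for the sysfs parameter uses a 4096-byte stat size because sysfs attribute files report a nominal page-sized st_size regardless of how many bytes they actually return, which is why the size-mismatch heuristic is noisy on pseudo-filesystems.

```python
"""Stand-alone re-implementation of three OSSEC rootcheck heuristics.
Added example for illustration; not OSSEC's code. Messages paraphrase the alerts."""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FileFacts:
    """What the checks need from one filesystem entry (assumed layout)."""
    path: str
    mode: int                  # st_mode bits (type + permissions)
    uid: int                   # owner uid
    stat_size: int             # size reported by stat()
    read_size: Optional[int]   # bytes actually readable, None if unreadable/not regular


def collect_facts(path: str, max_read: int = 1 << 20) -> FileFacts:
    """Gather facts for a real path: lstat() it and, for regular files, count readable bytes."""
    st = os.lstat(path)
    read_size = None
    if stat.S_ISREG(st.st_mode):
        try:
            with open(path, "rb") as fh:
                read_size = len(fh.read(max_read))
        except OSError:
            pass
    return FileFacts(path, st.st_mode, st.st_uid, st.st_size, read_size)


def world_writable_root_file(f: FileFacts, root_uid: int = 0) -> Optional[str]:
    """Root-owned regular file with the other-write bit set (symlinks excluded)."""
    if stat.S_ISREG(f.mode) and f.uid == root_uid and (f.mode & stat.S_IWOTH):
        return f"File '{f.path}' is owned by root and has written permissions to anyone."
    return None


def hidden_dev_file(f: FileFacts) -> Optional[str]:
    """Any dot-prefixed path component below /dev; device nodes have no reason to be hidden."""
    parts = f.path.split(os.sep)
    if len(parts) > 2 and parts[1] == "dev" and any(p.startswith(".") for p in parts[2:]):
        return f"File '{f.path}' present on /dev. Possible hidden file."
    return None


def size_mismatch(f: FileFacts) -> Optional[str]:
    """Readable bytes differ from stat() size: classic sign of a file-hiding kernel module,
    but also the normal state of sysfs/usbfs pseudo-files, whose st_size is nominal."""
    if stat.S_ISREG(f.mode) and f.read_size is not None and f.read_size != f.stat_size:
        return (f"Anomaly detected in file '{f.path}'. File size doesn't match what we found. "
                "Possible kernel level rootkit.")
    return None


def check(f: FileFacts, root_uid: int = 0) -> List[str]:
    """Run all three heuristics and return the messages that fired, in a fixed order."""
    results = (world_writable_root_file(f, root_uid), hidden_dev_file(f), size_mismatch(f))
    return [m for m in results if m]


def scan_path(path: str, root_uid: int = 0) -> List[str]:
    """Convenience wrapper: collect facts for a real path and check them."""
    return check(collect_facts(path), root_uid)


# Constructed records modelled on the paths in the alerts (not real stat() output).
CONSTRUCTED = [
    FileFacts("/sys/module/sbs/parameters/update_mode", stat.S_IFREG | 0o666, 0, 4096, 2),
    FileFacts("/dev/bus/usb/.usbfs/devices", stat.S_IFREG | 0o444, 0, 0, 512),
    FileFacts("/etc/hostname", stat.S_IFREG | 0o644, 0, 6, 6),
]


def demo() -> dict:
    """Check each constructed record; the benign /etc/hostname record yields no messages."""
    return {f.path: check(f) for f in CONSTRUCTED}


def demo_real_file(root_uid: Optional[int] = None) -> List[str]:
    """Create a world-writable temp file and scan it, treating the current user as
    'root' so the ownership rule fires without needing actual root privileges."""
    if root_uid is None:
        root_uid = os.getuid()
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"hello\n")
        os.chmod(path, 0o666)
        return check(collect_facts(path), root_uid)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for path, msgs in demo().items():
        print(path, "->", msgs or "clean")
    print("temp file ->", demo_real_file())
```

Running it as root against the actual paths (`scan_path('/dev/bus/usb/.usbfs/devices')`) shows which of the three rules a given entry trips, which is the first thing to establish before deciding whether an alert needs a rootcheck ignore entry or a closer look at the host.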
