Hi Peter (and Scott)
Thanks for the feedback. I will fix those false positives for the next version.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 3/31/07, G E Scott Knauss <[EMAIL PROTECTED]> wrote:
Peter,
I can confirm that all of my SuSE10.2 boxes with ossec (5) have had the
same alerts, some of them with no network connectivity before ossec was
installed. So yes, I believe this is a false positive.
v/r
Scott
On Fri, 2007-03-30 at 03:18 +0800, Peter Kaye wrote:
Hi All,
I spoke with Hanashi on the IRC channel and he held my hand through a few
alerts that appeared in my mailbox. This alert appeared on both of my (quite
recently installed) SuSE 10.2 systems. SuSE 10.2 comes with the chess program
Phalanx installed by default and it cannot be easily removed due to
dependencies. Can you confirm this as a false positive? I also encountered
the ZK Rootkit warning which appears to already have been noted as a false
positive for SuSE 10.1, so it appears this has not changed in 10.2 (the alert
for that is not shown in this list).
Thank you all for your patience.
OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/ready-eth0' present on /dev. Possible hidden file.
--END OF NOTIFICATION
OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/ifup-eth0' present on /dev. Possible hidden file.
--END OF NOTIFICATION
OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/if-eth0' present on /dev. Possible hidden file.
--END OF NOTIFICATION
OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/ifup-lo' present on /dev. Possible hidden file.
--END OF NOTIFICATION
OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/if-lo' present on /dev. Possible hidden file.
--END OF NOTIFICATION
OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/network' present on /dev. Possible hidden file.
--END OF NOTIFICATION
OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/tmp/test' present on /dev. Possible hidden file.
--END OF NOTIFICATION
OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/ready-lo' present on /dev. Possible hidden file.
--END OF NOTIFICATION
OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/config-lo' present on /dev. Possible hidden file.
--END OF NOTIFICATION
OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/config-eth0' present on /dev. Possible hidden file.
--END OF NOTIFICATION
OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/new-stamp-2' present on /dev. Possible hidden file.
--END OF NOTIFICATION
OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/new-stamp-1' present on /dev. Possible hidden file.
--END OF NOTIFICATION
OSSEC HIDS Notification.
2007 Mar 30 02:24:00
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
Rootkit 'PHALANX' detected by the presence of file '/usr/bin/phalanx'.
G E Scott Knauss [EMAIL PROTECTED] or [EMAIL PROTECTED]
ECRNOC Naples, IT [EMAIL PROTECTED]
Lead Network Engineer
DSN: 314-626-4854
Comm: 39-081-568-4854
Cell: 39-333-224-9323
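The thread ends with two classes of rootcheck alert that are benign on SuSE 10.2: the "Possible hidden file" hits on SuSE's own network state files under /dev/shm/sysconfig, and the PHALANX signature matching the distro's chess package. Until a rootcheck release stops emitting them, a site has to triage them out of the mailbox. The script below is an added example, not code from the thread or from OSSEC: it parses the notification format quoted above and marks alerts benign when they match a site allowlist keyed on alert kind and path. The allowlist entries, the `classify_message`/`triage` helper names and the three sample notifications (the third path is made up to show an alert that survives triage) are assumptions constructed for the demonstration.

```python
"""Triage OSSEC rootcheck e-mail notifications against a site allowlist.

Added example, not part of the mailing-list thread or of OSSEC itself.
The allowlist mirrors the two false positives discussed in the thread
(SuSE's /dev/shm/sysconfig state files and the Phalanx chess package);
the patterns, helper names and sample text are constructed assumptions.
"""
import re
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional, Tuple

# Constructed sample in the exact format quoted in the thread. The third
# notification uses an invented path so one alert remains actionable.
SAMPLE_MAIL = """\
OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/ready-eth0' present on /dev. Possible hidden file.
--END OF NOTIFICATION
OSSEC HIDS Notification.
2007 Mar 30 02:24:00
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
Rootkit 'PHALANX' detected by the presence of file '/usr/bin/phalanx'.
--END OF NOTIFICATION
OSSEC HIDS Notification.
2007 Mar 30 02:24:03
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/.example-hidden/tmp' present on /dev. Possible hidden file.
--END OF NOTIFICATION
"""

TS_RE = re.compile(r"^\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}$")
FROM_RE = re.compile(r"^Received From: (.+?)->(\S+)$")
RULE_RE = re.compile(r'^Rule: (\d+) fired \(level (\d+)\) -> "(.*)"$')
HIDDEN_RE = re.compile(r"^File '([^']+)' present on (\S+)\. Possible hidden file\.$")
SIG_RE = re.compile(r"^Rootkit '([^']+)' detected by the presence of file '([^']+)'\.$")


@dataclass
class Alert:
    timestamp: str
    host: str
    source: str
    rule_id: int
    level: int
    description: str
    message: str
    path: Optional[str]
    kind: str                      # "hidden_file", "signature" or "other"
    benign_reason: Optional[str] = None


def classify_message(message: str) -> Tuple[str, Optional[str]]:
    """Map a rootcheck log line to an alert kind and the file it names."""
    m = HIDDEN_RE.match(message)
    if m:
        return "hidden_file", m.group(1)
    m = SIG_RE.match(message)
    if m:
        return "signature", m.group(2)
    return "other", None


def parse_notifications(text: str) -> List[Alert]:
    """Split a mail body into notifications and pull out the header fields."""
    alerts: List[Alert] = []
    for raw in text.split("--END OF NOTIFICATION"):
        lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
        if not lines or lines[0] != "OSSEC HIDS Notification.":
            continue
        ts = host = source = description = ""
        rule_id = level = 0
        log_lines: List[str] = []
        in_log = False
        for ln in lines[1:]:
            if in_log:                       # everything after the marker is log text
                log_lines.append(ln)
            elif ln == "Portion of the log(s):":
                in_log = True
            elif TS_RE.match(ln):
                ts = ln
            elif (m := FROM_RE.match(ln)):
                host, source = m.group(1), m.group(2)
            elif (m := RULE_RE.match(ln)):
                rule_id, level, description = int(m.group(1)), int(m.group(2)), m.group(3)
        message = " ".join(log_lines)
        kind, path = classify_message(message)
        alerts.append(Alert(ts, host, source, rule_id, level, description, message, path, kind))
    return alerts


# (kind, glob, reason). Assumed site policy derived from the thread. Note that
# fnmatch's '*' also matches '/', so the first entry covers nested paths such
# as /dev/shm/sysconfig/tmp/test seen in Peter's alerts.
DEFAULT_ALLOWLIST = [
    ("hidden_file", "/dev/shm/sysconfig/*", "SuSE 10.2 network state files in /dev/shm"),
    ("signature", "/usr/bin/phalanx", "Phalanx chess engine installed by the distro"),
]


def triage(alerts: List[Alert], allowlist=DEFAULT_ALLOWLIST) -> List[Alert]:
    """Mark allowlisted alerts benign in place; return the ones still needing a look."""
    for a in alerts:
        a.benign_reason = None
        if a.path is None:
            continue
        for kind, pattern, reason in allowlist:
            if a.kind == kind and fnmatch(a.path, pattern):
                a.benign_reason = reason
                break
    return [a for a in alerts if a.benign_reason is None]


if __name__ == "__main__":
    parsed = parse_notifications(SAMPLE_MAIL)
    triage(parsed)
    for a in parsed:
        tag = f"benign ({a.benign_reason})" if a.benign_reason else "ACTIONABLE"
        print(f"{a.timestamp} {a.host} rule {a.rule_id} level {a.level}: {a.path} -> {tag}")
```

Matching on both the alert kind and the path keeps the suppression narrow: the Phalanx entry silences only the signature hit on that one binary, and the /dev/shm/sysconfig entry silences only hidden-file hits there, so a hidden-file alert anywhere else on /dev still reaches the analyst. Entries should stay distro-specific (the thread ties both to SuSE 10.2) rather than growing into a blanket exclusion of /dev/shm.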