You rock Daniel. Thanks!
On Thu, 2007-06-07 at 21:38 -0300, Daniel Cid wrote:
> Hi Clayton,
>
> It seems to be a false positive. Basically, ossec tries the following:
>
> -Open every directory on the system and list the files (readdir).
> -For every file that it found on "readdir", it tries the *stat call to
> see if the system can see it too.
>
> *http://www.openbsd.org/cgi-bin/man.cgi?query=stat&sektion=2
>
> Some kernel level rootkits "hijack" the stat system call, hiding the
> file from it, but they do not hide it from readdir...
>
> More info about rootcheck:
> http://www.ossec.net/dcid/?p=25
>
> Anyway, since it is a cache file, I wouldn't be too concerned about
> it. If you do not want to receive these messages anymore, create a
> local rule ignoring it:
>
> <rule id="100450" level="0">
>   <if_sid>510</if_sid>
>   <match>Anomaly detected in file '/usr/local/apache2/htdocs/janeway/cache</match>
>   <description>Ignored rootcheck message</description>
> </rule>
>
> http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
>
> hope it helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
> On 6/7/07, Clayton Dillard <[EMAIL PROTECTED]> wrote:
> >
> > Can someone provide some insight into why this alert is being fired? I
> > get a lot of these alerts every day.
> >
> > Anomaly detected in file
> > '/usr/local/apache2/htdocs/janeway/cache/cache_94afbfb2f291e0bf253fcf222e9d238e_1af853019d87ece6588c780714841e9b'.
> > Hidden from stats, but showing up on readdir. Possible kernel level
> > rootkit.
> >
> > What "stats" is the alert referring to?
> >
> > Thanks,
> >
> > --
> > Clayton Dillard <[EMAIL PROTECTED]>
> > RPS Technology, LLC

--
Clayton Dillard <[EMAIL PROTECTED]>
RPS Technology, LLC
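The readdir-versus-stat consistency check Daniel describes, written out as an added example. This is not OSSEC's rootcheck code and not from anyone in the thread: it walks a directory tree, lists each directory (the readdir side), then lstat()s every listed entry and flags the ones stat cannot see. The injectable `listdir`/`lstat` wrappers, the `hiding_lstat` stand-in for a hijacked stat(), and the temporary sample tree built by `demo()` are all constructed here so the check can be exercised offline. The function only treats ENOENT as an anomaly; a stat that fails for another reason (for instance a directory you can read but not search) is skipped, and a file that is removed between the two calls, as a busy web cache does, produces exactly the signal seen in the alert, which is why a hit on a volatile cache path is usually a false positive.

```python
"""Added example: detect entries visible to readdir but hidden from stat()."""
import errno
import os
import stat as statmod
import tempfile
from typing import Callable, Iterable, List, Tuple

Anomaly = Tuple[str, str]  # (full path, reason)


def _default_listdir(path: str) -> Iterable[str]:
    """The readdir side: enumerate directory entries."""
    return os.listdir(path)


def _default_lstat(path: str) -> os.stat_result:
    """The stat side; lstat so symlinks are examined, not followed."""
    return os.lstat(path)


def find_stat_hidden(root: str,
                     listdir: Callable[[str], Iterable[str]] = _default_listdir,
                     lstat: Callable[[str], os.stat_result] = _default_lstat,
                     ) -> List[Anomaly]:
    """Return entries under `root` that readdir reports but stat() says do not exist.

    Only ENOENT counts: readdir returned the name, yet the kernel claims the
    path is absent. Other stat failures (EACCES, ELOOP, ...) have benign
    explanations and are skipped rather than reported.
    """
    anomalies: List[Anomaly] = []
    pending = [root]
    while pending:
        directory = pending.pop()
        try:
            entries = list(listdir(directory))
        except OSError:
            continue  # cannot enumerate this directory; nothing to compare
        for name in entries:
            if name in (".", ".."):
                continue
            full = os.path.join(directory, name)
            try:
                st = lstat(full)
            except FileNotFoundError:
                anomalies.append((full, "listed by readdir but stat() reports ENOENT"))
                continue
            except OSError:
                continue  # unreadable for an ordinary reason; not the rootkit signal
            if statmod.S_ISDIR(st.st_mode):
                pending.append(full)  # recurse into subdirectories
    return anomalies


def hiding_lstat(hidden: str) -> Callable[[str], os.stat_result]:
    """Constructed stand-in for a hijacked stat(): reports ENOENT for one path.

    Used only so the check can be demonstrated without a real rootkit.
    """
    target = os.path.abspath(hidden)

    def _lstat(path: str) -> os.stat_result:
        if os.path.abspath(path) == target:
            raise FileNotFoundError(errno.ENOENT, os.strerror(errno.ENOENT), path)
        return os.lstat(path)

    return _lstat


def demo() -> Tuple[int, List[str]]:
    """Build a constructed sample tree, run the check clean and with one
    entry hidden from stat(); returns (clean_hit_count, hidden_relative_paths)."""
    with tempfile.TemporaryDirectory() as root:
        cache = os.path.join(root, "cache")
        os.mkdir(cache)
        for name in ("index.html", "cache_entry_1", "cache_entry_2"):
            with open(os.path.join(cache, name), "w") as fh:
                fh.write("constructed sample content\n")
        clean = find_stat_hidden(root)
        target = os.path.join(cache, "cache_entry_2")
        hidden = find_stat_hidden(root, lstat=hiding_lstat(target))
        return len(clean), [os.path.relpath(path, root) for path, _ in hidden]


if __name__ == "__main__":
    print(demo())  # (0, ['cache/cache_entry_2'])
```

Running `demo()` scans the constructed tree twice: the honest lstat reports nothing, while the hiding stand-in makes one cache entry show up exactly as the alert in the thread describes it, listed by readdir but absent according to stat. To apply the check for real, call `find_stat_hidden("/")` with the defaults and review each hit against how volatile that path is before treating it as a rootkit indicator.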
