I suppose it could if you monitor the directories where the binaries live that can be modified, and providing the attacker doesn't recognize and disable Ossec in some fashion. Ossec can monitor changes to directories for file changes.
Look under syscheck options in the manual: http://www.ossec.net/main/manual/#config

...see you on newsforge.

Has

On Jan 24, 2008 8:57 AM, Joe Barr <[EMAIL PROTECTED]> wrote:
>
> Does OSSEC detect this new rootkit?
>
> --
> ./configure
> checking build system type... i686-pc-linux-gnu
> checking host system type... i686-pc-linux-gnu
> checking for gcc... gcc
> checking for corrupt government... yes
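
The syscheck setup the reply points to, as an added example that is not part of the original message or taken from the OSSEC project: an `ossec.conf` fragment that puts the directories holding system binaries under integrity monitoring. The directory list, scan interval and ignore entries are assumptions to adapt to the host.

```xml
<!-- ossec.conf fragment: added example, paths and interval are assumptions -->
<ossec_config>
  <syscheck>
    <!-- Run the integrity scan every 2 hours (value is in seconds) -->
    <frequency>7200</frequency>

    <!-- Directories where system binaries and configuration live;
         check_all records checksums, size, owner, group and permissions -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files that change routinely and would only add alert noise -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/adjtime</ignore>
  </syscheck>
</ossec_config>
```

In an agent/server deployment the integrity database is kept on the OSSEC server, so stored checksums are held off the monitored host.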
