Hi all, I'm trying out OSSEC for the first time and was pleasantly surprised by how easy it is to use and set up. However, I've come across a problem I'm not sure how to address - I run linux-vserver, and because of this, OSSEC sends a lot of these alerts:
Received From: (lab07.lab) 192.168.2.107->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):
Port '33916'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

I found a previous post, and the answer back then was just to disable rootkit detection: http://www.mail-archive.com/[email protected]/msg00011.html

Is this still the only way to get around this netstat error in OSSEC?

Thanks,
Victor
