Hi, can you provide me with the exact alert you are receiving? We can possibly put a specific rule in local_rules.xml to ignore this event.
Kind Regards,
Wim

On 24 Dec 2009, at 09:21, Albert Ros wrote:

> Dear Wim,
>
> But if I have a filesystem with a directory .snapshot, I must add an exception for
> this, or I constantly receive alerts about a possible rootkit:
>
> '/opt/.snapshot/hourly.5/.... ...../format'. Hidden from stats, but showing
> up on readdir. Possible kernel level rootkit.
>
> I think there should be a method to not check for rootkits in
> /opt/.snapshot.
>
> Thanks for your response,
> Albert.
>
> 2009/12/21 Wim Remes <[email protected]>
> Hi,
>
> rootcheck doesn't discriminate, as its goal is to look for files and
> configuration that would be consistent with the presence of a rootkit.
> The ignore setting is only valid in the <syscheck> directive, like this:
>
> <syscheck>
>   <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>   <ignore>/tmp/</ignore>
> </syscheck>
>
> However, the ignore would only make sense if you want to ignore a directory
> deeper in the hierarchy, like this:
>
> <syscheck>
>   <directories check_all="yes">/tmp</directories>
>   ...
>   <ignore>/tmp/dir1/dir2/dir3</ignore>
> </syscheck>
>
> because you don't care about file changes in that specific location, but you
> do in all other subfolders of /tmp.
>
> Hope this helps,
>
> Kind Regards,
>
> Wim
>
> On 21 Dec 2009, at 09:58, rosgos wrote:
>
> > Hi everyone,
> >
> > I am using ossec v2.3 on the server and I have an exception in the module
> > rootcheck:
> >
> > <rootcheck>
> >   ..............
> >   <ignore>/tmp/</ignore>
> > </rootcheck>
> >
> > I have restarted the daemon, but I am receiving alerts about changes in
> > directory /tmp.
> > Isn't this syntax in ossec.conf incorrect?
> >
> > Thanks.
> > Albert.
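As an added illustration, not code from the thread or from the OSSEC project: the two pieces the thread separates are the syscheck `<ignore>` (which only affects file-integrity checking, as Wim explains) and a local rule that silences the rootcheck alert for the snapshot path (the approach Wim offers in his last reply). The rule id 510 is assumed here to be the stock rootcheck anomaly rule; the local rule id 100010 and the description text are chosen for this example, and you should confirm the parent rule id against your installed rules before relying on it.

```xml
<!-- /var/ossec/etc/ossec.conf (fragment)
     Per the thread, <ignore> belongs under <syscheck>, not <rootcheck>.
     It stops change alerts for the snapshot tree but does nothing for
     rootcheck's "hidden from stats" detection. -->
<ossec_config>
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/opt</directories>
    <!-- snapshot directories churn constantly and are not real changes -->
    <ignore>/opt/.snapshot</ignore>
  </syscheck>
</ossec_config>

<!-- /var/ossec/rules/local_rules.xml (fragment)
     Child rule of the rootcheck anomaly rule (assumed id 510): fires
     instead of the parent only when the alert text contains the
     snapshot path, and level 0 means no alert is generated. Every
     other rootcheck finding still alerts as before. -->
<group name="local,rootcheck,">
  <rule id="100010" level="0">
    <if_sid>510</if_sid>
    <match>/opt/.snapshot/</match>
    <description>Rootcheck hidden-file noise from .snapshot tree, ignored.</description>
  </rule>
</group>
```

Keep the `<match>` as narrow as the real alert allows: a rule that matches only on `.snapshot` would also mute a rootkit that chose that name to hide in, so anchor it to the full mount path you actually see in the alert. After editing, restart OSSEC and confirm in alerts.log that other rootcheck events (for example a test file under /tmp) still fire.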
