Hi Brian, Thanks for the report. It has been fixed on the latest snapshot.
-- Daniel B. Cid
dcid ( at ) ossec.net

On Fri, Jan 1, 2010 at 3:00 PM, Brian Mastenbrook <[email protected]> wrote:
> The latest version of GNU coreutils (8.2) contains a reference to /dev/null in /bin/du, which is triggering a trojan alert with OSSEC 2.3.
> The rule which causes this is in etc/shared/rootkit_trojans.txt:
>
> du !/dev|w0rm|/prof|file\.h!
>
> The matching pattern in /bin/du:
>
> [r...@mumble ~]# strings /bin/du | egrep '/dev|w0rm|/prof|file\.h'
> /dev/null
>
> This binary of du is from Arch Linux. I've rebuilt coreutils 8.2 from source on another machine and this string does appear in the binary. Since other distributions are likely to upgrade coreutils soon, it would probably be a good idea to relax this rule.
>
> Thanks,
>
> Brian
