I also have other alerts as this:

Received From: xxx->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

File '/dev/cpuset/x...@575792/memory_spread_slab' present on /dev. Possible hidden file.

Received From: xxx->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

File '/dev/cpuset/x...@575792/memory_spread_page' present on /dev. Possible hidden file.

2010/1/12 Albert Ros <[email protected]>
> Hi,
>
> I'm receiving this alert:
>
> OSSEC HIDS Notification.
> 2010 Jan 12 07:53:45
>
> Received From: server->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
>
> Portion of the log(s):
>
> File '*/tmp/home_nfs/*.snapshot/hourly.5/home/xxx/file.txt' is owned by root
> and has written permissions to anyone.
>
> --END OF NOTIFICATION
>
> and I want to exclude the directory .snapshot for all agents. Is it
> possible, as you said, by adding a rule in local_rules.xml?
>
> Thanks,
> Albert.
>
> 2009/12/24 Wim Remes <[email protected]>
>> Hi,
>>
>> can you provide me with the exact alert you are receiving?
>> We can possibly put a specific rule in local_rules.xml to ignore this
>> event.
>>
>> Kind Regards,
>>
>> Wim
>>
>> On 24 Dec 2009, at 09:21, Albert Ros wrote:
>>
>> Dear Wim,
>>
>> But if I have a filesystem with directory .snapshot, I must add an exception
>> for this, or I am constantly receiving alerts about a possible rootkit:
>>
>> '*/opt/*.snapshot/hourly.5/.... ...../format'. Hidden from stats, but
>> showing up on readdir. Possible kernel level rootkit.
>>
>> I think there would be a method for not checking for rootkits in
>> /opt/.snapshot.
>>
>> Thanks for your response,
>> Albert.
>>
>> 2009/12/21 Wim Remes <[email protected]>
>>> Hi,
>>>
>>> rootcheck doesn't discriminate as its goal is to look for files and
>>> configuration that would be consistent with the presence of a rootkit.
>>> The ignore setting is only valid in the <syscheck> directive, like this
>>>
>>> <syscheck>
>>>   <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>>   <ignore>/tmp/</ignore>
>>> </syscheck>
>>>
>>> however, the ignore would only make sense if you want to ignore a
>>> directory deeper in the hierarchy, like this
>>>
>>> <syscheck>
>>>   <directories check_all="yes">/tmp</directories>
>>>   ...
>>>   <ignore>/tmp/dir1/dir2/dir3</ignore>
>>> </syscheck>
>>>
>>> because you don't care about file changes in that specific location, but
>>> you do in all other subfolders of /tmp.
>>>
>>> Hope this helps,
>>>
>>> Kind Regards,
>>>
>>> Wim
>>>
>>> On 21 Dec 2009, at 09:58, rosgos wrote:
>>>
>>> > Hi everyone,
>>> >
>>> > I am using ossec v2.3 on server and I have an exception in module
>>> > rootcheck:
>>> >
>>> > <rootcheck>
>>> >   ..............
>>> >   <ignore>/tmp/</ignore>
>>> > </rootcheck>
>>> >
>>> > I have restarted the daemon, but I am receiving alerts about changes in
>>> > directory /tmp.
>>> > Isn't this syntax in ossec.conf incorrect?
>>> >
>>> > Thanks.
>>> > Albert.
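The local_rules.xml rule Wim proposed for silencing the rule 510 alerts on the .snapshot directories, written out here as an added example rather than anything posted in the thread. The rule id 100510 and the matched string are assumptions; because rules are evaluated on the OSSEC server, one such rule covers every agent, which is what Albert asked for.

```xml
<!-- Added example for local_rules.xml (not from the thread).
     Rule ids 100000-119999 are reserved for local rules;
     100510 is an assumed, unused id. -->
<group name="local,rootcheck,">

  <!-- Child of rule 510 ("Host-based anomaly detection event (rootcheck)").
       Level 0 means the event is matched but no alert is generated, so the
       snapshot paths stop alerting on every agent while every other rootcheck
       finding still fires at level 7. -->
  <rule id="100510" level="0">
    <if_sid>510</if_sid>
    <!-- <match> is a plain substring test, so "." is literal here.
         The trailing slash keeps it to directories named .snapshot
         rather than any filename that merely contains the word. -->
    <match>.snapshot/</match>
    <description>Rootcheck finding inside a .snapshot directory; ignored.</description>
  </rule>

</group>
```

Restart the OSSEC server after editing local_rules.xml; no agent-side change is needed. Feeding one of the quoted "File '...' is owned by root" lines to /var/ossec/bin/ossec-logtest should then show rule 100510 at level 0 instead of rule 510.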
