Hi all,
Recently my OSSEC server fired some strange alarms like this:
** Alert 1299172717.237104: mail - ossec,rootcheck,
2011 Mar 03 18:18:37 (rhelclunode02) 172.25.50.15->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
Anomaly detected in file '/dev/shm/request_buffer-dAihk0'. Hidden from
stats, but showing up on readdir. Possible kernel level rootkit.
** Alert 1299172717.237456: mail - ossec,rootcheck,
2011 Mar 03 18:18:37 (rhelclunode02) 172.25.50.15->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
Anomaly detected in file '/dev/shm/control_buffer-ru8tPJ'. Hidden from
stats, but showing up on readdir. Possible kernel level rootkit.
rhelclunode02 is a RHEL6 host with corosync, cman, gfs2-tools and
rgmanager utils (Red Hat Cluster Suite).
The lsof output is:
[root@rhelclunode02 shm]# lsof |grep control_buffer
corosync 1138 root DEL REG 0,15 10428 /dev/shm/control_buffer-9fxbY1
corosync 1138 root DEL REG 0,15 9218 /dev/shm/control_buffer-1mXd0R
corosync 1138 root DEL REG 0,15 9113 /dev/shm/control_buffer-mTF2Ce
corosync 1138 root DEL REG 0,15 9001 /dev/shm/control_buffer-OVi71x
corosync 1138 root DEL REG 0,15 8809 /dev/shm/control_buffer-o1dQ5O
corosync 1138 root DEL REG 0,15 8735 /dev/shm/control_buffer-vBpxIn
corosync 1138 root DEL REG 0,15 8741 /dev/shm/control_buffer-W1rVPz
fenced 1199 root DEL REG 0,15 9113 /dev/shm/control_buffer-mTF2Ce
fenced 1199 root DEL REG 0,15 8809 /dev/shm/control_buffer-o1dQ5O
dlm_contr 1216 root DEL REG 0,15 10428 /dev/shm/control_buffer-9fxbY1
dlm_contr 1216 root DEL REG 0,15 9218 /dev/shm/control_buffer-1mXd0R
dlm_contr 1216 root DEL REG 0,15 8741 /dev/shm/control_buffer-W1rVPz
dlm_contr 1216 root DEL REG 0,15 8735 /dev/shm/control_buffer-vBpxIn
gfs_contr 1270 root DEL REG 0,15 9001 /dev/shm/control_buffer-OVi71x
[root@rhelclunode02 shm]# lsof |grep control_buffer-ru8tPJ
[root@rhelclunode02 shm]# lsof |grep request_buffer-
corosync 1138 root DEL REG 0,15 10429 /dev/shm/request_buffer-zSLv1E
corosync 1138 root DEL REG 0,15 9219 /dev/shm/request_buffer-k633xg
corosync 1138 root DEL REG 0,15 9114 /dev/shm/request_buffer-KjbfSx
corosync 1138 root DEL REG 0,15 9002 /dev/shm/request_buffer-Gmeo3Q
corosync 1138 root DEL REG 0,15 8810 /dev/shm/request_buffer-AieBL7
corosync 1138 root DEL REG 0,15 8736 /dev/shm/request_buffer-JI55eG
corosync 1138 root DEL REG 0,15 8742 /dev/shm/request_buffer-DjNinS
fenced 1199 root DEL REG 0,15 9114 /dev/shm/request_buffer-KjbfSx
fenced 1199 root DEL REG 0,15 8810 /dev/shm/request_buffer-AieBL7
dlm_contr 1216 root DEL REG 0,15 10429 /dev/shm/request_buffer-zSLv1E
dlm_contr 1216 root DEL REG 0,15 9219 /dev/shm/request_buffer-k633xg
dlm_contr 1216 root DEL REG 0,15 8742 /dev/shm/request_buffer-DjNinS
dlm_contr 1216 root DEL REG 0,15 8736 /dev/shm/request_buffer-JI55eG
gfs_contr 1270 root DEL REG 0,15 9002 /dev/shm/request_buffer-Gmeo3Q
Maybe it is a false positive? Can I configure more verbose options
for this alarm?
Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com
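As an added example (my own code, not part of the post or of OSSEC), here is a small Python check that reproduces the comparison behind rule 510, listing a directory with readdir and then stat'ing each name, and that for any name which fails to stat looks through /proc/<pid>/fd symlinks for a "(deleted)" link to that path, which is what lsof reports as DEL. A short-lived buffer unlinked between the two calls shows up there; a name that is neither stat'able nor held open by any process is the case worth investigating. The function names, the proc_root parameter and the demo fixture are my own.

```python
import os
import re
import tempfile

# A /proc/<pid>/fd symlink to an unlinked-but-open file reads "<path> (deleted)"
DELETED_RE = re.compile(r"^(?P<path>.*) \(deleted\)$")

def open_deleted_files(proc_root="/proc"):
    """Map each unlinked-but-open path to the PIDs still holding it (lsof's DEL)."""
    holders = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or we are not root
            continue
        for fd in fds:
            try:
                m = DELETED_RE.match(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                continue
            if m:
                holders.setdefault(m.group("path"), []).append(int(pid))
    return holders

def classify(directory, names, holders):
    """rootcheck's test: every name readdir returned must also stat."""
    verdicts = {}
    for name in names:
        path = os.path.join(directory, name)
        if os.path.lexists(path):
            verdicts[name] = "present"
        elif path in holders:
            verdicts[name] = "unlinked but still open by pids %s" % sorted(holders[path])
        else:
            verdicts[name] = "gone: unlinked and closed, or genuinely hidden"
    return verdicts

def demo():
    """Constructed fixture (fake /proc and fake shm dir), not a real host."""
    root = tempfile.mkdtemp()
    shm, proc = os.path.join(root, "shm"), os.path.join(root, "proc")
    os.makedirs(os.path.join(proc, "1138", "fd"))
    os.mkdir(shm)
    open(os.path.join(shm, "control_buffer-9fxbY1"), "w").close()
    held = os.path.join(shm, "control_buffer-ru8tPJ")
    os.symlink(held + " (deleted)", os.path.join(proc, "1138", "fd", "7"))
    # Simulate the race: readdir listed two names that fail to stat now.
    names = os.listdir(shm) + ["control_buffer-ru8tPJ", "request_buffer-dAihk0"]
    return classify(shm, names, open_deleted_files(proc))
```

On a live host run `classify("/dev/shm", os.listdir("/dev/shm"), open_deleted_files())` as root; reading other processes' fd links needs that privilege.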