fwiw, I have seen this behavior frequently on very busy mail relays that open and close sockets very quickly and have large process tables. It's 'jitter' from processes exiting.
On Thursday, April 21, 2011 at 4:45 PM, Castle, Shane wrote:

I dunno. Logic sez that if it's not netstat, it's a rootkit. A casual check for solaris (I notice you don't say which version) and tcp/855 yields no enlightenment. There's some suggestion that this is an artifact of running NFS. As an old NIS/NFS guy, my advice is "don't" when faced with the temptation of activating NFS. It'll only lead to baldness and heartbreak.

I'd find out why netstat is lying to you. If you're convinced everything is cool and copacetic (wait, can't be, the OS is solaris) then go ahead and fix the rootcheck detection.

--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of upen
Sent: Thursday, April 21, 2011 12:17
To: ossec-list
Subject: [ossec-list] netstat anomaly on solaris

Hi,

I am wondering how to make ossec avoid checking 'netstat' or at least help me filter these emails. I have made sure netstat isn't an issue on the system.

Received From: sparc-server>rootcheck
Rule: 100040 fired (level 7) -> "Host-based anomaly detection event (rootcheck)"
Portion of the log(s):

Port '855'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

Thanks
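To make the two explanations in this thread concrete (a hidden-port check that compares a bind probe against netstat, and the "jitter" false positive when a process exits between the probe and the listing), here is an added example that is not code from the thread or from OSSEC. It models the check in Python with injectable probe and listing functions, runs it once and then with resampling, and parses a constructed Solaris-style `netstat -an` sample; the function names, the sample output and the resampling mitigation are this example's own, not rootcheck's real implementation.

```python
"""Added example (not OSSEC code): a minimal model of a bind-vs-netstat hidden
port check and of the transient false positive a closing process produces."""
import errno
import socket
import time
from typing import Callable, Iterable, Optional, Set

# Constructed sample in the style of Solaris `netstat -an` TCP output; a real
# host's column layout may differ slightly.
SAMPLE_NETSTAT = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.855                *.*                0      0 49152      0 LISTEN
127.0.0.1.32775      127.0.0.1.22         49152      0 49152      0 ESTABLISHED
"""


def parse_local_ports(netstat_output: str) -> Set[int]:
    """Local TCP ports from netstat-style output: the text after the last '.'
    of the first column ('*.855' or '127.0.0.1.32775' in the Solaris format)."""
    ports: Set[int] = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or "." not in fields[0]:
            continue  # banner, header and separator lines
        _host, _, port = fields[0].rpartition(".")
        if port.isdigit():
            ports.add(int(port))
    return ports


def port_in_use(port: int, host: str = "0.0.0.0") -> bool:
    """Roughly what a bind-based check does: a bind that fails with EADDRINUSE
    means some process holds the port, whatever netstat shows."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError as e:
            return e.errno == errno.EADDRINUSE
    return False


def hidden_ports(probe: Callable[[int], bool], listed: Callable[[], Set[int]],
                 ports: Iterable[int]) -> Set[int]:
    """One pass: in use according to the probe but absent from the listing."""
    return {p for p in ports if probe(p) and p not in listed()}


def confirmed_hidden(probe: Callable[[int], bool], listed: Callable[[], Set[int]],
                     ports: Iterable[int], samples: int = 3, delay: float = 0.0) -> Set[int]:
    """Report only ports hidden in every sample. A port whose owner exits between
    the probe and the listing (the 'jitter' described in the thread) drops out
    on the next pass; a port that is really concealed does not."""
    ports = list(ports)
    result: Optional[Set[int]] = None
    for _ in range(samples):
        current = hidden_ports(probe, listed, ports)
        result = current if result is None else result & current
        if not result:
            break
        time.sleep(delay)
    return result or set()


class ExitingProcess:
    """Constructed: holds `port` until the probe has seen it, then exits before
    the listing is taken, which is exactly the race behind the false alert."""
    def __init__(self, port: int):
        self.port, self.alive = port, True

    def probe(self, p: int) -> bool:
        held = self.alive and p == self.port
        if held:
            self.alive = False  # process exits between probe and listing
        return held

    def listed(self) -> Set[int]:
        return {self.port} if self.alive else set()


class ConcealedListener:
    """Constructed: in use on every probe, never shown by the listing."""
    def __init__(self, port: int):
        self.port = port

    def probe(self, p: int) -> bool:
        return p == self.port

    def listed(self) -> Set[int]:
        return set()


def false_positive_demo():
    """A single pass flags 855; resampling clears it."""
    once = ExitingProcess(855)
    single = hidden_ports(once.probe, once.listed, [855])
    again = ExitingProcess(855)
    confirmed = confirmed_hidden(again.probe, again.listed, [855])
    return single, confirmed


def true_positive_demo() -> Set[int]:
    """A port hidden on every sample survives the resampling."""
    c = ConcealedListener(855)
    return confirmed_hidden(c.probe, c.listed, [855])


def live_probe_demo():
    """The real bind probe against a loopback listener on an ephemeral port:
    in use while listening, free once the socket is closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = port_in_use(port, "127.0.0.1")
    srv.close()
    return while_listening, port_in_use(port, "127.0.0.1")


if __name__ == "__main__":
    print("listed ports:", sorted(parse_local_ports(SAMPLE_NETSTAT)))
    print("exiting process (single pass, confirmed):", false_positive_demo())
    print("concealed listener (confirmed):", true_positive_demo())
    print("live probe (listening, after close):", live_probe_demo())
```

The resampling in `confirmed_hidden` is the mitigation suggested by the first reply's diagnosis: a port held by a short-lived process on a busy relay disappears from the in-use set on the next pass, while a port that is genuinely in use but absent from netstat stays flagged, so the alert is still worth investigating rather than suppressed outright.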
