Hi Daniel, I just tried the tip version. Compiling and updating was ok, but when I start:
/var/ossec/bin/agent_control -r -a
2012/04/28 07:39:58 agent_control(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Queue not found'.
2012/04/28 07:40:13 agent_control(1301): ERROR: Unable to connect to active response queue.

** Unable to connect to remoted.

Mike

2012/4/26 Daniel Cid <[email protected]>

> It should be fixed on the latest snapshot here:
>
> https://bitbucket.org/dcid/ossec-hids/overview
>
> Can you try it out and see if it works?
>
> On Tue, Apr 24, 2012 at 4:25 PM, Eero Volotinen <[email protected]>
> wrote:
> > 2012/4/24 Mike Sievers <[email protected]>:
> >> Hi,
> >>
> >> ossec version is 2.6
> >> md5sum: 5a8582fbad878819fdcc598d15902b57 /sbin/init
> >> (don't know yet if it is ok)
> >>
> >> Mike
> >>
> >>
> >> 2012/4/23 dan (ddp) <[email protected]>
> >>
> >>> What version of OSSEC?
> >>> Does the md5 or sha for /sbin/init match what it should?
> >>>
> >>> On Sun, Apr 22, 2012 at 8:41 AM, Mike Sievers
> >>> <[email protected]> wrote:
> >>> > Hi List,
> >>> >
> >>> > on my opensuse 12.1 I found:
> >>> > Trojaned version of file '/sbin/init' detected. Signature used: 'HOME'
> >>> > (Suckit rootkit).
> >>> > I hope this is false positive, isn't it?
> >>> > And some alerts like this:
> >>> > File '/dev/.sysconfig/network/config-lo' present on /dev. Possible
> >>> > hidden file.
> >>> >
> >>> > ???
> >>
> >>
> >
> > How about checking from package manager:
> >
> > rpm -qf /sbin/init (what provides that package)
> > rpm --verify package-name
> >
> > example from centos 6.2
> >
> > [root@xxx ~]# rpm -qf /sbin/init
> > upstart-0.6.5-10.el6.x86_64
> > [root@xx ~]# rpm -V upstart
> >
> >
> >
> > --
> > Eero
>
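
The package-manager check suggested in the thread can be scripted when triaging a rootcheck "Trojaned version of file" alert. The following is an added example, not part of the original messages: a shell function that reads `rpm -V` output and reports whether one file's content digest differs from the package database. The function name and the sample lines are constructed for illustration, and it assumes paths without spaces.

```shell
#!/bin/sh
# Added example: classify one file from `rpm -V <package>` output on stdin.
# rpm prints a line only for files that differ from the package database.
# Each line is a 9-character flag field (SM5DLUGTP), an optional attribute
# marker (c, d, g, l, r) and the path. Column 3 is the file digest test.
classify_rpm_verify() {
    target=$1
    result=unchanged              # no line for the file: every test passed
    while IFS= read -r line; do
        path=${line##* }          # last field (assumes no spaces in paths)
        [ "$path" = "$target" ] || continue
        case $line in
            missing*) result=missing ;;            # file no longer on disk
            ??5*)     result=content-changed ;;    # digest differs
            ??\?*)    result=digest-unreadable ;;  # test could not be run
            *)        result=metadata-only ;;      # mode, owner, mtime, ...
        esac
    done
    printf '%s\n' "$result"
}

# Constructed sample outputs (not taken from the thread).
SAMPLE_MODIFIED='S.5....T.    /sbin/init
.M.......  c /etc/init/rc.conf'
SAMPLE_METADATA='.......T.    /sbin/init'
SAMPLE_MISSING='missing     /sbin/init'

# Demonstration on the constructed samples; on a live system use e.g.
#   rpm -V "$(rpm -qf /sbin/init)" | classify_rpm_verify /sbin/init
printf '%s\n' "$SAMPLE_MODIFIED" | classify_rpm_verify /sbin/init
printf '%s\n' "$SAMPLE_METADATA" | classify_rpm_verify /sbin/init
```

An `unchanged` or `metadata-only` result for `/sbin/init` is consistent with a signature false positive, while `content-changed` means the binary on disk no longer matches what the package installed.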
