On 06/26/2012 03:17 PM, Kat wrote:
Here is a problem I am trying to figure out a work-around for. Looking for files that might be unauthorized copies of files. For example, /etc/passwd. But, if you add that to the rootkit_files in etc/shared, you would want to list it as */passwd -- but how could you get it to only trigger if it finds copies of passwd anyplace other than /etc?
How about creating a rule to filter out the default location (level 0)?
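One way to put that suggestion into config, as an added example and not from either poster: keep the wildcard entry in rootkit_files so every passwd copy is reported, then add a level-0 child of OSSEC's generic rootcheck rule (510) that swallows only the hit on the real file. The rule id 100010 and the exact wording of the rootcheck message being matched are assumptions.

```xml
<!-- etc/rules/local_rules.xml (added example) -->
<!-- Assumes etc/shared/rootkit_files.txt carries the wildcard entry from the thread,
     e.g.:  */passwd ! Possible unauthorized copy of /etc/passwd ::            -->
<group name="local,">

  <!-- Rootcheck reports every match through rule 510. OSSEC evaluates child
       rules before the parent fires, so a level-0 child that matches the
       legitimate path stops the alert; a copy anywhere else (/tmp/passwd,
       /home/user/passwd, ...) does not match here and still raises 510. -->
  <rule id="100010" level="0">
    <if_sid>510</if_sid>
    <!-- Assumed message form: "... detected by the presence of file '/etc/passwd'."
         The trailing quote keeps this from also silencing /etc/passwd.bak or
         /etc/passwd-, which a bare substring match would. -->
    <match>file '/etc/passwd'</match>
    <description>Legitimate /etc/passwd matched by the */passwd rootkit_files entry; ignored.</description>
  </rule>

</group>
```

Restart OSSEC after editing and check that /var/ossec/logs/alerts/alerts.log shows the rootcheck alert for a test copy but not for /etc/passwd itself.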
