In 2.7, rootcheck port check can be turned off through configuration:
     <ossec_config>
          <rootcheck>
            <check_ports>no</check_ports>
            ...
          </rootcheck>
     </ossec_config>

See details in http://www.ossec.net/files/ossec-hids-2.7-release-note.txt. 

=== Rootcheck 
    == support rootcheck fine-grain configuration control -- yes/no of individual checks
       - etc/ossec.conf

         <ossec_config>
          <rootcheck>
           <!-- new options to run on/off individual rootchecks, yes(default)/no -->
            <check_files>yes</check_files>
            <check_trojans>yes</check_trojans>
            <check_unixaudit>yes</check_unixaudit>
            <check_dev>yes</check_dev>
            <check_sys>yes</check_sys>
            <check_ports>yes</check_ports>
            <check_if>yes</check_if>
            <check_pids>yes</check_pids>
          </rootcheck>
         </ossec_config>

On Wednesday, February 27, 2013 6:19:46 AM UTC-8, Michiel van Es wrote:
>
> Hi Dan,
>
> I am sorry, we tracked it down to a local issue.
> I meant this issue; 
> https://www.google.nl/search?q=ossec+netstat+high+load&aq=f&oq=ossec+netstat&aqs=chrome.0.59j57j60l2j62l2.1843&sourceid=chrome&ie=UTF-8
>
> Seemed to be a common issue in the past where people were advised to 
> disable this check.
>
> Michiel
>
> On Wednesday, 27 February 2013 15:14:11 UTC+1, dan (ddpbsd) wrote:
>>
>> On Wed, Feb 27, 2013 at 9:02 AM, Michiel van Es <[email protected]> wrote: 
>> > Hello, 
>> > 
>> > I've read a lot of threads about 'the netstat issue' and OSSEC's rootkit 
>> > check. 
>> > How can I disable the netstat check on a running 2.6 server (RHEL 6, install 
>> > from source) without recompiling? 
>> > Or do I have to disable rootkit checks completely? 
>> > 
>> > Is this issue fixed in 2.7? 
>> > 
>>
>> What 'the netstat issue' are you talking about? 
>>
>> > Kind regards, 
>> > 
>> > Michiel 
>> > 
>> > -- 
>> > 
>> > --- 
>> > You received this message because you are subscribed to the Google Groups 
>> > "ossec-list" group. 
>> > To unsubscribe from this group and stop receiving emails from it, send an 
>> > email to [email protected]. 
>> > For more options, visit https://groups.google.com/groups/opt_out. 
>> > 
>> > 
>>
>
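
An added example, not part of the original thread and not OSSEC's own code: a Python audit that reads an ossec.conf and reports which of the eight per-check rootcheck switches from the 2.7 release note are set to "no", applying the "yes" default. The sample config is constructed; handling several <ossec_config> blocks by wrapping them, and letting the last value win, are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# Per-check switches from the 2.7 release note; each defaults to "yes".
SWITCHES = ("check_files", "check_trojans", "check_unixaudit", "check_dev",
            "check_sys", "check_ports", "check_if", "check_pids")

# Constructed sample: two <ossec_config> blocks, one rootcheck override.
SAMPLE_CONF = """
<ossec_config>
  <rootcheck>
    <!-- constructed sample -->
    <check_ports>no</check_ports>
    <check_pids>yes</check_pids>
  </rootcheck>
</ossec_config>
<ossec_config>
  <syscheck><frequency>7200</frequency></syscheck>
</ossec_config>
"""

def rootcheck_settings(conf_text):
    """Return {switch: "yes" or "no"} with the documented "yes" default applied."""
    # Assumption: the file may contain several <ossec_config> blocks, which is
    # not a single-rooted XML document, so wrap it before parsing.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    settings = dict.fromkeys(SWITCHES, "yes")
    for block in root.iter("rootcheck"):
        for option in block:
            if option.tag not in settings:
                continue  # other rootcheck options are out of scope here
            value = (option.text or "").strip()
            if value not in ("yes", "no"):
                raise ValueError(f"{option.tag}: expected yes/no, got {value!r}")
            settings[option.tag] = value  # assumption: the last value wins
    return settings

def disabled_checks(conf_text):
    """List the rootcheck switches explicitly set to "no", sorted by name."""
    return sorted(k for k, v in rootcheck_settings(conf_text).items() if v == "no")

if __name__ == "__main__":
    for name, value in rootcheck_settings(SAMPLE_CONF).items():
        flag = "  <-- disabled" if value == "no" else ""
        print(f"{name:16} {value}{flag}")
```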
