Rootkit configuration allows for several types of checking: "f", "r", "p", "d", which mean FILE, REGISTRY, PROCESS, DIRECTORY.

Pasting your modified rootcheck file may help in solving the issue you encountered.

On Tuesday, June 18, 2013 8:22:51 AM UTC-7, Janelle wrote:
> Hello --
>
> I'm new to the group and using OSSEC. I recently came across this error:
>
> ossec-rootcheck(1252): ERROR: Invalid rk configuration value: 'f'.
>
> and it has me confused. I think I found the problem, but I'm not sure
> why. It seems that if the files read by rootkit end with txt on a line, it
> generates this error, but if I add a blank line to all the files listed for
> rootkit, the error goes away. I am baffled by this. Of course if I run it
> with no changes - right after an install - it works fine, but if I start
> adding my own rootkit or audit checks in the middle of the files, or add a
> new file to load/use, then I start getting this error.
>
> Also, there is not a single file that ends in "f" on the line - all the
> files had ended with #EOF - as was the default in the base configuration.
>
> Any help or suggestions? Is there a way to debug rootkit/audit rules?
>
> Thank you,
> ~J
>
> --
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
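An added example, not code from OSSEC or from anyone in this thread: a small Python reader for check lines that use the four type letters the reply lists (f, r, p, d), written to illustrate the thread. The line syntax `<type>:<target>` and the `#` comment convention are assumptions made for the example, not a statement of OSSEC's actual file format. The constructed sample deliberately ends on a `#EOF` line with no trailing newline, the situation Janelle describes, and the helpers show how to detect that and how to parse such a file without tripping over its last line.

```python
"""Reader for rootcheck-style check lines (added example, not OSSEC code).

Assumed line syntax: '<type>:<target>', where <type> is one of
f (FILE), r (REGISTRY), p (PROCESS), d (DIRECTORY). Lines starting with
'#' are comments. The assumptions are the example's own.
"""

# The four check types named in the thread.
CHECK_TYPES = {"f": "FILE", "r": "REGISTRY", "p": "PROCESS", "d": "DIRECTORY"}

# Constructed sample file. Note the last line ('#EOF') has no trailing
# newline, mirroring the files the original poster describes.
SAMPLE = (
    "# rootkit / audit checks (constructed sample)\n"
    "f:/etc/passwd\n"
    "d:/tmp\n"
    "p:sshd\n"
    "r:HKEY_LOCAL_MACHINE\\Software\\Example\n"
    "#EOF"
)


class RkConfigError(ValueError):
    """Raised for a line whose type letter or target is not acceptable."""


def ends_with_newline(text):
    """True if the file content is newline-terminated (a quick sanity check
    before blaming the checks themselves)."""
    return text.endswith("\n")


def ensure_trailing_newline(text):
    """Return the content with exactly one trailing newline, the same
    effect as the blank line the poster appended by hand."""
    return text.rstrip("\n") + "\n"


def parse_checks(text):
    """Parse check lines into (TYPE, target) tuples.

    splitlines() yields the final line whether or not it is newline
    terminated, so a missing final newline does not lose or mangle the
    last entry. Comment and blank lines are skipped; anything else must
    be '<type>:<target>' with a known type letter.
    """
    checks = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        type_letter, sep, target = line.partition(":")
        if sep == "" or type_letter not in CHECK_TYPES or not target.strip():
            raise RkConfigError(
                f"line {lineno}: invalid rk configuration value: {line!r}"
            )
        checks.append((CHECK_TYPES[type_letter], target.strip()))
    return checks


if __name__ == "__main__":
    print("newline-terminated:", ends_with_newline(SAMPLE))
    for check in parse_checks(ensure_trailing_newline(SAMPLE)):
        print(check)
```

When debugging a file that produces the "Invalid rk configuration value" error, run `ends_with_newline` over it first; if it returns False, normalise it with `ensure_trailing_newline` and retest before editing individual checks.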
