Re: Do you run OSSEC on 9.0?
Since /dev contains a special filesystem which cannot be used for "simple" files and directories, I would say that the IDS needs some knowledge about it and generic file-checking rules don't apply there.

This sounds like a false alert; something must have changed from 8 to 9 and/or the ossec port (and/or ossec signatures).

Disclaimer: I am not an ossec user!

Nikos

On 11/24/2011 11:04 AM, Odhiambo Washington wrote:
> Getting the same too, since I upgraded my 8.2 -> 9.0-PRE.
> Would be interested in the answers too.
>
> On Thu, Nov 24, 2011 at 10:32, Ross wrote:
>> I am getting emails about hidden files in /dev. Before that (on 8.2)
>> everything was OK. What should I do?
>>
>> OSSEC HIDS Notification.
>> 2011 Nov 24 08:17:25
>>
>> Received From: coffin->rootcheck
>> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
>> Portion of the log(s):
>>
>> Files hidden inside directory '/dev'. Link count does not match number of files (9,27).
>>
>> --END OF NOTIFICATION

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Do you run OSSEC on 9.0?
Getting the same too, since I upgraded my 8.2 -> 9.0-PRE.
Would be interested in the answers too.

On Thu, Nov 24, 2011 at 10:32, Ross wrote:
> I am getting emails about hidden files in /dev. Before that (on 8.2)
> everything was OK. What should I do?
>
> OSSEC HIDS Notification.
> 2011 Nov 24 08:17:25
>
> Received From: coffin->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
> Portion of the log(s):
>
> Files hidden inside directory '/dev'. Link count does not match number of files (9,27).
>
> --END OF NOTIFICATION

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
I can't hear you -- I'm using the scrambler.
Do you run OSSEC on 9.0?
I am getting emails about hidden files in /dev. Before that (on 8.2) everything was OK. What should I do?

OSSEC HIDS Notification.
2011 Nov 24 08:17:25

Received From: coffin->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Files hidden inside directory '/dev'. Link count does not match number of files (9,27).

--END OF NOTIFICATION
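
An added example (not part of the thread and not OSSEC's code): a small triage helper for the alert quoted above, comparing a directory's link count with the classic UNIX expectation of 2 plus its visible subdirectories. The function names and verdict labels are made up for this illustration, and since the thread does not say which number in (9,27) is the count and which is the link count, both orderings are classified.

```python
import os
import stat
import sys


def count_dir_entries(path):
    """Return 2 ('.' and '..') plus the number of visible subdirectories."""
    count = 2  # os.scandir() never yields '.' or '..'
    with os.scandir(path) as entries:
        for entry in entries:
            # Symlinks to directories add no link to this directory's inode.
            if entry.is_dir(follow_symlinks=False):
                count += 1
    return count


def classify(counted, nlink):
    """Compare the counted entries with the inode's link count."""
    if counted == nlink:
        return "consistent"
    if nlink < 2:
        # Some filesystems (btrfs, for one) report 1 for every directory,
        # so the comparison carries no information there.
        return "nlink-not-maintained"
    if counted < nlink:
        return "fewer-visible-than-linked"
    return "more-visible-than-linked"


def check_directory(path):
    """Collect what an analyst needs to judge a link-count alert on path."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    counted = count_dir_entries(path)
    return {
        "path": path,
        # A mount point of a synthetic filesystem (such as /dev) is the
        # first thing to rule out before treating a mismatch as hidden files.
        "mount_point": os.path.ismount(path),
        "counted": counted,
        "nlink": st.st_nlink,
        "verdict": classify(counted, st.st_nlink),
    }


if __name__ == "__main__":
    # Directories to inspect come from the command line; /dev by default.
    for target in sys.argv[1:] or ["/dev"]:
        print(check_directory(target))
```

Running it against the flagged directory and against an ordinary directory on the same host shows whether the mismatch is specific to the special filesystem.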