[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ossec-list] 0.9 rootkit false positives with files > 2GB?

To: ossec-list@xxxxxxxxx
Subject: [ossec-list] 0.9 rootkit false positives with files > 2GB?
From: Unit3 <unit3@xxxxxxxxx>
Date: Tue, 08 Aug 2006 13:05:05 -0600

This may have been posted already, but I don't see an easy way to search
the archives, nor a recent post about it, so I figured I should ask.

I'm seeing some false positive rootkit detection on my Ubuntu/dapper
system after a fresh install of 0.9:

Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):

Anomaly detected in file '/var/lib/mysql/ibdata1'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.


Now, that file isn't a rootkit, but it *is* 2.6 GB. I got the same message about a backup file over 4GB that I had in /root/. I'm running xfs as my root filesystem, and AFAIK Ubuntu's tools are all large file safe, so it seems like it's OSSEC that's having problems with large files?

If there's a config option I missed or something similar, just give me a URL and an RTFM. ;)

Thanks,
Graeme

Follow-Ups:
- [ossec-list] Re: 0.9 rootkit false positives with files > 2GB?
  - From: Daniel Cid

Prev by Date: [ossec-list] Re: Whitelisting and netmasks
Next by Date: [ossec-list] Re: File /dev/.static/dev/null0 present on /dev. Possible hidden file.
Previous by thread: [ossec-list] Re: Whitelisting and netmasks
Next by thread: [ossec-list] Re: 0.9 rootkit false positives with files > 2GB?
Index(es):
- Date
- Thread

OSSEC home | Main Index | Thread Index

OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.