
[ossec-list] Re: 0.9 rootkit false positives with files > 2GB?




Hi Graeme,

On some Linux distributions you need to specify _FILE_OFFSET_BITS=64 and
_LARGEFILE64_SOURCE to add support for large files. I was doing this
automatically in previous versions, but by mistake I removed it from the
makefile of rootcheck (all other daemons still support it). To fix that,
just edit src/Config.Make, add the following to the CFLAGS and recompile
OSSEC:

-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64

In addition to that, on OpenBSD and other systems (I think FreeBSD and some
Linux distros) the offset is 64 bits by default, so you don't need to make
these changes.

* It will be fixed by default in the next version.

Thanks for the report.

--
Daniel B. Cid
dcid ( at  ) ossec.net
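The following is an added example written for this page, not OSSEC's rootcheck source: it reproduces the readdir()-versus-stat() comparison that produces the "Hidden from stats, but showing up on readdir" message, and shows the failure mode Daniel describes. Without large-file support, stat() on a file over 2 GiB fails with EOVERFLOW rather than ENOENT; a check that treats every stat() failure as "hidden" then reports ibdata1 as a rootkit. The function names (classify_path, scan_dir, make_fixture, self_check) and the scratch directory under /tmp are assumptions of this example, and the fixture files are constructed test data. The defines at the top have the same effect as adding the two -D flags to CFLAGS.

```c
/* Added example, not OSSEC's rootcheck code: the readdir()-vs-stat()
 * comparison rootcheck makes, with the large-file failure mode handled.
 * The defines below have the same effect as the flags in the reply:
 *   cc -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -o lfs_check lfs_check.c
 */
#ifndef _FILE_OFFSET_BITS
#define _FILE_OFFSET_BITS 64
#endif
#ifndef _LARGEFILE64_SOURCE
#define _LARGEFILE64_SOURCE
#endif

#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum entry_state {
    ENTRY_VISIBLE = 0,  /* stat() works: readdir() and stat() agree            */
    ENTRY_HIDDEN  = 1,  /* stat() -> ENOENT: the anomaly rootcheck reports     */
    ENTRY_TOO_BIG = 2,  /* stat() -> EOVERFLOW: off_t too small, not a rootkit */
    ENTRY_ERROR   = 3   /* any other stat() failure (EACCES, ELOOP, ...)       */
};

/* Classify one path. A build without large-file support gets EOVERFLOW for
 * a file over 2 GiB; lumping that in with "hidden from stats" is exactly
 * the false positive reported in the thread. */
enum entry_state classify_path(const char *path)
{
    struct stat st;
    if (stat(path, &st) == 0)
        return ENTRY_VISIBLE;
    switch (errno) {
    case ENOENT:    return ENTRY_HIDDEN;
    case EOVERFLOW: return ENTRY_TOO_BIG;
    default:        return ENTRY_ERROR;
    }
}

/* readdir() a directory, stat() every entry and tally the states.
 * Returns -1 if the directory cannot be opened. */
int scan_dir(const char *dir, int counts[4])
{
    DIR *d = opendir(dir);
    struct dirent *de;
    char path[4096];

    if (!d)
        return -1;
    memset(counts, 0, 4 * sizeof(int));
    while ((de = readdir(d)) != NULL) {
        if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, ".."))
            continue;
        snprintf(path, sizeof path, "%s/%s", dir, de->d_name);
        counts[classify_path(path)]++;
    }
    closedir(d);
    return 0;
}

/* Constructed fixture (assumed scratch location /tmp): a small file and,
 * when the filesystem and ulimits allow it, a sparse 3 GiB "ibdata1" like
 * the one in the report. Returns the number of files created, or -1. */
int make_fixture(char *dir, size_t dirlen)
{
    char tmpl[] = "/tmp/lfs_check_XXXXXX", path[4096];
    int fd, n = 0;

    if (!mkdtemp(tmpl) || strlen(tmpl) >= dirlen)
        return -1;
    strcpy(dir, tmpl);

    snprintf(path, sizeof path, "%s/small.txt", dir);
    if ((fd = open(path, O_WRONLY | O_CREAT, 0600)) < 0)
        return -1;
    if (write(fd, "ok\n", 3) < 0)
        perror("write");
    close(fd);
    n++;

    snprintf(path, sizeof path, "%s/ibdata1", dir);
    if ((fd = open(path, O_WRONLY | O_CREAT, 0600)) < 0)
        return n;
    if (ftruncate(fd, (off_t)3 << 30) == 0)  /* sparse: no data blocks written */
        n++;
    else
        unlink(path);                         /* e.g. EFBIG under ulimit -f    */
    close(fd);
    return n;
}

void remove_fixture(const char *dir)
{
    const char *names[] = { "small.txt", "ibdata1" };
    char path[4096];
    for (size_t i = 0; i < 2; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        unlink(path);
    }
    rmdir(dir);
}

/* Build the fixture, scan it, clean up. Returns 0 when every created file
 * is visible to stat(); 2 is what a 32-bit off_t build sees for ibdata1. */
int self_check(void)
{
    char dir[256];
    int counts[4], n = make_fixture(dir, sizeof dir);

    if (n < 1)
        return -1;
    if (scan_dir(dir, counts) != 0) {
        remove_fixture(dir);
        return -2;
    }
    remove_fixture(dir);
    if (counts[ENTRY_TOO_BIG])
        return 2;
    if (counts[ENTRY_VISIBLE] != n)
        return 1;
    return (counts[ENTRY_HIDDEN] || counts[ENTRY_ERROR]) ? 3 : 0;
}

int main(void)
{
    printf("off_t is %zu bits; self_check() = %d\n",
           sizeof(off_t) * 8, self_check());
    return 0;
}
```

On x86-64 Linux off_t is already 64 bits, so self_check() returns 0 with or without the flags, matching Daniel's note that some systems need no change. To reproduce the report, drop the two defines and build 32-bit (for example with -m32 on glibc): stat() then returns EOVERFLOW for the sparse ibdata1 and self_check() returns 2, which is the case rootcheck 0.9 misreported as a hidden file.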

On 8/8/06, Unit3 <unit3@xxxxxxxxx> wrote:

This may have been posted already, but I don't see an easy way to search
the archives, nor a recent post about it, so I figured I should ask.

I'm seeing some false positive rootkit detection on my Ubuntu/dapper
system after a fresh install of 0.9:

Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):

Anomaly detected in file '/var/lib/mysql/ibdata1'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.


Now, that file isn't a rootkit, but it *is* 2.6 GB. I got the same message about a backup file over 4GB that I had in /root/. I'm running xfs as my root filesystem, and AFAIK Ubuntu's tools are all large file safe, so it seems like it's OSSEC that's having problems with large files?

If there's a config option I missed or something similar, just give me a URL and an RTFM. ;)

Thanks,
Graeme


OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.