[ossec-list] Re: File anomalies
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: File anomalies
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Thu, 7 Jun 2007 21:38:11 -0300
- Cc: "Clayton Dillard" <cdillard@xxxxxxxxxxxxxxxxx>
Hi Clayton,
It seems to be a false positive. Basically, ossec tries the following:
- Open every directory on the system and list the files (readdir).
- For every file that it found on "readdir", it tries the *stat call to see if the system can see it too.
*http://www.openbsd.org/cgi-bin/man.cgi?query=stat&sektion=2
Some kernel level rootkits "hijack" the stat system call, hiding the file from it, but they do not hide it from readdir...
More info about rootcheck:
http://www.ossec.net/dcid/?p=25
Anyway, since it is a cache file, I wouldn't be too concerned about it. If you do not want to receive these messages anymore, create a local rule ignoring it:
<rule id="100450" level="0">
  <if_sid>510</if_sid>
  <match>Anomaly detected in file '/usr/local/apache2/htdocs/janeway/cache</match>
  <description>Ignored rootcheck message</description>
</rule>
http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 6/7/07, Clayton Dillard <cdillard@xxxxxxxxxxxxxxxxx> wrote:
>
> Can someone provide some insight into why this alert is being fired? I get a lot of these alerts every day.
>
> Anomaly detected in file '/usr/local/apache2/htdocs/janeway/cache/cache_94afbfb2f291e0bf253fcf222e9d238e_1af853019d87ece6588c780714841e9b'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.
>
> What "stats" is the alert referring to?
>
> Thanks,
>
> --
> Clayton Dillard <cdillard@xxxxxxxxxxxxxxxxx>
> RPS Technology, LLC
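The readdir-versus-stat check Daniel describes above, written out as an added example (this is illustrative code, not rootcheck's own source). It walks one directory, asks stat for every name readdir returned, and reports names that stat claims do not exist. It also shows why a busy cache directory produces false positives: a file removed between the readdir and the stat call also yields ENOENT, so the example re-reads the directory before counting an entry as hidden. The `fake_hidden_stat` function is a constructed stand-in for a hijacked stat that hides names prefixed `hidden_`, so the anomaly path can be exercised without a rootkit; the fixture directory and file names are likewise made up for the demonstration.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Signature of the stat-like call we probe with: lstat(2) in real use,
   a constructed substitute in the demonstration below. */
typedef int (*stat_fn_t)(const char *path, struct stat *st);

/* The honest kernel call. */
int real_lstat(const char *path, struct stat *st) { return lstat(path, st); }

/* Constructed stand-in for a hijacked stat(2): answers ENOENT for any
   basename starting with "hidden_" and otherwise defers to the real call. */
int fake_hidden_stat(const char *path, struct stat *st) {
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    if (strncmp(base, "hidden_", 7) == 0) { errno = ENOENT; return -1; }
    return lstat(path, st);
}

/* Re-read the directory and report whether readdir still lists `name`.
   Used to separate "hidden from stat" from "deleted a moment ago". */
static int still_listed(const char *dir, const char *name) {
    DIR *d = opendir(dir);
    if (!d) return 0;
    struct dirent *ent;
    int found = 0;
    while ((ent = readdir(d)) != NULL)
        if (strcmp(ent->d_name, name) == 0) { found = 1; break; }
    closedir(d);
    return found;
}

/* Walk one directory (no recursion). For every name readdir(3) returns, call
   stat_fn on it; a name that readdir reports but stat says does not exist
   (ENOENT), and that readdir still reports on a second pass, is the
   inconsistency rootcheck describes as "Hidden from stats, but showing up on
   readdir". Returns the number of such entries, or -1 if the directory
   cannot be opened. */
int scan_dir(const char *dir, stat_fn_t stat_fn, FILE *report) {
    DIR *d = opendir(dir);
    if (!d) return -1;
    int anomalies = 0;
    struct dirent *ent;
    while ((ent = readdir(d)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue;
        char path[PATH_MAX];
        if (snprintf(path, sizeof path, "%s/%s", dir, ent->d_name) >= (int)sizeof path) continue;
        struct stat st;
        if (stat_fn(path, &st) == -1 && errno == ENOENT) {
            /* A cache file removed between readdir and stat also lands here;
               only count it if readdir still shows it. */
            if (!still_listed(dir, ent->d_name)) continue;
            anomalies++;
            if (report)
                fprintf(report, "Anomaly detected in file '%s'. Hidden from stats, "
                                "but showing up on readdir.\n", path);
        }
    }
    closedir(d);
    return anomalies;
}

/* Create a scratch directory holding one ordinary file and one whose name
   the simulated rootkit hides. Writes the directory path into `out`;
   returns 0 on success, -1 on failure. */
int make_fixture(char *out, size_t outlen) {
    char tmpl[] = "/tmp/rootcheck_demo_XXXXXX";
    if (!mkdtemp(tmpl)) return -1;
    snprintf(out, outlen, "%s", tmpl);
    const char *names[] = { "cache_visible", "hidden_cache_entry" };
    for (size_t i = 0; i < 2; i++) {
        char p[PATH_MAX];
        snprintf(p, sizeof p, "%s/%s", tmpl, names[i]);
        int fd = open(p, O_WRONLY | O_CREAT | O_TRUNC, 0600);
        if (fd < 0) return -1;
        close(fd);
    }
    return 0;
}

int main(void) {
    char dir[PATH_MAX];
    if (make_fixture(dir, sizeof dir) != 0) return 1;
    printf("honest lstat:  %d anomalies\n", scan_dir(dir, real_lstat, stdout));
    printf("hijacked stat: %d anomalies\n", scan_dir(dir, fake_hidden_stat, stdout));
    return 0;
}
```

With the honest lstat the scratch directory reports nothing; with the constructed substitute the `hidden_` entry is flagged, which is the same condition rule 510 alerts on. The second readdir pass is the one detail worth carrying into any real check: without it, the churn in a web application's cache directory produces exactly the stream of alerts described in the question.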
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.