Hi Clayton,
It seems to be a false positive. Basically, ossec tries the following:
- Open every directory on the system and list the files (readdir).
- For every file that it found on "readdir", it tries the *stat call to
  see if the system can see it too.
*http://www.openbsd.org/cgi-bin/man.cgi?query=stat&sektion=2
Some kernel level rootkits "hijack" the stat system call, hiding the
file from it, but they do not hide it from readdir...
More info about rootcheck:
http://www.ossec.net/dcid/?p=25
Anyway, since it is a cache file, I wouldn't be too concerned about
it. If you do not want to receive these messages anymore, create a
local rule ignoring it:
  <rule id="100450" level="0">
    <if_sid>510</if_sid>
    <match>Anomaly detected in file '/usr/local/apache2/htdocs/janeway/cache</match>
    <description>Ignored rootcheck message</description>
  </rule>
http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
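The readdir-versus-stat comparison described above, written out as an added example (it is not rootcheck's own code and is not from either poster). It lists a directory with readdir(), then lstat()s every listed name and counts the entries lstat cannot see. The second demo shows one plausible, but in the thread unstated, source of false positives on a busy cache directory: a file that the application deletes between the readdir pass and the stat call is "hidden from stats, but showing up on readdir" with no rootkit involved. The directory name under /tmp and the file names cache_a and cache_b are constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_ENTRIES 256
#define NAME_LEN 256

/* Names collected by the readdir phase. */
struct listing { char names[MAX_ENTRIES][NAME_LEN]; int n; };

/* Outcome of the stat phase. */
struct scan_result {
    int stat_ok;    /* readdir entries that lstat can also see */
    int vanished;   /* lstat failed with ENOENT: listed but not stat-able */
    int other_err;  /* lstat failed for another reason (EACCES, ELOOP, ...) */
};

/* Phase 1: list a directory with readdir, skipping "." and "..". */
int list_dir(const char *dir, struct listing *l)
{
    DIR *d = opendir(dir);
    if (!d) return -1;
    l->n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL && l->n < MAX_ENTRIES) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        snprintf(l->names[l->n++], NAME_LEN, "%s", e->d_name);
    }
    closedir(d);
    return 0;
}

/* Phase 2: lstat every name readdir returned. An entry that readdir listed
 * but lstat cannot see is the condition the rootcheck alert reports. */
void stat_names(const char *dir, const struct listing *l, struct scan_result *r)
{
    char path[NAME_LEN + 4096];
    struct stat st;
    memset(r, 0, sizeof *r);
    for (int i = 0; i < l->n; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, l->names[i]);
        if (lstat(path, &st) == 0) r->stat_ok++;
        else if (errno == ENOENT) r->vanished++;
        else r->other_err++;
    }
}

/* Demo scaffolding (constructed): a throwaway directory with two cache-like files. */
static int make_demo_dir(char *buf, size_t n)
{
    char tmpl[] = "/tmp/rootcheck_demo_XXXXXX";
    const char *files[] = { "cache_a", "cache_b" };
    if (!mkdtemp(tmpl)) return -1;
    snprintf(buf, n, "%s", tmpl);
    for (int i = 0; i < 2; i++) {
        char p[4200];
        snprintf(p, sizeof p, "%s/%s", buf, files[i]);
        int fd = open(p, O_WRONLY | O_CREAT, 0600);
        if (fd < 0) return -1;
        close(fd);
    }
    return 0;
}

static void remove_demo_dir(const char *dir)
{
    char p[4200];
    snprintf(p, sizeof p, "%s/cache_a", dir); unlink(p);
    snprintf(p, sizeof p, "%s/cache_b", dir); unlink(p);
    rmdir(dir);
}

/* Clean directory: everything readdir lists, lstat can see.
 * Returns the number of discrepancies (0 expected), or -1 on setup failure. */
int demo_clean_scan(void)
{
    char dir[64];
    struct listing l; struct scan_result r;
    if (make_demo_dir(dir, sizeof dir) != 0) return -1;
    if (list_dir(dir, &l) != 0) { remove_demo_dir(dir); return -1; }
    stat_names(dir, &l, &r);
    remove_demo_dir(dir);
    return (l.n == 2 && r.stat_ok == 2) ? r.vanished + r.other_err : -1;
}

/* Same scan, but one file is deleted between the readdir phase and the lstat
 * phase, as an application expiring a cache entry would do. Returns how many
 * entries end up "hidden from stats" (1 expected) with no rootkit involved. */
int demo_vanished_between_phases(void)
{
    char dir[64], p[4200];
    struct listing l; struct scan_result r;
    if (make_demo_dir(dir, sizeof dir) != 0) return -1;
    if (list_dir(dir, &l) != 0) { remove_demo_dir(dir); return -1; }
    snprintf(p, sizeof p, "%s/cache_b", dir);
    unlink(p);                      /* cache entry removed after readdir ran */
    stat_names(dir, &l, &r);
    remove_demo_dir(dir);
    return (l.n == 2 && r.stat_ok == 1) ? r.vanished : -1;
}
```

A real scanner iterates readdir and stats each entry immediately, which narrows but does not close this window, so a single ENOENT on a file in a directory that churns (caches, spools, session stores) is weaker evidence than the same discrepancy on a file that persists across repeated scans; a second pass a few seconds later that still lists the name while stat cannot see it is the case worth escalating.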
On 6/7/07, Clayton Dillard <cdillard@xxxxxxxxxxxxxxxxx> wrote:
>
> Can someone provide some insight into why this alert is being fired? I get a lot of these alerts every day.
>
> Anomaly detected in file '/usr/local/apache2/htdocs/janeway/cache/cache_94afbfb2f291e0bf253fcf222e9d238e_1af853019d87ece6588c780714841e9b'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.
>
> What "stats" is the alert referring to?
>
> Thanks,
>
> --
> Clayton Dillard <cdillard@xxxxxxxxxxxxxxxxx>
> RPS Technology, LLC