[ossec-list] Possible rootkit false positive for Debian? - Advice
Hello -
I am one revision behind on OSSEC and I have had it installed now for about 6 months. Yesterday, I ran an "aptitude update", installed logsurfer+ version 1.7, and md5deep.
Today I received a notification I have never seen before:
#####################################################
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
Rootkit 'Showtee' detected by the presence of file '/usr/lib/libfl.so'.
#####################################################
This was the best I could find to explain the situation I have currently encountered...
http://www.archivum.info/linux.debian.bugs.dist/2006-09/msg04221.html
So apparently when someone has flex installed, it uses the file '/usr/lib/libfl.so'. So I searched on my system for "flex", and sure enough, it was there.... according to the manpage, it generates programs that perform pattern-matching on text. (So I am only partially relieved.)
I am not sure if the flex utility got there as a result of the aptitude upgrade (more than likely), or perhaps it was installed with logsurfer+... not sure...
I checked all of my OSSEC alerts that I received after the aptitude upgrade, and none of them referenced "flex" or /usr/lib/libfl.so. I also checked the tarchive packages for any of these as well and they weren't there.
Is it possible that '/usr/lib/libfl.so' was always there and OSSEC never saw it before? I mean, does OSSEC ever miss the presence of a file?
If there is anyone out there who, based on whatever experience they might have (OSSEC, Debian, development, security, or other), could point me in the right direction, I would greatly appreciate it... I am just trying to determine whether this is something that I am being overly paranoid about.
Thanks as always...
Tommy
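One way to triage a rootcheck hit like the one above on Debian, instead of relying on the filename match alone, is to ask the package database whether the file is owned by an installed package and whether its content still matches what that package shipped. The script below is an added example, not code from the original post or from OSSEC: it wraps dpkg -S and a check against a dpkg-style md5sums manifest (the format of /var/lib/dpkg/info/<pkg>.md5sums). The package name, the sample file content and the manifest used in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): triage a rootcheck alert such as
#   Rootkit 'Showtee' detected by the presence of file '/usr/lib/libfl.so'
# on Debian by checking package ownership and the recorded checksum.

# Print the package that owns PATH according to dpkg.
# Prints UNOWNED (status 1) if no package claims it, NO-DPKG (status 2) if
# dpkg is not available on this host.
owning_package() {
    path="$1"
    if ! command -v dpkg >/dev/null 2>&1; then
        echo "NO-DPKG"
        return 2
    fi
    # dpkg -S prints "pkg: /path"; keep only the package name
    owner=$(dpkg -S "$path" 2>/dev/null | head -n 1 | cut -d: -f1)
    if [ -z "$owner" ]; then
        echo "UNOWNED"
        return 1
    fi
    echo "$owner"
}

# Compare one file against a dpkg-style md5sums manifest.
# Manifest lines look like "<md5>  usr/lib/libfl.so" (path relative to /).
# MANIFEST and ROOT are parameters so the check also runs on a constructed
# tree; on a real host ROOT is / and MANIFEST is /var/lib/dpkg/info/<pkg>.md5sums.
# Prints MATCH (0), MISMATCH (1) or NOT-IN-MANIFEST (2).
verify_against_manifest() {
    manifest="$1"
    root="$2"
    rel="$3"
    recorded=$(awk -v f="$rel" '$2 == f { print $1 }' "$manifest")
    if [ -z "$recorded" ]; then
        echo "NOT-IN-MANIFEST"
        return 2
    fi
    actual=$(md5sum "$root/$rel" | cut -d' ' -f1)
    if [ "$actual" = "$recorded" ]; then
        echo "MATCH"
        return 0
    fi
    echo "MISMATCH"
    return 1
}

# Usage on a Debian host:  sh triage.sh /usr/lib/libfl.so
if [ -n "$1" ]; then
    pkg=$(owning_package "$1") || true
    echo "owner: $pkg"
    if [ -f "/var/lib/dpkg/info/$pkg.md5sums" ]; then
        # manifest paths have no leading slash, so strip it from the argument
        verify_against_manifest "/var/lib/dpkg/info/$pkg.md5sums" / "${1#/}"
    else
        echo "no md5sums manifest for $pkg"
    fi
fi
```

A file that is owned by a package and whose checksum matches the manifest is almost certainly the distribution's own file rather than a rootkit drop; an UNOWNED or MISMATCH result is what deserves a closer look. The md5sums manifest ships inside the package itself, so this only confirms the file is what the installed package put there, not that the package is trustworthy; for that, compare against a freshly downloaded copy of the .deb from the archive (debsums can do the same manifest comparison for every installed package).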
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.