
[ossec-list] Re: [ossec-dev] Possible rootkit false positive for Debian? - Advice

Hi Tommy,

You don't need to worry about this alert because it is a false
positive. The following signature was removed already from ossec...
Upgrade to our latest snapshot if you
want to try it out:

http://www.ossec.net/files/snapshots/

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 5/2/07, Tommy May <tommymay@xxxxxxxxxxx> wrote:

Hello -

I am one revision behind on OSSEC and I have had it installed now for about 6 months.  Yesterday, I ran an "aptitude update", installed logsurfer+ version 1.7, and md5deep.

Today I received a notification I have never seen before:

#####################################################

Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):

Rootkit 'Showtee' detected by the presence of file '/usr/lib/libfl.so'.

#####################################################

This was the best I could find to explain the situation I have currently encountered...

http://www.archivum.info/linux.debian.bugs.dist/2006-09/msg04221.html

So apparently when someone has flex installed, it uses the file '/usr/lib/libfl.so'.  So I searched on my system for "flex", and sure enough, it was there. According to the manpage, it generates programs that perform pattern-matching on text.  (So I am only partially relieved.)

I am not sure if the flex utility got there as a result of the aptitude upgrade (more than likely), or perhaps it was installed with logsurfer+... not sure...

I checked all of my OSSEC alerts that I received after the aptitude upgrade, and none of them referenced "flex" or /usr/lib/libfl.so.  I also checked the tarchive packages for any of these as well and they weren't there.

Is it possible that '/usr/lib/libfl.so' was always there and OSSEC never saw it before... I mean does OSSEC ever miss the presence of a file?

If there is anyone out there who, based on whatever experience they might have (OSSEC, Debian, development, security, or other), could point me in the right direction, I would greatly appreciate it...  I am just trying to determine whether this is something that I am being overly paranoid about.


Thanks as always...

Tommy
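The triage Tommy did by hand (does a legitimate package own the flagged path, and is the file unmodified?) can be scripted on a Debian host. This is an added example, not OSSEC's or Debian's own code: it looks up the owner with `dpkg -S` and compares the file's MD5 against the owner's `/var/lib/dpkg/info/<pkg>.md5sums` record; `demo()` runs the comparison offline on a constructed file so it needs no dpkg.

```python
import hashlib
import os
import subprocess
import tempfile

def package_owning(path):
    """Return the dpkg package owning `path` (via `dpkg -S`), or None."""
    try:
        out = subprocess.run(["dpkg", "-S", path], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    # Output looks like 'flex: /usr/lib/libfl.so' (multiarch: 'pkg:arch: /path'); diversions not handled
    return out.split(": ", 1)[0].strip() or None

def verify_against_md5sums(path, md5sums_text):
    """'ok' if the recorded hash matches, 'modified' if not, 'unlisted' if absent."""
    for line in md5sums_text.splitlines():
        parts = line.split(None, 1)        # '<md5>  <path without leading slash>'
        if len(parts) == 2 and "/" + parts[1].strip() == path:
            with open(path, "rb") as f:
                actual = hashlib.md5(f.read()).hexdigest()
            return "ok" if actual == parts[0].lower() else "modified"
    return "unlisted"

def triage(path, dpkg_info_dir="/var/lib/dpkg/info"):
    """Live-host check: owner via dpkg, then the owner's recorded md5sums."""
    pkg = package_owning(path)
    if pkg is None:
        return "unowned"   # no package claims the file: that is the case worth investigating
    try:
        with open(os.path.join(dpkg_info_dir, pkg + ".md5sums")) as f:
            return pkg + ":" + verify_against_md5sums(path, f.read())
    except OSError:
        return pkg + ":no-md5sums"

def demo():
    """Offline run on a constructed file and md5sums record (no dpkg needed)."""
    data = b"constructed sample, not a real shared library\n"
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "libfl.so")
        with open(fake, "wb") as f:
            f.write(data)
        rel = fake.lstrip("/")
        good = hashlib.md5(data).hexdigest() + "  " + rel
        bad = "0" * 32 + "  " + rel
        return (verify_against_md5sums(fake, good),
                verify_against_md5sums(fake, bad),
                verify_against_md5sums(fake, ""))
```

On a real host, `triage("/usr/lib/libfl.so")` answers the question in the thread directly: a result such as `flex:ok` means the file is the package's own and unmodified.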





OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.