Date: Thu, 24 Nov 2011 13:25:16 +0200
From: Nikos Vassiliadis <nvass@gmx.com>
To: Odhiambo Washington <odhiambo@gmail.com>
Cc: Ross <basarevych@gmail.com>, freebsd-questions@freebsd.org
Subject: Re: Do you run OSSEC on 9.0?
Message-ID: <4ECE299C.5080003@gmx.com>
In-Reply-To: <CAAdA2WMXBZdCkxas=yT=YSYu4P6HE7sUKOvZRvHdhCx9m7GnTQ@mail.gmail.com>
References: <CANmv3=yDOqZQ0E+9EE1i3a5vXBs7D7tvQx7Ag27Rc1Ba9ZJGbQ@mail.gmail.com> <CAAdA2WMXBZdCkxas=yT=YSYu4P6HE7sUKOvZRvHdhCx9m7GnTQ@mail.gmail.com>
Since /dev contains a special filesystem which cannot be used for "simple"
files and directories, I would say that the IDS needs some knowledge about it
and generic file-checking rules don't apply there.

This sounds like a false alert; something must have changed from 8 to 9
and/or the ossec port (and/or ossec signatures).

Disclaimer: I am not an ossec user!

Nikos

On 11/24/2011 11:04 AM, Odhiambo Washington wrote:
> Getting the same too, since I upgraded my 8.2 -> 9.0-PRE.
>
> Would be interested in the answers too.
>
> On Thu, Nov 24, 2011 at 10:32, Ross <basarevych@gmail.com> wrote:
>
>> I am getting emails about hidden files in /dev. Before that (on 8.2)
>> everything was OK. What should I do?
>>
>> OSSEC HIDS Notification.
>> 2011 Nov 24 08:17:25
>>
>> Received From: coffin->rootcheck
>> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
>> Portion of the log(s):
>>
>> Files hidden inside directory '/dev'. Link count does not match number of files (9,27).
>>
>> --END OF NOTIFICATION
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
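The alert Ross quoted is the classic link-count heuristic: on UFS, ext2/3/4 and most traditional filesystems a directory's st_nlink equals 2 plus the number of subdirectories it holds (its own "." entry plus one ".." from each child), so a link count that disagrees with what readdir() returns suggests entries are being hidden from directory listings. The program below is an added example written for this page, not OSSEC's rootcheck code; it reconstructs that heuristic in portable C (the exact counting rules OSSEC applies are an assumption here, since the thread only shows the alert text), and adds the calibration step Nikos's reply points at: before trusting the rule on a directory, probe whether the filesystem underneath maintains the convention at all, and treat a tree where no ordinary directory can even be created, as on devfs, as one the heuristic has nothing to say about. The probe needs write access to the directory and creates and removes a temporary subdirectory there. The scratch tree with three subdirectories and two regular files is constructed sample input.

```c
/* Added example, not OSSEC's code: the link-count heuristic behind rootcheck's "Files
 * hidden inside directory" alert, plus a probe of whether the filesystem honours it at all. */
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct linkcheck {
    long nlink;    /* st_nlink of the directory itself */
    long subdirs;  /* subdirectories seen by readdir(), excluding . and .. */
    long expected; /* 2 + subdirs: what a UFS/ext-style filesystem reports */
    int  mismatch; /* 1 when nlink != expected, the condition rootcheck alerts on */
};

/* The heuristic as assumed here (OSSEC's exact counting rules are not on this
 * page).  Returns 0, or -1 if path is not a readable directory. */
int check_dir_links(const char *path, struct linkcheck *out)
{
    struct stat st, cst; struct dirent *de; DIR *dp; char full[4096];
    memset(out, 0, sizeof *out);
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode) || (dp = opendir(path)) == NULL)
        return -1;
    while ((de = readdir(dp)) != NULL) {
        if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, ".."))
            continue;
        if (snprintf(full, sizeof full, "%s/%s", path, de->d_name) >= (int)sizeof full)
            continue;
        /* lstat, not stat: a symlink to a directory contributes no ".." link */
        if (lstat(full, &cst) == 0 && S_ISDIR(cst.st_mode))
            out->subdirs++;
    }
    closedir(dp);
    out->nlink = (long)st.st_nlink;
    out->expected = 2 + out->subdirs;
    out->mismatch = (out->nlink != out->expected);
    return 0;
}

/* Calibration: create a throwaway directory inside dir, add one child, and watch
 * st_nlink go 2 -> 3.  Returns 1 if the convention holds, 0 if the filesystem keeps
 * another count (btrfs and overlayfs, for instance, report 1 for every directory), -1
 * if no ordinary directory can be created there at all (the devfs case in this thread). */
int fs_keeps_link_convention(const char *dir)
{
    char probe[4096], child[4096];
    struct stat before, after;
    int holds = -1;
    if (snprintf(probe, sizeof probe, "%s/.linkprobe.XXXXXX", dir) >= (int)sizeof probe
        || mkdtemp(probe) == NULL)
        return -1;
    if (snprintf(child, sizeof child, "%s/d", probe) < (int)sizeof child
        && stat(probe, &before) == 0 && mkdir(child, 0700) == 0) {
        if (stat(probe, &after) == 0)
            holds = (before.st_nlink == 2 && after.st_nlink == 3);
        rmdir(child);
    }
    rmdir(probe);
    return holds;
}

/* Constructed sample input: a scratch tree under /tmp with 3 subdirectories and
 * 2 regular files, created once; returns its path (static buffer) or NULL. */
const char *make_sample_tree(void)
{
    static char base[] = "/tmp/linkcheck.XXXXXX";
    static int made = 0;
    const char *names[] = { "a", "b", "c", "f1", "f2" };
    char p[4096]; FILE *f; int i;
    if (made)
        return base;
    if (mkdtemp(base) == NULL)
        return NULL;
    for (i = 0; i < 5; i++) {
        if (snprintf(p, sizeof p, "%s/%s", base, names[i]) >= (int)sizeof p)
            return NULL;
        if (i < 3 ? mkdir(p, 0700) != 0 : (f = fopen(p, "w")) == NULL || fclose(f) != 0)
            return NULL;
    }
    made = 1;
    return base;
}

int main(void)
{
    const char *dirs[2] = { "/dev", make_sample_tree() }, *verdict;
    struct linkcheck r; int i, conv;
    for (i = 0; i < 2; i++) {
        if (dirs[i] == NULL || check_dir_links(dirs[i], &r) != 0)
            continue;
        conv = fs_keeps_link_convention(dirs[i]);
        verdict = conv == 1 ? "convention holds, an alert here would mean something"
                : conv == 0 ? "convention not kept, alert is noise" : "cannot mkdir here, skip the check";
        printf("%s: nlink=%ld subdirs=%ld expected=%ld %s; %s\n", dirs[i], r.nlink,
               r.subdirs, r.expected, r.mismatch ? "MISMATCH" : "ok", verdict);
    }
    return 0;
}
```

Run it as the user OSSEC runs as: on a FreeBSD box the /dev line comes back with the probe refused (devfs does not accept mkdir), which is the signal that the rootcheck rule should not be applied there, while the scratch tree on UFS shows nlink 5 for three subdirectories and a successful probe. On a Linux container root (overlayfs) the same scratch tree reports nlink 1 and a failed probe, which is the other way this heuristic produces noise.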
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4ECE299C.5080003>