Do you run OSSEC on 9.0?
Nikos Vassiliadis
nvass at gmx.com
Thu Nov 24 11:25:27 UTC 2011
Since /dev contains a special filesystem which cannot
be used for "simple" files and directories, I would say
that the IDS needs some knowledge about it and generic
file-checking rules don't apply there.
This sounds like a false alert, something must have changed
from 8 to 9 and/or the ossec port (and/or ossec signatures).
Disclaimer: I am not an ossec user!
Nikos
On 11/24/2011 11:04 AM, Odhiambo Washington wrote:
> Getting the same too, since I upgraded my 8.2 -> 9.0-PRE.
>
> Would be interested in the answers too.
>
>
> On Thu, Nov 24, 2011 at 10:32, Ross<basarevych at gmail.com> wrote:
>
>> I am getting emails about hidden files in /dev. Before that (on 8.2)
>> everything was OK. What should I do?
>>
>>
>> OSSEC HIDS Notification.
>> 2011 Nov 24 08:17:25
>>
>> Received From: coffin->rootcheck
>> Rule: 510 fired (level 7) -> "Host-based anomaly detection event
>> (rootcheck)."
>> Portion of the log(s):
>>
>> Files hidden inside directory '/dev'. Link count does not match number
>> of files (9,27).
>>
>>
>>
>> --END OF NOTIFICATION
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "
>> freebsd-questions-unsubscribe at freebsd.org"
>>
>
>
>
>
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
More information about the freebsd-questions
mailing list