Do you run OSSEC on 9.0?
nvass at gmx.com
Thu Nov 24 11:25:27 UTC 2011
Since /dev contains a special filesystem which cannot
be used for "simple" files and directories, I would say
that the IDS needs some knowledge about it and generic
file-checking rules don't apply there.

This sounds like a false alert; something must have changed
from 8 to 9 and/or the ossec port (and/or ossec signatures).

Disclaimer: I am not an ossec user!

On 11/24/2011 11:04 AM, Odhiambo Washington wrote:
> Getting the same too, since I upgraded my 8.2 -> 9.0-PRE.
> Would be interested in the answers too.
> On Thu, Nov 24, 2011 at 10:32, Ross <basarevych at gmail.com> wrote:
>> I am getting emails about hidden files in /dev. Before that (on 8.2)
>> everything was OK. What should I do?
>> OSSEC HIDS Notification.
>> 2011 Nov 24 08:17:25
>> Received From: coffin->rootcheck
>> Rule: 510 fired (level 7) -> "Host-based anomaly detection event
>> Portion of the log(s):
>> Files hidden inside directory '/dev'. Link count does not match number
>> of files (9,27).
>> --END OF NOTIFICATION
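The kind of link-count consistency check the alert text describes, with an exemption for synthetic filesystems such as the one on /dev, shown as an added example that is not part of the original thread and is not OSSEC's code. The names `SYNTHETIC_MOUNTS`, `link_count_verdict`, `count_subdirs` and `audit` are hypothetical, and the "2 + number of subdirectories" rule is the traditional convention for on-disk Unix filesystems, assumed here as the baseline.

```python
import os

# Assumption: directories under these mount points belong to synthetic
# filesystems (such as the one on /dev) whose directory link counts do
# not follow the on-disk convention, so the check is skipped for them.
SYNTHETIC_MOUNTS = ("/dev",)


def link_count_verdict(nlink, subdirs, path, synthetic=SYNTHETIC_MOUNTS):
    """Classify one directory as 'skip', 'ok' or 'mismatch'."""
    norm = os.path.normpath(path)
    for mount in synthetic:
        prefix = mount.rstrip("/") + "/"
        if norm == mount or norm.startswith(prefix):
            return "skip"
    # Traditional convention: one link for the entry in the parent,
    # one for '.', and one '..' link from each subdirectory.
    expected = 2 + subdirs
    return "ok" if nlink == expected else "mismatch"


def count_subdirs(path):
    """Count the subdirectories that readdir() reports for path."""
    total = 0
    with os.scandir(path) as entries:
        for entry in entries:
            if entry.is_dir(follow_symlinks=False):
                total += 1
    return total


def audit(path, synthetic=SYNTHETIC_MOUNTS):
    """Return (path, st_nlink, visible subdirs, verdict) for one directory."""
    st = os.lstat(path)
    subdirs = count_subdirs(path)
    verdict = link_count_verdict(st.st_nlink, subdirs, path, synthetic)
    return (path, st.st_nlink, subdirs, verdict)


if __name__ == "__main__":
    # Directories chosen for illustration only.
    for directory in ("/dev", "/etc"):
        print(audit(directory))
```

A 'mismatch' on an ordinary on-disk filesystem is worth investigating; the same result on a synthetic filesystem only shows that the convention does not hold there.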