OSSEC tries to bind to the port and checks the output of netstat and compares the results. If they don't match up, it reports it. This could be a sign that a process had bound to a port when it checked the first part, and the process was dead when it tried the second check.
It could also mean that netstat has been changed out with a "bad" version. Check the md5 of the netstat command to make sure it hasn't changed.

On Tue, Oct 19, 2010 at 10:36 AM, tux3132 <tux3...@gmail.com> wrote:
> Hi
>
> I have this level 7 alert fired by #510 rule:
>
> Port '40848'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat
>
> No other alerts of this level since one month ...
>
> Is this a false positive ? (I hope ... )
>
> Best regards.
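The check the reply describes, written out as an added example (this is not OSSEC's own rootcheck code): for each candidate port, try to bind() to it; a bind that fails with EADDRINUSE means the kernel has a listener there, and if a netstat listing does not show that port, the two sources disagree, which is the condition behind rule 510. The example also re-probes before reporting, so a listener that exits between the bind probe and the netstat snapshot (the transient case the reply mentions) does not produce an alert. The netstat text, the function names and the `demo()` helper are all constructed for this example; the listener that `demo()` opens is real, so the bind probe is exercised for real on 127.0.0.1.

```python
import errno
import socket
import time

# Constructed sample in the layout of `netstat -tln` output; not taken from any real host.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
"""


def parse_netstat_listening_ports(text):
    """Return the set of TCP ports that a netstat listing reports in LISTEN state."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[5] == "LISTEN":
            local_address = fields[3]            # e.g. "0.0.0.0:22" or ":::80"
            ports.add(int(local_address.rsplit(":", 1)[1]))
    return ports


def port_is_in_use(port, host="127.0.0.1"):
    """Bind probe: True if the kernel refuses the port as already in use,
    False if the bind succeeds, None if we cannot tell (e.g. EACCES on a
    privileged port when not running as root)."""
    # No SO_REUSEADDR here: the whole point is to be refused when a listener exists.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind((host, port))
        return False
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return True
        if exc.errno == errno.EACCES:
            return None
        raise
    finally:
        probe.close()


def find_hidden_ports(ports, netstat_text, host="127.0.0.1", recheck=True):
    """Ports the kernel says are in use but netstat does not list.

    That mismatch is what the 'Port hidden' alert reports. With recheck=True the
    probe is repeated before reporting, which filters the transient case where
    a process owned the port during the first probe and exited before the
    netstat snapshot was taken."""
    visible = parse_netstat_listening_ports(netstat_text)
    hidden = []
    for port in ports:
        if port in visible:
            continue
        if port_is_in_use(port, host) is not True:
            continue
        if recheck:
            time.sleep(0.05)
            if port_is_in_use(port, host) is not True:
                continue
        hidden.append(port)
    return hidden


def demo():
    """Open a real listener on an ephemeral port, then run the comparison
    against constructed netstat output that first omits and then includes it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        # netstat output that does not mention our listener: should be flagged.
        when_omitted = find_hidden_ports([port], SAMPLE_NETSTAT)
        # Same output with the listener present: nothing to report.
        listed_text = SAMPLE_NETSTAT + (
            f"tcp        0      0 127.0.0.1:{port}   0.0.0.0:*               LISTEN\n"
        )
        when_listed = find_hidden_ports([port], listed_text)
    finally:
        listener.close()
    return {"port": port, "hidden_when_omitted": when_omitted, "hidden_when_listed": when_listed}


if __name__ == "__main__":
    print(demo())
```

On a real host you would feed the function the live output of netstat and a port range rather than the constructed sample; if a port is still reported as hidden after the re-probe and the netstat binary's hash matches a known-good copy, the remaining explanation is the one the alert names, and the host should be examined with tools that do not depend on the in-kernel view (for example, a port scan from another machine).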