On Fri, Nov 19, 2010 at 1:07 AM, x509v3 <[email protected]> wrote:
> Hi, been running ossec for about a month now, after testing for
> another month. Tonight I received the following from one of my production
> machines:
>
> OSSEC HIDS Notification.
> 2010 Nov 18 19:36:56
>
> Received From: (host) 10.1.1.1->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event
> (rootcheck)."
> Portion of the log(s):
>
> Port '60256'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
>
> --END OF NOTIFICATION
>
> Host 10.1.1.1 is an IBM PowerPC host running AIX. I've seen this type
> of alert on my mac at home (PowerPC running 10.4), every once in a
> while. I confirmed from the Mac install DVD that the latter was a
> false positive.
>
> It's likely that this alert is a false positive too, but taking it
> offline isn't really an option unless we're sure there's an issue.
> Unfortunately, alerts like this trigger a mandatory incident response
> and can be disruptive, so many false alarms will not be good.
>
> Anyone else seeing netstat-related false alarms like this?
Probably a false positive. What's the purpose of the server? Chances are a process bound and unbound a port between OSSEC trying to bind to the port and checking to see if anything is listening on that port.
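The race the reply describes (a listing is taken, a short-lived process binds the port, then the bind probe fails and the port looks "hidden") is easy to reproduce in a few lines. The script below is an added example written for this thread; it is not OSSEC's rootcheck code. It mimics the two-step check as the reply describes it (list what is listening, then try to bind each port) with a constructed listing function standing in for the netstat output, stages the transient-listener race on a loopback port, and shows one defender-side mitigation: re-probing a suspect port a few times before alerting, so a port that was only briefly bound is cleared while a port that stays bound and never shows up in the listing is still reported. The function names, the re-check policy and the empty-set listing are assumptions made for the demonstration.

```python
import socket
import time

HOST = "127.0.0.1"


def port_in_use(port):
    """Probe the way the reply describes rootcheck doing it: try to bind the port.
    A bind failure means some process already holds it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((HOST, port))
            return False
        except OSError:
            return True


def hidden_ports(ports, list_listening):
    """Single-pass check: a port that cannot be bound but is absent from the
    listing is reported as hidden. The listing is taken first, the probe runs
    afterwards, which is the window in which a transient listener causes a
    false positive."""
    listed = list_listening()
    return [p for p in ports if p not in listed and port_in_use(p)]


def confirm_hidden(suspects, list_listening, rounds=3, delay=0.05):
    """Mitigation (assumed policy, not rootcheck's): keep only the ports that
    stay hidden on every re-check, so a port bound for a moment drops out."""
    remaining = list(suspects)
    for _ in range(rounds):
        if not remaining:
            break
        time.sleep(delay)
        remaining = hidden_ports(remaining, list_listening)
    return remaining


def free_port():
    """Ask the OS for an unused loopback port for the constructed scenarios."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]


def transient_listener_scenario():
    """Constructed race: a short-lived listener binds the port after the
    listing snapshot is taken but before the bind probe runs."""
    port = free_port()
    held = []

    def listing():
        snapshot = set()  # constructed listing: nothing is listening yet
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind((HOST, port))  # the short-lived process appears right after the snapshot
        s.listen(1)
        held.append(s)
        return snapshot

    first_pass = hidden_ports([port], listing)  # flagged: bound but not listed
    for s in held:
        s.close()  # the short-lived process exits
    held.clear()
    rechecked = confirm_hidden(first_pass, lambda: set())  # bindable again: cleared
    return first_pass, rechecked


def persistent_hidden_scenario():
    """Constructed true positive: the port stays bound and the listing never
    reports it, which is what a trojaned listing tool would look like."""
    port = free_port()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((HOST, port))
    s.listen(1)
    try:
        first_pass = hidden_ports([port], lambda: set())
        rechecked = confirm_hidden(first_pass, lambda: set())
    finally:
        s.close()
    return first_pass, rechecked


if __name__ == "__main__":
    print("transient listener:", transient_listener_scenario())  # ([port], [])
    print("persistent hidden :", persistent_hidden_scenario())   # ([port], [port])
```

The re-check does not make the alert safe to ignore; it only separates the two cases the original poster has to choose between. A port that still fails to bind and still does not appear in the listing after several rounds is exactly the condition that should escalate, and the first thing to compare it against is a listing produced by a tool you trust (the poster's Mac install DVD check is the same idea).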
