This may have been posted already, but I don't see an easy way to search the archives, nor a recent post about it, so I figured I should ask.
I'm seeing some false positive rootkit detection on my Ubuntu/dapper system after a fresh install of 0.9: Rule: 14 fired (level 8) -> "Rootkit detection engine message" Portion of the log(s): Anomaly detected in file '/var/lib/mysql/ibdata1'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit. Now, that file isn't a rootkit, but it *is* 2.6 GB. I got the same message about a backup file over 4GB that I had in /root/. I'm running xfs as my root filesystem, and AFAIK Ubuntu's tools are all large file safe, so it seems like it's OSSEC that's having problems with large files? If there's a config option I missed or something similar, just give me a URL and an RTFM. ;) Thanks, Graeme