I just disabled cups on my server (no printer, no need to print) and OSSEC reported

    Port '631'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat

A quick check of netstat shows

    $ sudo netstat -anp |grep 631
    udp 0 0 0.0.0.0:631 0.0.0.0:* 1125/portreserve

And Googling tells me that portreserve is there to make sure that if I were to start cups later, the necessary port would be available.

Should OSSEC be modified to be aware of ports held by portreserve?

System is CentOS 6.2.

--
Steve
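
Added example, not part of the original post and not OSSEC's code: a Linux-only Python sketch of how a reserved port can trip a "hidden port" check. It assumes the check compares a bind() probe against the TCP listing that netstat reads from /proc/net/tcp, and that the port is held by a socket that is bound but never listens (an assumption about how portreserve holds it); all function names are hypothetical.

```python
import errno
import socket

def tcp_ports_in_proc(path="/proc/net/tcp"):
    """Local IPv4 TCP ports the kernel lists (the data netstat shows on Linux)."""
    ports = set()
    with open(path) as fh:
        next(fh)                              # skip the header row
        for line in fh:
            local = line.split()[1]           # e.g. 0100007F:0277 (port 631)
            ports.add(int(local.rsplit(":", 1)[1], 16))
    return ports

def bind_fails(port, host="127.0.0.1"):
    """Bind probe: True when the port is already held by another socket."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind((host, port))
        return False
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return True
        raise
    finally:
        probe.close()

def looks_hidden(port):
    """Assumed comparison: bind() is refused, yet the listing lacks the port."""
    return bind_fails(port) and port not in tcp_ports_in_proc()

def demo():
    """Reserve a port without listen(), then start listening on it."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))             # kernel picks a free port
    port = holder.getsockname()[1]
    try:
        reserved_only = looks_hidden(port)    # bound, not listening
        holder.listen(1)
        after_listen = looks_hidden(port)     # now present in /proc/net/tcp
    finally:
        holder.close()
    return reserved_only, after_listen

if __name__ == "__main__":
    print(demo())
```

The first value is the false positive: the port is legitimately held, but a bound-only TCP socket does not appear in the listing until it listens or connects.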