From: Nikos Vassiliadis
Date: Thu, 24 Nov 2011 13:25:16 +0200
To: Odhiambo Washington
Cc: Ross, freebsd-questions@freebsd.org
Subject: Re: Do you run OSSEC on 9.0?

Since /dev contains a special filesystem which cannot be used for
"simple" files and directories, I would say that the IDS needs some
knowledge about it and generic file-checking rules don't apply there.
This sounds like a false alert, something must have changed from 8 to 9
and/or the ossec port (and/or ossec signatures).

Disclaimer: I am not an ossec user!

Nikos

On 11/24/2011 11:04 AM, Odhiambo Washington wrote:
> Getting the same too, since I upgraded my 8.2 -> 9.0-PRE.
>
> Would be interested in the answers too.
>
> On Thu, Nov 24, 2011 at 10:32, Ross wrote:
>
>> I am getting emails about hidden files in /dev. Before that (on 8.2)
>> everything was OK. What should I do?
>>
>> OSSEC HIDS Notification.
>> 2011 Nov 24 08:17:25
>>
>> Received From: coffin->rootcheck
>> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
>> Portion of the log(s):
>>
>> Files hidden inside directory '/dev'. Link count does not match number of files (9,27).
>>
>> --END OF NOTIFICATION
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
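
The quoted alert comes from comparing a directory's link count with what a scan of it finds. The following is an added sketch (not OSSEC's code and not written by anyone in this thread) of that heuristic with the filesystem-type exemption the reply above argues for. The mount table is a constructed sample in `mount -p` layout; the function names, the `EXEMPT_FSTYPES` set and the "2 + subdirectories" convention are assumptions of the example.

```python
import os

# Constructed sample in the fstab(5) layout printed by FreeBSD `mount -p`.
SAMPLE_MOUNTS = """\
/dev/ada0p2\t/\tufs\trw\t1 1
devfs\t/dev\tdevfs\trw,multilabel\t0 0
/dev/ada0p4\t/usr\tufs\trw\t2 2
"""

# Filesystem types exempted from the check. Only devfs comes from the thread;
# extending the set is a local policy decision (assumption of this sketch).
EXEMPT_FSTYPES = {"devfs"}

def parse_mounts(text):
    """Return [(mountpoint, fstype)] from fstab-style lines."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith("#"):
            mounts.append((fields[1], fields[2]))
    return mounts

def fstype_for(path, mounts):
    """Filesystem type of the longest mount point that contains path."""
    path = os.path.normpath(path)
    best = ("", None)
    for mountpoint, fstype in mounts:
        prefix = mountpoint.rstrip("/") + "/"  # so /dev does not match /devices
        inside = path == mountpoint or path.startswith(prefix)
        if inside and len(mountpoint) > len(best[0]):
            best = (mountpoint, fstype)
    return best[1]

def verdict(nlink, subdirs, fstype):
    """Traditional expectation: nlink == 2 (parent entry and '.') + subdirs."""
    if fstype in EXEMPT_FSTYPES:
        return "skipped"  # generic rule does not apply to this filesystem
    return "ok" if nlink == subdirs + 2 else "mismatch"

def check_dir(path, mounts):
    """Collect the numbers from the live filesystem and classify them."""
    nlink = os.lstat(path).st_nlink
    with os.scandir(path) as entries:
        subdirs = sum(1 for e in entries if e.is_dir(follow_symlinks=False))
    fstype = fstype_for(path, mounts)
    return nlink, subdirs, fstype, verdict(nlink, subdirs, fstype)
```

On a live host, pass `parse_mounts` the output of `mount -p` instead of the sample table.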