Re: ignore chkrootkit false positive
David Siroky <ml@dasir.net>:
>
> My chkrootkit is reporting "INFECTED PORT 465", which is where my regular
> ssmtp Postfix daemon is. I found a lot of discussions about this problem, but
> everywhere the last answer was "That's OK, you can ignore it". I want
> chkrootkit to ignore it. Is there any configuration option for this?

See the chkrootkit mailing list archive[i]. This is pretty much a
FAQ. It boils down to the question of whether it's safe or not to
wrap chkrootkit in a script that checks chkrootkit's output against
your predefined list of false positives.

Mail me off-list and I'll send you my version of the script. It's
based heavily on another chkrootkit user's script.

[i] http://marc.theaimsgroup.com/?l=chkrootkit-users&r=1&w=2

--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling Linux Counter #80292
- - http://www.faqs.org/rfcs/rfc1855.html
Spammers! http://www.spots.ab.ca/~keeling/emails.html
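
The wrapper idea described in the reply above, as an added example; it is not the script offered in the post and not part of chkrootkit. The function names, the sample lines and the allowlist path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: suppress only findings that match an allowlist entry exactly,
# line for line, so allowing the port-465 report cannot hide another port.

# unexpected_findings ALLOWLIST   (scanner output on stdin)
# Prints findings that are not allowlisted; returns 1 if any remain, else 0.
unexpected_findings() {
    allowlist=$1
    # Assumption: problem lines contain "INFECTED"; extend the pattern to
    # any other warning strings your chkrootkit version prints.
    findings=$(grep 'INFECTED' || true)
    [ -n "$findings" ] || return 0
    if [ -r "$allowlist" ]; then
        # -F literal, -x whole line, -v invert: drop exact allowlisted lines.
        remaining=$(printf '%s\n' "$findings" | grep -Fxv -f "$allowlist" || true)
    else
        # A missing or unreadable allowlist must mean "report everything".
        remaining=$findings
    fi
    [ -n "$remaining" ] || return 0
    printf '%s\n' "$remaining"
    return 1
}

# Constructed sample output, modelled on the report quoted in the post.
sample_scan() {
    cat <<'EOF'
Checking for rootkit A... not infected
Checking ports... INFECTED PORT 465
Checking ports... INFECTED PORT 12345
EOF
}

# Demo with a constructed allowlist. Real use would look like this
# (hypothetical allowlist path):
#   chkrootkit 2>&1 | unexpected_findings /etc/chkrootkit.allow
demo_allow=$(mktemp)
printf '%s\n' 'Checking ports... INFECTED PORT 465' > "$demo_allow"
sample_scan | unexpected_findings "$demo_allow" || echo "unexpected findings above"
rm -f "$demo_allow"
```

Because entries must match a whole line, the allowlist has to be refreshed whenever a chkrootkit upgrade changes the wording of a known false positive; until then the finding is reported again rather than silently dropped.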