
Re: ignore chkrootkit false positive



David Siroky <ml@dasir.net>:
> 
>  My chkrootkit is reporting "INFECTED PORT 465", which is where my regular ssmtp
>  Postfix daemon is. I found lots of discussions about this problem, but
>  everywhere the last answer was "That's OK, you can ignore it". I want
>  chkrootkit to ignore it. Is there any configuration option for this?

See the chkrootkit mailing list archive[i].  This is pretty much a
FAQ.  It boils down to the question of whether it's safe or not to
wrap chkrootkit in a script that checks chkrootkit's output against
your predefined list of false positives.

Mail me off-list and I'll send you my version of the script.  It's
based heavily on another chkrootkit user's script.


[i] http://marc.theaimsgroup.com/?l=chkrootkit-users&r=1&w=2


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)    http://www.spots.ab.ca/~keeling           Linux Counter #80292
- -    http://www.faqs.org/rfcs/rfc1855.html
       Spammers! http://www.spots.ab.ca/~keeling/emails.html
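
The kind of wrapper discussed in the reply above, sketched as an added example; it is not part of the original message and is not the poster's script. The names `filter_findings` and `demo`, the allowlist path in the usage comment, and the sample lines are assumptions constructed for illustration; the `INFECTED` keyword is taken from the report quoted in the question.

```shell
#!/bin/sh
# Added example: report only chkrootkit findings that are not on an
# exact-match allowlist of known false positives.
# Assumed usage: chkrootkit 2>&1 | filter_findings /etc/chkrootkit.allow

# Reads scanner output on stdin; $1 is the allowlist file (one complete
# output line per entry). Prints findings that are not allowlisted.
# Returns 0 if none remain, 1 if any do, 2 if the allowlist is unreadable
# (fail closed: a missing allowlist must not look like a clean scan).
filter_findings() {
    allowlist=$1
    if [ ! -r "$allowlist" ]; then
        echo "allowlist not readable: $allowlist" >&2
        return 2
    fi
    # Keep positive findings (assumed to contain "INFECTED"), then drop
    # lines equal to an allowlist entry: -F literal text, -x whole line.
    # Whole-line matching keeps "PORT 465" from also hiding "PORT 4650".
    unexpected=$(grep 'INFECTED' | grep -v -x -F -f "$allowlist" || true)
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# Constructed sample data; real chkrootkit output lines will differ.
demo() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' 'INFECTED PORT 465' > "$tmp/allow"
    printf '%s\n' 'Checking sniffer... not infected' \
        'INFECTED PORT 465' 'INFECTED PORT 4650' > "$tmp/out"
    filter_findings "$tmp/allow" < "$tmp/out" && rc=0 || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "unexpected findings listed above (exit $?)"
```

Because entries match whole lines literally, a new finding on a different port, or the same port reported by a different check, still reaches the report.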


