Gentoo Forums
grep update to grep-2.27-r1 trigger ossec alert
Forum: Networking & Security

Author Message
Caiman
n00b


Joined: 01 Jul 2007
Posts: 64

Posted: Sat Feb 11, 2017 4:14 pm    Post subject: grep update to grep-2.27-r1 trigger ossec alert

Yesterday's update for grep:
[ebuild U ] sys-apps/grep-2.27-r1::gentoo [2.25::gentoo] USE="pcre -nls -static" 1329 KiB

Today's alert from OSSEC:
OSSEC HIDS Notification.
2017 Feb 10 23:17:05

Received From: s3020n->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/bin/grep' detected. Signature used: 'bash|givemer|/dev/' (Generic).
--END OF NOTIFICATION

:?
sergeev917
n00b


Joined: 04 Apr 2014
Posts: 10

Posted: Sat Feb 11, 2017 7:35 pm

> Trojaned version of file '/bin/grep' detected. Signature used: 'bash|givemer|/dev/' (Generic).

Given that I understand correctly what the signature is, it looks like just a regular expression being matched against the grep binary. Correct me if I'm wrong on this.
Looking at the source of grep (2.27):

Code:

  bool possibly_tty = false;
  struct stat tmp_stat;
  if (! exit_on_match && fstat (STDOUT_FILENO, &tmp_stat) == 0)
    {
      if (S_ISREG (tmp_stat.st_mode))
        out_stat = tmp_stat;
      else if (S_ISCHR (tmp_stat.st_mode))
        {
          /* stdout is a character device: is it /dev/null? */
          struct stat null_stat;
          if (stat ("/dev/null", &null_stat) == 0
              && SAME_INODE (tmp_stat, null_stat))
            dev_null_output = true;   /* the "/dev/" string the signature hits */
          else
            possibly_tty = true;
        }
    }


So grep just checks whether the output is in fact the /dev/null character device (most likely for future optimization). So, it does look like a false positive to me.
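To make the triage described in the reply concrete, here is an added example (not from the thread, not OSSEC's own code) that reproduces the kind of check the alert implies: the quoted signature 'bash|givemer|/dev/' is treated as a regular-expression alternation searched over the raw bytes of a file, and each hit is reported with its offset and surrounding context so you can see which string actually fired. It then resolves the hit the way a practitioner would, by comparing the file's digest with a trusted one. The file contents, the trusted digest and the exact way OSSEC applies the pattern are assumptions, constructed for the example.

```python
import hashlib
import re

# Assumption: the "Generic" signature quoted in the alert is applied as a
# regex alternation over the file's raw bytes. Pattern text is from the alert.
GENERIC_SIGNATURE = re.compile(rb"bash|givemer|/dev/")

# Constructed stand-ins for file contents (not real ELF binaries).
# The first contains the literal "/dev/null" that grep's source uses when
# it checks whether stdout is the null device.
LEGIT_GREP_LIKE = b'\x7fELF code stat("/dev/null") more code'
# The second contains strings an actual backdoored binary might carry.
TROJANED_LIKE = b'\x7fELF code givemer exec /bin/bash'


def signature_hits(data: bytes):
    """Return every (offset, matched_text) pair where the signature fires,
    so the analyst can see *which* alternative matched, not just that one did."""
    return [(m.start(), m.group(0).decode("ascii"))
            for m in GENERIC_SIGNATURE.finditer(data)]


def context(data: bytes, offset: int, width: int = 12) -> str:
    """Printable slice around a hit, to show the surrounding string."""
    lo, hi = max(0, offset - width), offset + width
    return data[lo:hi].decode("ascii", errors="replace")


def integrity_ok(data: bytes, expected_sha256: str) -> bool:
    """Compare the file's digest with a trusted value, e.g. the one the
    package manager recorded when the file was installed."""
    return hashlib.sha256(data).hexdigest() == expected_sha256


def triage(data: bytes, expected_sha256: str) -> str:
    """Combine both checks: a signature hit on a file whose digest still
    matches the trusted value is a false positive; a hit on a file whose
    digest does not match is worth escalating."""
    if not signature_hits(data):
        return "clean"
    if integrity_ok(data, expected_sha256):
        return "false-positive"
    return "suspect"


if __name__ == "__main__":
    # Simulate the digest the package manager recorded for the legitimate file.
    trusted = hashlib.sha256(LEGIT_GREP_LIKE).hexdigest()
    for name, blob in (("grep-like", LEGIT_GREP_LIKE), ("trojaned-like", TROJANED_LIKE)):
        for off, text in signature_hits(blob):
            print(f"{name}: '{text}' at offset {off}: ...{context(blob, off)}...")
        print(f"{name}: verdict = {triage(blob, trusted)}")
```

On a real Gentoo host the trusted digest does not have to be constructed: `qcheck sys-apps/grep` (from portage-utils) compares the installed files with the checksums Portage recorded at merge time, which is the check that settles whether the rootcheck hit on /bin/grep after the 2.27-r1 update is the legitimate "/dev/null" string or an actual modification.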