Difference between revisions of "HIDS 61028"

From Atomicorp Wiki
(Created page with "{{Infobox |header1= Rule 61028 |label2 = Status |data2 = Active |label3 = Alert Message |data3 = Denied an untrusted non system library binary from hooking an application }} ...")
 
m
 
Line 21: Line 21:
 
== False Positives ==
 
== False Positives ==
  
Please report this to support if you know this is not an attack.
+
Please do not report events for abrt, if this involves a different application, please report this to support if you know this is not an attack.
  
 
= Additional Information =
 
= Additional Information =
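Review bot: The added False Positives line joins two instructions with a comma ("Please do not report events for abrt, if this involves a different application, ..."), so the "if" clause can be read as attaching to either instruction. Split it into two sentences: one stating that abrt events should not be reported, and one stating that events from a different application should be reported to support when they are known not to be an attack.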

Latest revision as of 10:52, 16 October 2014

Rule 61028
Status: Active
Alert Message: Denied an untrusted non system library binary from hooking an application


Description

This rule is triggered when a userland application tries to hook a system library or application, but is not itself a system library or application.

You should investigate this event, as it may be part of a broader attack. Some debugging applications, such as abrtd, are known to do this.

Log examples

May 5 09:24:02 host kernel: grsec: denied exec of usermode helper binary /usr/libexec/abrt-hook-ccpp located outside of /sbin and system library paths

Troubleshooting

False Positives

Please do not report events for abrt. If this involves a different application, please report this to support if you know this is not an attack.
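One way to separate the expected abrt events from the ones that need investigation, as an added example that is not part of the original wiki page or of Atomicorp's rule set. It assumes the grsec message format shown under Log examples; the allowlist, the function name and every sample line after the first are constructed for illustration.

```python
import re

# Message format taken from the log example on this page.
GRSEC_DENY = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+kernel:\s+grsec:\s+"
    r"denied exec of usermode helper binary (?P<path>\S+) "
    r"located outside of /sbin and system library paths"
)

# Assumption: full paths of debugging helpers accepted as expected noise.
# Only the abrt hook from the page's log example is listed.
KNOWN_DEBUG_HELPERS = {"/usr/libexec/abrt-hook-ccpp"}


def triage(lines):
    """Split rule 61028 denials into expected debug helpers and events to investigate."""
    result = {"known_debug_helper": [], "investigate": []}
    for line in lines:
        m = GRSEC_DENY.match(line)
        if not m:
            continue  # not the grsec message this rule fires on
        # Exact path comparison: a binary that only has "abrt" in its name,
        # or sits in another directory, is still queued for investigation.
        known = m["path"] in KNOWN_DEBUG_HELPERS
        bucket = "known_debug_helper" if known else "investigate"
        result[bucket].append((m["host"], m["ts"], m["path"]))
    return result


# Constructed sample input; the first line is the log example from the page.
_MSG = "kernel: grsec: denied exec of usermode helper binary"
_TAIL = "located outside of /sbin and system library paths"
SAMPLE = [
    f"May 5 09:24:02 host {_MSG} /usr/libexec/abrt-hook-ccpp {_TAIL}",
    f"May 5 09:31:47 host {_MSG} /tmp/abrt-hook-ccpp {_TAIL}",
    f"May 5 09:40:10 host {_MSG} /home/build/corehelper {_TAIL}",
    "May 5 09:41:00 host sshd[812]: Accepted publickey for admin from 192.0.2.10",
]

if __name__ == "__main__":
    for bucket, events in triage(SAMPLE).items():
        for host, ts, path in events:
            print(f"{bucket:18} {ts} {host} {path}")
```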

Additional Information

Similar Rules

None.

Knowledge Base Articles

None.
