HIDS 61028

From Atomicorp Wiki
Revision as of 10:52, 16 October 2014 by Mshinn (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Rule 61028
Status Active
Alert Message Denied an untrusted non system library binary from hooking an application

Contents

[edit] Description

This rule is triggered when a userland application tries to hook a system library or application, but is not itself a system library or application.

You should investigate this event as it may be part of a broader attack. Some debugging application, such as abrtd, are known to do this.

[edit] Log examples

May 5 09:24:02 host kernel: grsec: denied exec of usermode helper binary /usr/libexec/abrt-hook-ccpp located outside of /sbin and system library paths

[edit] Troubleshooting

[edit] False Positives

Please do not report events for abrt, if this involves a different application, please report this to support if you know this is not an attack.

[edit] Additional Information

[edit] Similar Rules

None.

[edit] Knowledge Base Articles

None.

Retrieved from "https://wiki.atomicorp.com/wiki/index.php?title=HIDS_61028&oldid=5224"
Personal tools