Difference between revisions of "HIDS 61028"
From Atomicorp Wiki
(Created page with "{{Infobox |header1= Rule 61028 |label2 = Status |data2 = Active |label3 = Alert Message |data3 = Denied an untrusted non system library binary from hooking an application }} ...") |
m |
||
| Line 21: | Line 21: | ||
== False Positives == | == False Positives == | ||
| − | Please report this to support if you know this is not an attack. | + | Please do not report events for abrt, if this involves a different application, please report this to support if you know this is not an attack. |
= Additional Information = | = Additional Information = | ||
Latest revision as of 10:52, 16 October 2014
| Rule 61028 | |
|---|---|
| Status | Active |
| Alert Message | Denied an untrusted non system library binary from hooking an application |
Contents |
[edit] Description
This rule is triggered when a userland application tries to hook a system library or application, but is not itself a system library or application.
You should investigate this event as it may be part of a broader attack. Some debugging application, such as abrtd, are known to do this.
[edit] Log examples
May 5 09:24:02 host kernel: grsec: denied exec of usermode helper binary /usr/libexec/abrt-hook-ccpp located outside of /sbin and system library paths
[edit] Troubleshooting
[edit] False Positives
Please do not report events for abrt, if this involves a different application, please report this to support if you know this is not an attack.
[edit] Additional Information
[edit] Similar Rules
None.
[edit] Knowledge Base Articles
None.
