#74 Sockstat processing on FreeBSD

main
closed-accepted
Detection (54)
5
2011-02-15
2011-01-01
Phil
No

Hello,
I'm running rkhunter 1.3.8 on FreeBSD 8.1.

In the sockstat / netstat check (line 12928), the sockstat output filter catches lines such as:
root dovecot 96089 16 stream /var/run/dovecot/auth-worker.96090

In this example, 96090 gets listed as an open port, which is not correct.

Something like:
SOCKSTAT_OUTPUT=`${SOCKSTAT_CMD} ${RKHTMPVAR} | awk '$5 ~ "(tcp|udp)[46]" { print $6 }' |grep...
may prevent this quirk.

Mvg,
Phil

Discussion

  • John Horne

    John Horne - 2011-01-12

    Yes, this is a bug. However the sockstat output (in field 5) can also contain 'tcp4 6' so that will cause field 6 to be reported simply as '6'. Yuck. I'll see what can be done.
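
The two parsing problems raised in this thread (a unix socket path ending in digits, and 'tcp4 6' splitting the protocol column into two fields) can be handled in one filter. The following is an added example, not rkhunter's actual fix and not code from either poster; the function names and the sample sockstat lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not rkhunter code). Sample lines are constructed, laid out
# in the FreeBSD sockstat columns: USER COMMAND PID FD PROTO LOCAL FOREIGN.
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     dovecot    96089 16 stream /var/run/dovecot/auth-worker.96090
root     sshd       1234  3  tcp4   *:22                  *:*
www      httpd      2345  4  tcp4 6 *:80                  *:*
root     ntpd       777   20 udp6   *:123                 *:*
root     syslogd    612   6  dgram  /var/run/log
bind     named      901   21 udp4   127.0.0.1:53          *:*
EOF
}

# The filter suggested in the report, unchanged: it drops the unix
# socket lines, but on a "tcp4 6" line field 6 is just "6".
field6_filter() {
    awk '$5 ~ "(tcp|udp)[46]" { print $6 }'
}

# Hypothetical hardened filter: require an inet protocol in field 5,
# step over a lone "4" or "6" in field 6, then keep only a numeric
# port taken from after the last colon of the local address.
listening_ports() {
    awk '
    $5 ~ /^(tcp|udp)[46]$/ {
        addr = $6
        if ($6 ~ /^[46]$/) addr = $7          # "tcp4 6" case
        n = split(addr, parts, ":")
        if (n > 1 && parts[n] ~ /^[0-9]+$/)
            print substr($5, 1, 3) ":" parts[n]
    }' | LC_ALL=C sort -u
}

# Stand-alone run over the constructed sample.
sample_sockstat | listening_ports
```
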

     
  • John Horne

    John Horne - 2011-01-12
    • assigned_to: nobody --> jhorne
    • status: open --> pending
     
  • SourceForge Robot

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).

     
  • SourceForge Robot

    • status: pending --> closed
     
  • John Horne

    John Horne - 2011-02-10
    • status: closed --> open
     
  • John Horne

    John Horne - 2011-02-10

    I have created a fix for this based on your suggestion. However, at the moment the sourceforge CVS service is down, so I cannot commit it yet.

     
  • John Horne

    John Horne - 2011-02-10
    • status: open --> open-accepted
     
  • John Horne

    John Horne - 2011-02-10

    The CVS service seems to be up and running again. The changes have been committed so you can download the CVS version if you want to from http://rkhunter.sourceforge.net/rkhunter-CVS.tar.gz

     
  • John Horne

    John Horne - 2011-02-10
    • status: open-accepted --> pending-accepted
     
  • Phil

    Phil - 2011-02-11
    • status: pending-accepted --> open-accepted
     
  • Phil

    Phil - 2011-02-11

    Hi John, this works perfectly! Thanks a lot for the great job.
    Mvg, Phil

     
  • John Horne

    John Horne - 2011-02-15
    • status: open-accepted --> closed-accepted
     
