grep false positive


Leroy Tennison
Jan 23, 2020, 6:46:43 PM
to ossec-list
Received the following message: "Trojaned version of file '/bin/grep' detected. Signature used: 'bash|givemer|/dev/' (Generic)." on 18.04.3 LTS. Downloaded the deb from Ubuntu standard repositories, extracted grep (in /tmp) and compared sha512sums for it and /bin/grep - identical. I received another message about a trojaned file for s-nail (also on Ubuntu 16.04) recently and, in that case, simply de-installed the package since it wasn't needed. Now I'm wondering if these are false positives. Appears the agent is 3.1.0, server is 2.9.1. Any suggestions or further steps I can take?

dan (ddp)
Jan 24, 2020, 7:54:38 AM
to ossec...@googlegroups.com
On Thu, Jan 23, 2020 at 6:46 PM Leroy Tennison <leroy.t...@gmail.com> wrote:
>
> Received the following message: "Trojaned version of file '/bin/grep' detected. Signature used: 'bash|givemer|/dev/' (Generic)." on 18.04.3 LTS. Downloaded the deb from Ubuntu standard repositories, extracted grep (in /tmp) and compared sha512sums for it and /bin/grep - identical. I received another message about a trojaned file for s-nail (also on Ubuntu 16.04) recently and, in that case, simply de-installed the package since it wasn't needed. Now I'm wondering if these are false positives. Appears the agent is 3.1.0, server is 2.9.1. Any suggestions or further steps I can take?
>

Pretty sure '/dev/' was removed from the signature because of this
false positive.

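To make the false positive concrete, here is an added example (not code from the thread and not OSSEC's own rootcheck implementation) that mimics what a rootkit_trojans.txt signature check does: pull the printable strings out of a file, as strings(1) would, and flag the file if any string contains one of the '|'-separated alternatives. The byte blobs standing in for a clean and a trojaned /bin/grep are constructed for the example, the substring matching is a simplification of OSSEC's regex engine, and the "known-good" hash is computed from the constructed clean blob in place of the sha512sum of the binary extracted from the Ubuntu deb. It shows why a legitimate grep, which legitimately references /dev/null, trips the old 'bash|givemer|/dev/' signature but not one with '/dev/' dropped, and why comparing against the package's own copy is the right confirmation step.

```python
import hashlib
import re
from typing import List, Tuple

# Constructed stand-ins for file contents; not real ELF binaries.
# A normal GNU grep build contains the string "/dev/null" among its data.
CLEAN_GREP = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 8
    + b"/dev/null\x00"
    + b"Usage: grep [OPTION]... PATTERNS [FILE]...\x00"
)
# Same file with an extra string of the kind the signature is meant to catch.
TROJANED_GREP = CLEAN_GREP + b"/bin/bash -c givemer\x00"

OLD_SIGNATURE = "bash|givemer|/dev/"  # as quoted in the alert in the thread
NEW_SIGNATURE = "bash|givemer"        # '/dev/' removed, as dan describes

# Stands in for the sha512sum of the grep extracted from the Ubuntu deb.
KNOWN_GOOD_SHA512 = hashlib.sha512(CLEAN_GREP).hexdigest()


def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Mimic strings(1): runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def trojan_check(data: bytes, signature: str) -> Tuple[bool, List[str]]:
    """Return (hit, offending_strings).

    Each '|'-separated part of the signature is treated as a plain
    substring (assumption: a simplification of OSSEC's regex alternation).
    """
    parts = signature.split("|")
    hits = [s for s in printable_strings(data) if any(p in s for p in parts)]
    return bool(hits), hits


def matches_known_good(data: bytes, known_good_sha512: str) -> bool:
    """The confirmation step from the thread: compare against the package copy."""
    return hashlib.sha512(data).hexdigest() == known_good_sha512


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_GREP), ("trojaned", TROJANED_GREP)):
        for sig_label, sig in (("old", OLD_SIGNATURE), ("new", NEW_SIGNATURE)):
            hit, strings = trojan_check(blob, sig)
            print(f"{label:8s} {sig_label} signature -> hit={hit} {strings}")
        print(f"{label:8s} matches package hash: "
              f"{matches_known_good(blob, KNOWN_GOOD_SHA512)}")
```

The clean blob hits only the old signature (through "/dev/null"), the trojaned blob hits both, and only the clean blob matches the package hash; on a real host the equivalent of the last check is `dpkg -V grep` or the manual sha512sum comparison described in the first post.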

Leroy Tennison
Jan 29, 2020, 2:08:06 PM
to ossec-list
Thanks for the reply, sounds like I need to upgrade the server to the latest version.