[ossec-list] Re: How to research "Host-based anomaly detection event (rootcheck)."
Opened issue to discuss enhancements with dev team: https://github.com/ossec/ossec-hids/issues/1242

On Tuesday, August 8, 2017 at 10:50:24 AM UTC-4, Clinton Parham wrote:
>
> I also get these alerts periodically. Running 'ps' afterwards doesn't ever
> find anything... rather frustrating.
>
> Is there another way to figure out what app/code is triggering them? Would
> be great if ossec could capture more about the process when it's
> encountered.
>
>   { "rule": { "level": 7, "comment": "Host-based anomaly detection event (rootcheck).", "sidid": 510 },
>     "location": "(i-0747b50906723111c) any->rootcheck",
>     "full_log": "Process '29317' hidden from /proc. Possible kernel level rootkit." }
>
> On Tuesday, March 29, 2016 at 6:16:03 AM UTC-4, Jesus Linares wrote:
>>
>> Hi,
>>
>> That alert is related to a *kernel-level check* (anomaly detection
>> checks, not *rootkit_files.txt* or *rootkit_trojans.txt*). You can see
>> more details in the code: src/rootcheck/check_rc_pids.c, line 256: "Check
>> if the pid is a thread (not showing in /proc".
>>
>> The code inspects all process IDs (PIDs) and uses the getsid, getpgid, and
>> kill system calls to find all running processes. If the PID is being used,
>> but the ps command cannot see it, a kernel-level rootkit or a Trojan
>> version of ps might be running. The outputs of the getsid, getpgid, and
>> kill system calls are also compared, looking for discrepancies.
>>
>> So, your process 13380 is not in /proc. Try to find it using ps -e | grep 892
>>
>> Regards,
>> Jesus Linares.
>>
>> On Thursday, March 24, 2016 at 2:15:00 PM UTC+1, Johnny InfoSec wrote:
>>>
>>> Greetings :-)
>>>
>>> Just got this alert, and was wondering if you could provide some
>>> specific guidance on how to investigate (step 1, 2, etc.).
>>>
>>> New to OSSEC.
>>>
>>> OSSEC HIDS Notification.
>>> 2016 Mar 24 7:49:39
>>>
>>> Received From: log->rootcheck
>>> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
>>> Portion of the log(s):
>>>
>>> Process '13380' hidden from /proc. Possible kernel level rootkit.
>>>
>>> --END OF NOTIFICATION
>>>

-- 
--- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[ossec-list] Re: How to research "Host-based anomaly detection event (rootcheck)."
I also get these alerts periodically. Running 'ps' afterwards doesn't ever find anything... rather frustrating.

Is there another way to figure out what app/code is triggering them? Would be great if ossec could capture more about the process when it's encountered.

  { "rule": { "level": 7, "comment": "Host-based anomaly detection event (rootcheck).", "sidid": 510 },
    "location": "(i-0747b50906723111c) any->rootcheck",
    "full_log": "Process '29317' hidden from /proc. Possible kernel level rootkit." }

On Tuesday, March 29, 2016 at 6:16:03 AM UTC-4, Jesus Linares wrote:
>
> Hi,
>
> That alert is related to a *kernel-level check* (anomaly detection
> checks, not *rootkit_files.txt* or *rootkit_trojans.txt*). You can see
> more details in the code: src/rootcheck/check_rc_pids.c, line 256: "Check
> if the pid is a thread (not showing in /proc".
>
> The code inspects all process IDs (PIDs) and uses the getsid, getpgid, and
> kill system calls to find all running processes. If the PID is being used,
> but the ps command cannot see it, a kernel-level rootkit or a Trojan
> version of ps might be running. The outputs of the getsid, getpgid, and
> kill system calls are also compared, looking for discrepancies.
>
> So, your process 13380 is not in /proc. Try to find it using ps -e | grep 892
>
> Regards,
> Jesus Linares.
>
> On Thursday, March 24, 2016 at 2:15:00 PM UTC+1, Johnny InfoSec wrote:
>>
>> Greetings :-)
>>
>> Just got this alert, and was wondering if you could provide some specific
>> guidance on how to investigate (step 1, 2, etc.).
>>
>> New to OSSEC.
>>
>> OSSEC HIDS Notification.
>> 2016 Mar 24 7:49:39
>>
>> Received From: log->rootcheck
>> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
>> Portion of the log(s):
>>
>> Process '13380' hidden from /proc. Possible kernel level rootkit.
>>
>> --END OF NOTIFICATION
>>
[ossec-list] Re: How to research "Host-based anomaly detection event (rootcheck)."
Hi,

That alert is related to a *kernel-level check* (anomaly detection checks, not *rootkit_files.txt* or *rootkit_trojans.txt*). You can see more details in the code: src/rootcheck/check_rc_pids.c, line 256: "Check if the pid is a thread (not showing in /proc".

The code inspects all process IDs (PIDs) and uses the getsid, getpgid, and kill system calls to find all running processes. If the PID is being used, but the ps command cannot see it, a kernel-level rootkit or a Trojan version of ps might be running. The outputs of the getsid, getpgid, and kill system calls are also compared, looking for discrepancies.

So, your process 13380 is not in /proc. Try to find it using ps -e | grep 892

Regards,
Jesus Linares.

On Thursday, March 24, 2016 at 2:15:00 PM UTC+1, Johnny InfoSec wrote:
>
> Greetings :-)
>
> Just got this alert, and was wondering if you could provide some specific
> guidance on how to investigate (step 1, 2, etc.).
>
> New to OSSEC.
>
> OSSEC HIDS Notification.
> 2016 Mar 24 7:49:39
>
> Received From: log->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
> Portion of the log(s):
>
> Process '13380' hidden from /proc. Possible kernel level rootkit.
>
> --END OF NOTIFICATION
>
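The probe Jesus describes (ask the kernel about every PID slot through kill/getsid/getpgid, then see whether /proc agrees), as an added example that is not part of this thread and not OSSEC's code. It is a self-contained C program written for this page; the enum names, helper functions and the Tgid-based thread test are this example's own design. It assumes Linux /proc semantics: readdir() on /proc lists only thread-group leaders, while /proc/<tid>/status can still be opened by name and carries a "Tgid:" line, which is how it separates the thread false positive mentioned in the check_rc_pids.c comment from a PID that really has no /proc entry.

```c
/* hidden_pid_scan.c: the kill()/getsid()/getpgid() versus /proc comparison described
 * above, written for this thread as an illustration; not OSSEC code. Linux only. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <pthread.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

enum pid_state { PID_ABSENT, PID_VISIBLE, PID_THREAD, PID_HIDDEN };

/* Bitmask of which syscalls say the pid exists (1=kill, 2=getsid, 4=getpgid). Only ESRCH
 * means "no such process"; EPERM from kill() still proves the process is there. */
static int syscalls_see_pid(pid_t pid)
{
    int seen = 0;
    if (kill(pid, 0) == 0 || errno != ESRCH) seen |= 1;
    if (getsid(pid) != -1 || errno != ESRCH) seen |= 2;
    if (getpgid(pid) != -1 || errno != ESRCH) seen |= 4;
    return seen;   /* anything other than 0 or 7 is the inter-syscall discrepancy */
}

/* Is the pid listed by readdir() on /proc? Thread ids are not, although /proc/<tid> opens by name. */
static int listed_in_proc(pid_t pid)
{
    char name[32]; struct dirent *e; int found = 0;
    DIR *d = opendir("/proc");
    if (!d) return -1;
    snprintf(name, sizeof name, "%d", (int)pid);
    while (!found && (e = readdir(d)) != NULL)
        found = strcmp(e->d_name, name) == 0;
    closedir(d);
    return found;
}

/* Tgid field of /proc/<pid>/status, or -1 if the entry cannot be opened. */
static pid_t proc_tgid(pid_t pid)
{
    char path[64], line[128]; int tgid = -1;
    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    FILE *f = fopen(path, "r"); if (!f) return -1;
    while (fgets(line, sizeof line, f) && sscanf(line, "Tgid: %d", &tgid) != 1) ;
    fclose(f);
    return (pid_t)tgid;
}

/* Per-pid decision: "seen by syscalls but not in /proc" is hidden only after threads and
 * processes that exited between the two probes are excluded. */
enum pid_state classify_pid(pid_t pid)
{
    if (!syscalls_see_pid(pid)) return PID_ABSENT;
    if (listed_in_proc(pid) == 1) return PID_VISIBLE;
    pid_t tgid = proc_tgid(pid);
    if (tgid == -1)                 /* no /proc entry at all: re-probe before judging */
        return syscalls_see_pid(pid) ? PID_HIDDEN : PID_ABSENT;
    return tgid != pid ? PID_THREAD : PID_HIDDEN;   /* openable but unlisted: filtered readdir */
}

/* Walk 1..pid_max as rootcheck does; counts[] is indexed by pid_state. Returns the
 * number of hidden pids, printing each in the rule 510 wording. */
int scan_pids(int counts[4])
{
    int pid_max = 32768; FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) { if (fscanf(f, "%d", &pid_max) != 1) pid_max = 32768; fclose(f); }
    memset(counts, 0, 4 * sizeof counts[0]);
    for (int p = 1; p <= pid_max; p++) {
        enum pid_state s = classify_pid((pid_t)p);
        counts[s]++;
        if (s == PID_HIDDEN)
            printf("Process '%d' hidden from /proc. Possible kernel level rootkit.\n", p);
    }
    return counts[PID_HIDDEN];
}

/* The benign case: a parked thread answers kill() like a process but is not listed in /proc. */
static volatile pid_t parked_tid; static volatile int unpark;
static void *park(void *arg) { (void)arg; parked_tid = (pid_t)syscall(SYS_gettid); while (!unpark) usleep(1000); return NULL; }
enum pid_state classify_a_thread(void)
{
    pthread_t t; parked_tid = 0; unpark = 0;
    if (pthread_create(&t, NULL, park, NULL) != 0) return PID_ABSENT;
    while (parked_tid == 0) usleep(1000);
    enum pid_state s = classify_pid(parked_tid);   /* must be PID_THREAD, not PID_HIDDEN */
    unpark = 1;
    pthread_join(t, NULL);
    return s;
}

int main(void)
{
    int counts[4];
    printf("self -> %d (1 = visible), thread -> %d (2 = thread)\n", classify_pid(getpid()), classify_a_thread());
    int hidden = scan_pids(counts);
    printf("scan: %d visible, %d threads, %d hidden\n", counts[1], counts[2], counts[3]);
    return hidden ? 1 : 0;
}
```

Run it as root on the host where rule 510 fired. As an unprivileged user on a /proc mounted with hidepid, or from a different PID namespace than the suspect process, the syscall probes and the /proc view disagree for benign reasons and the scan will report "hidden" PIDs that are nothing of the sort. The full walk costs three syscalls per PID slot, so on systems where pid_max has been raised to 4194304 expect it to take a few seconds. When a PID does come back as PID_HIDDEN, re-run immediately (a short-lived process can vanish between the probe and the /proc lookup) and check by hand whether /proc/<pid>/status can be opened at all: a PID that kill() accepts but that is absent from both the /proc listing and direct lookup is the case the alert is meant for.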