On Mon, 2009-10-26 at 17:08 -0700, Victor wrote:
> Hi all,
> I'm trying out OSSEC for the first time and was pleasantly surprised
> by how easy it is to use and set up. However, I've come across a
> problem I'm not sure how to address - I run linux-vserver, and because
> of this, OSSEC sends a lot of these alerts:
>
> Received From: (lab07.lab) 192.168.2.107->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event
> (rootcheck)."
> Portion of the log(s):
>
> Port '33916'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
>
> I found a previous post, and the answer back then was just to disable
> rootkit detection:
> http://www.mail-archive.com/[email protected]/msg00011.html
>
> Is this still the only way to get around this netstat error in OSSEC?
>
> Thanks,
> Victor
Hello, Victor. If I recall correctly, that error is simply a
consequence of the way VServer guests work (although I'm quite rusty on
the details). We disabled it with a rule which reads:
<!-- We will need a rule in /usr/local/ossec/rules/local_rules.xml to
     disregard netstat hidden-port alerts on vserver guests, as follows.
     Each additional vserver guest is added to the hostname list
     (OSSEC's syntax for alternatives is name1|name2|name3 in one tag). -->
<rule id="100005" level="0">
  <if_sid>510</if_sid>
  <hostname>name1|name2|name3</hostname>
  <regex>tcp.*hidden.*netstat</regex>
  <description>Stop netstat rootkit alerts on vserver guests</description>
</rule>
In our case, we decided to do all OSSEC monitoring from the VServer
host. The only service we wanted to activate was rootkit, which I
believe also comes in a standalone version. Unfortunately, in our
version of the kernel (needed to deal with a critical iSCSI bug),
rootkit causes kernel panics, so we are not using it. Hope this helps -
John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
[email protected]
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
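An added example, not from this thread or from the OSSEC project: a small audit of a local_rules.xml that flags level-0 override rules (like the one above for rule 510) that are scoped too broadly, since an override with no hostname/regex/match restriction silences every rootcheck anomaly on every agent. The sample rules file and rule id 100006 are constructed for the demonstration.

```python
# Audit an OSSEC local_rules.xml for level-0 overrides that silence a parent
# rule (e.g. rootcheck rule 510) more widely than intended.
import xml.etree.ElementTree as ET

# Constructed sample: the thread's narrowly scoped rule plus a deliberately
# over-broad variant (hypothetical id 100006) for contrast.
SAMPLE_LOCAL_RULES = """
<group name="local,syslog,">
  <rule id="100005" level="0">
    <if_sid>510</if_sid>
    <hostname>name1|name2|name3</hostname>
    <regex>tcp.*hidden.*netstat</regex>
    <description>Stop netstat rootkit alerts on vserver guests</description>
  </rule>
  <rule id="100006" level="0">
    <if_sid>510</if_sid>
    <description>Silence all rootcheck events (too broad)</description>
  </rule>
</group>
"""

# Tags that narrow what a child rule matches; a level-0 override with none
# of them swallows every event of the parent rule on every agent.
SCOPE_TAGS = ("hostname", "regex", "match", "srcip", "user", "id", "url")


def audit_overrides(xml_text):
    """Return {rule_id: [findings]} for every level-0 rule in the file."""
    findings = {}
    # Wrap in a synthetic root: a real local_rules.xml may hold several
    # top-level <group> elements, which is not well-formed XML on its own.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    for rule in root.iter("rule"):
        if rule.get("level") != "0":
            continue
        rid = rule.get("id")
        problems = []
        if not rid or int(rid) < 100000:
            problems.append("id outside the 100000+ local range")
        if rule.find("if_sid") is None:
            problems.append("no if_sid: does not override a parent rule")
        if not any(rule.find(t) is not None for t in SCOPE_TAGS):
            problems.append("no scoping tag; silences the parent rule everywhere")
        for tag in ("hostname", "match", "regex"):
            if len(rule.findall(tag)) > 1:
                problems.append(f"several <{tag}> tags; write a|b|c in one tag")
        findings[rid] = problems
    return findings


if __name__ == "__main__":
    for rid, problems in audit_overrides(SAMPLE_LOCAL_RULES).items():
        print(rid, "OK" if not problems else "; ".join(problems))
```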