On Oct 27, 11:28 am, "John A. Sullivan III" <[email protected]> wrote:
> On Mon, 2009-10-26 at 17:08 -0700, Victor wrote:
> > Hi all,
> > I'm trying out OSSEC for the first time and was pleasantly surprised
> > by how easy it is to use and set up. However, I've come across a
> > problem I'm not sure how to address - I run linux-vserver, and because
> > of this, OSSEC sends a lot of these alerts:
> >
> > Received From: (lab07.lab) 192.168.2.107->rootcheck
> > Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
> > Portion of the log(s):
> >
> > Port '33916'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
> >
> > I found a previous post, and the answer back then was just to disable
> > rootkit detection:
> > http://www.mail-archive.com/[email protected]/msg00011.html
> >
> > Is this still the only way to get around this netstat error in OSSEC?
> >
> > Thanks,
> > Victor
>
> Hello, Victor. If I recall correctly, that error is simply a
> consequence of the way VServer guests work (although I'm quite rusty on
> the details). We disabled it with a rule which reads:
>
> <!-- We will need a rule in /usr/local/ossec/rules/local_rules.xml to disregard
> netstat hidden port alerts on vserver guests as follows. Subsequent
> vserver guests will each need a hostname entry: -->
> <rule id="100005" level="0">
>   <if_sid>510</if_sid>
>   <hostname>name1</hostname>
>   <hostname>name2</hostname>
>   <hostname>name3</hostname>
>   <regex>tcp.*hidden.*netstat</regex>
>   <description>Stop netstat rootkit alerts on vserver guests</description>
> </rule>
>
> In our case, we decided to do all OSSEC monitoring from the VServer
> host. The only service we wanted to activate was rootkit which I
> believe also comes in a standalone version. Unfortunately, in our
> version of the kernel (needed to deal with a critical iSCSI bug),
> rootkit causes kernel panics so we are not using it. Hope this helps -
> John
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> [email protected]
> http://www.spiritualoutreach.com
> Making Christianity intelligible to secular society
John,

Thanks for this. I left off the <hostname> tag hoping that it would match the regex from all hosts, but I still received these types of alerts. I added one hostname to see if that'll help. I'm not sure I understand why this tag is required, though. Can someone explain how these local rules work?

Thanks,
Victor
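To make concrete how the local rule quoted in the thread is applied (the if_sid link to parent rule 510, the repeated hostname entries being OR'd, the regex tested against the log portion, and level 0 meaning the alert is dropped), here is an added Python model; it is not OSSEC code and not either poster's, and it assumes a simplified shape for stock rule 510 and approximates OSSEC's own regex dialect and hostname matching with Python's re and substring tests. The names Rule, rule_matches and evaluate are hypothetical, and the sample event is constructed from the alert shown above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed, simplified model of OSSEC rule evaluation (assumption: OSSEC's
# regex dialect and hostname matching are approximated with re/substring tests).
@dataclass
class Rule:
    id: int
    level: int
    decoded_as: Optional[str] = None   # decoder the event must come from
    if_sid: Optional[int] = None       # parent rule that must already have matched
    hostnames: List[str] = field(default_factory=list)  # repeated <hostname> tags are OR'd
    regex: Optional[str] = None        # <regex> tested against the log portion

# Assumed shape of the generic rootcheck rule 510, and the suppression rule
# quoted in the thread as a level-0 child of it.
RULE_510 = Rule(id=510, level=7, decoded_as="rootcheck")
LOCAL_100005 = Rule(id=100005, level=0, if_sid=510,
                    hostnames=["name1", "name2", "name3"],
                    regex=r"tcp.*hidden.*netstat")
RULES = [RULE_510, LOCAL_100005]       # parents before children, as in the rule tree

# Constructed sample event mirroring the alert in the thread.
SAMPLE_LOG = ("Port '33916'(tcp) hidden. Kernel-level rootkit or trojaned "
              "version of netstat.")

def rule_matches(rule: Rule, hostname: str, log: str, decoder: str,
                 parent: Optional[int]) -> bool:
    """Every field present in the rule must match; absent fields do not constrain."""
    if rule.decoded_as and rule.decoded_as != decoder:
        return False
    if rule.if_sid is not None and rule.if_sid != parent:
        return False
    if rule.hostnames and not any(h in hostname for h in rule.hostnames):
        return False
    if rule.regex and not re.search(rule.regex, log):
        return False
    return True

def evaluate(hostname: str, log: str, decoder: str = "rootcheck") -> Tuple[Optional[int], int]:
    """Walk parent then children; the deepest matching rule wins. Level 0 means no alert."""
    matched_id: Optional[int] = None
    level = 0
    for rule in RULES:
        if rule_matches(rule, hostname, log, decoder, matched_id):
            matched_id, level = rule.id, rule.level
    return matched_id, level

if __name__ == "__main__":
    print(evaluate("name1", SAMPLE_LOG))      # (100005, 0): suppressed on a listed guest
    print(evaluate("lab07.lab", SAMPLE_LOG))  # (510, 7): host not listed, alert stays
```

Without a matching hostname entry the child rule never fires, so the level-7 alert from rule 510 is what gets reported.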
