Ok, that makes sense. I was still getting the alerts with John's rule,
but your suggestion seems promising.

Did you mean to leave out the regex in your example rule?  Is it
because sid 510 is always the tcp..hidden..netstat rule and the regex
is redundant and unnecessary?  Also, your suggested regex didn't allow
OSSEC to start, but I think you probably meant to include a period:

<regex>tcp\.+hidden\.+netstat</regex>

Thanks!
Victor

On Nov 6, 10:18 am, Daniel Cid <[email protected]> wrote:
> Hi Victor,
>
> That rule worked for John by luck :) Maybe because rootcheck only alerts
> once (per port per host) on
> that issue, but it is probably still happening if they look at the
> rootcheck-control tool.
>
> First, to match on multiple hostnames you need to use a pipe "|" to
> separate them:
>
> <hostname>name1|name2|name3</hostname>
>
> The OSSEC regex also expects a backslash before them, like:
>
> <regex>tcp\+hidden\+netstat</regex>
>
> I would change the rule to:
>
> <rule id="100005" level="0">
>     <if_sid>510</if_sid>
>     <hostname>name1|name2|name3</hostname>
>     <match>trojaned version of netstat</match>
>     <description>Stop netstat rootkit alerts on vserver guests</description>
> </rule>
>
> *but you can remove the <hostname> tag if you want for all your systems.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
>
> On Thu, Nov 5, 2009 at 6:18 PM, Victor <[email protected]> wrote:
>
> > On Oct 27, 11:28 am, "John A. Sullivan III"
> > <[email protected]> wrote:
> >> On Mon, 2009-10-26 at 17:08 -0700, Victor wrote:
> >> > Hi all,
> >> > I'm trying out OSSEC for the first time and was pleasantly surprised
> >> > by how easy it is to use and set up.  However, I've come across a
> >> > problem I'm not sure how to address - I run linux-vserver, and because
> >> > of this, OSSEC sends a lot of these alerts:
>
> >> > Received From: (lab07.lab) 192.168.2.107->rootcheck
> >> > Rule: 510 fired (level 7) -> "Host-based anomaly detection event
> >> > (rootcheck)."
> >> > Portion of the log(s):
>
> >> > Port '33916'(tcp) hidden. Kernel-level rootkit or trojaned version of
> >> > netstat.
>
> >> > I found a previous post, and the answer back then was just to disable
> >> > rootkit detection:
> >> > http://www.mail-archive.com/[email protected]/msg00011.html
>
> >> > Is this still the only way to get around this netstat error in OSSEC?
>
> >> > Thanks,
> >> > Victor
>
> >> Hello, Victor.  If I recall correctly, that error is simply a
> >> consequence of the way VServer guests work (although I'm quite rusty on
> >> the details).  We disabled it with a rule which reads:
>
> >>   <!-- We will need a rule in /usr/local/ossec/rules/local_rules.xml to
> >>   disregard netstat hidden port alerts on vserver guests as follows.
> >>   Subsequent vserver guests will each need a hostname entry: -->
> >>     <rule id="100005" level="0">
> >>      <if_sid>510</if_sid>
> >>      <hostname>name1</hostname>
> >>      <hostname>name2</hostname>
> >>      <hostname>name3</hostname>
> >>      <regex>tcp.*hidden.*netstat</regex>
> >>      <description>Stop netstat rootkit alerts
> >>      on vserver guests</description>
> >>     </rule>
>
> >> In our case, we decided to do all OSSEC monitoring from the VServer
> >> host.  The only service we wanted to activate was rootkit which I
> >> believe also comes in a standalone version.  Unfortunately, in our
> >> version of the kernel (needed to deal with a critical iSCSI bug),
> >> rootkit causes kernel panics so we are not using it.  Hope this helps -
> >> John
> >> --
> >> John A. Sullivan III
> >> Open Source Development Corporation
> >> +1 207-985-7880
> >> [email protected]
>
> >> http://www.spiritualoutreach.com
> >> Making Christianity intelligible to secular society
>
> > John,
> > Thanks for this.  I left off the <hostname> tag hoping that it would
> > match the regex from all hosts, but I still received these types of
> > alerts.  I added one hostname to see if that'll help.
>
> > I'm not sure I understand why this tag is required, though.  Can
> > someone explain how these local rules work?
>
> > Thanks,
> > Victor

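The point Daniel and Victor are making above (a bare "." is a literal dot in OSSEC's regex dialect, only "\." means any character, and several hostnames go in one pipe-separated tag) can be checked offline with a small model of how a local rule is matched against the rootcheck event quoted earlier in the thread. This is an added example, not code from OSSEC or from anyone in this thread; its treatment of unknown escapes such as "\+" as fatal is an assumption modelled on Victor's report that such a regex kept OSSEC from starting, and it reads only the first <hostname> element.

```python
import re
import xml.etree.ElementTree as ET

# OSSEC <regex> escapes and their Python re equivalents (OSSEC regex syntax docs).
# In OSSEC a bare '.' is a literal dot; only '\.' means "any character".
OSSEC_ESCAPES = {
    r"\.": ".", r"\w": "[A-Za-z0-9]", r"\d": r"\d", r"\s": " ", r"\t": r"\t",
    r"\p": r"[()*+,\-.:;<=>?\[\]]", r"\W": "[^A-Za-z0-9]", r"\D": r"\D", r"\S": "[^ ]",
}

def ossec_regex_to_python(pattern: str) -> str:
    """Translate an OSSEC <regex> pattern to Python re syntax. Unknown escapes
    such as '\\+' are rejected (assumption, modelled on Victor's report that
    such a regex stopped OSSEC from starting)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\":
            token = pattern[i:i + 2]
            if token not in OSSEC_ESCAPES:
                raise ValueError(f"invalid OSSEC regex escape: {token}")
            out.append(OSSEC_ESCAPES[token])
            i += 2
        else:
            out.append(pattern[i] if pattern[i] in "+*|^$()" else re.escape(pattern[i]))
            i += 1
    return "".join(out)

def ossec_sregex_to_python(pattern: str) -> str:
    """<match> and <hostname> use OSSEC 'sregex': literal text, '|' for OR,
    '^' and '$' as anchors; nothing else is special."""
    return "|".join(re.escape(p).replace(r"\^", "^").replace(r"\$", "$")
                    for p in pattern.split("|"))

def rule_matches(rule_xml: str, hostname: str, log: str) -> bool:
    """True when every condition present in the <rule> matches the event.
    Only the first <hostname> element is read, since OSSEC expects one
    pipe-separated list (as Daniel notes); <if_sid> is not modelled."""
    rule = ET.fromstring(rule_xml)
    for tag, subject, translate in (("hostname", hostname, ossec_sregex_to_python),
                                    ("match", log, ossec_sregex_to_python),
                                    ("regex", log, ossec_regex_to_python)):
        value = rule.findtext(tag)
        if value and not re.search(translate(value), subject):
            return False
    return True

# Constructed sample event, taken from the rootcheck alert quoted in this thread.
EVENT_HOST = "lab07.lab"
EVENT_LOG = "Port '33916'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat."
```

Run against the sample event, Daniel's <match> rule and Victor's corrected regex both match, while John's `tcp.*hidden.*netstat` does not, because its dots are literal in OSSEC.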