On 03/03/2011 06:29 PM, carlopmart wrote:
Hi all,
Recently my OSSEC server fired some strange alarms like this:
** Alert 1299172717.237104: mail - ossec,rootcheck,
2011 Mar 03 18:18:37 (rhelclunode02) 172.25.50.15->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
Anomaly detected in file '/dev/shm/request_buffer-dAihk0'. Hidden from
stats, but showing up on readdir. Possible kernel level rootkit.
** Alert 1299172717.237456: mail - ossec,rootcheck,
2011 Mar 03 18:18:37 (rhelclunode02) 172.25.50.15->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
Anomaly detected in file '/dev/shm/control_buffer-ru8tPJ'. Hidden from
stats, but showing up on readdir. Possible kernel level rootkit.
rhelclunode02 is a RHEL6 host with corosync, cman, gfs2-tools and
rgmanager utils (RedHat Cluster suite).
Using lsof, the output is:
[root@rhelclunode02 shm]# lsof |grep control_buffer
corosync 1138 root DEL REG 0,15 10428 /dev/shm/control_buffer-9fxbY1
corosync 1138 root DEL REG 0,15 9218 /dev/shm/control_buffer-1mXd0R
corosync 1138 root DEL REG 0,15 9113 /dev/shm/control_buffer-mTF2Ce
corosync 1138 root DEL REG 0,15 9001 /dev/shm/control_buffer-OVi71x
corosync 1138 root DEL REG 0,15 8809 /dev/shm/control_buffer-o1dQ5O
corosync 1138 root DEL REG 0,15 8735 /dev/shm/control_buffer-vBpxIn
corosync 1138 root DEL REG 0,15 8741 /dev/shm/control_buffer-W1rVPz
fenced 1199 root DEL REG 0,15 9113 /dev/shm/control_buffer-mTF2Ce
fenced 1199 root DEL REG 0,15 8809 /dev/shm/control_buffer-o1dQ5O
dlm_contr 1216 root DEL REG 0,15 10428 /dev/shm/control_buffer-9fxbY1
dlm_contr 1216 root DEL REG 0,15 9218 /dev/shm/control_buffer-1mXd0R
dlm_contr 1216 root DEL REG 0,15 8741 /dev/shm/control_buffer-W1rVPz
dlm_contr 1216 root DEL REG 0,15 8735 /dev/shm/control_buffer-vBpxIn
gfs_contr 1270 root DEL REG 0,15 9001 /dev/shm/control_buffer-OVi71x
[root@rhelclunode02 shm]# lsof |grep control_buffer-ru8tPJ
[root@rhelclunode02 shm]# lsof |grep request_buffer-
corosync 1138 root DEL REG 0,15 10429 /dev/shm/request_buffer-zSLv1E
corosync 1138 root DEL REG 0,15 9219 /dev/shm/request_buffer-k633xg
corosync 1138 root DEL REG 0,15 9114 /dev/shm/request_buffer-KjbfSx
corosync 1138 root DEL REG 0,15 9002 /dev/shm/request_buffer-Gmeo3Q
corosync 1138 root DEL REG 0,15 8810 /dev/shm/request_buffer-AieBL7
corosync 1138 root DEL REG 0,15 8736 /dev/shm/request_buffer-JI55eG
corosync 1138 root DEL REG 0,15 8742 /dev/shm/request_buffer-DjNinS
fenced 1199 root DEL REG 0,15 9114 /dev/shm/request_buffer-KjbfSx
fenced 1199 root DEL REG 0,15 8810 /dev/shm/request_buffer-AieBL7
dlm_contr 1216 root DEL REG 0,15 10429 /dev/shm/request_buffer-zSLv1E
dlm_contr 1216 root DEL REG 0,15 9219 /dev/shm/request_buffer-k633xg
dlm_contr 1216 root DEL REG 0,15 8742 /dev/shm/request_buffer-DjNinS
dlm_contr 1216 root DEL REG 0,15 8736 /dev/shm/request_buffer-JI55eG
gfs_contr 1270 root DEL REG 0,15 9002 /dev/shm/request_buffer-Gmeo3Q
Maybe it is a false positive? Can I configure more verbose options for
this alarm?
Thanks.
Please, any input?
--
CL Martinez
carlopmart {at} gmail {d0t} com
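Added example, not part of the original post and not OSSEC's own code. The alert text says the name came back from readdir() but stat() could not find it; one benign way to produce exactly that is a file unlinked between the two calls, and the lsof output above (every matching entry marked DEL, i.e. unlinked but still mapped by corosync, fenced, dlm_controld and gfs_controld) is consistent with short-lived shm buffers being created and removed while the scan runs. The script below reproduces that race deterministically with a simplified rootcheck-style probe, adds the re-check a triager would do (is the name also gone from readdir now?), and parses /proc/PID/maps for "(deleted)" mappings, which is the same information lsof shows in its DEL column. The maps text is constructed sample data reusing the inode numbers 10428 and 10429 from the post; the function and file names are the example's own.

```python
import os
import re
import tempfile

# Naming pattern of the shm buffers seen in the post's lsof output.
SHM_PATTERN = re.compile(r"^(request|control)_buffer-[A-Za-z0-9]+$")

# Constructed sample of /proc/<pid>/maps content (device 00:0f == lsof's "0,15";
# inode numbers taken from the lsof output in the post, addresses invented).
SAMPLE_MAPS = "\n".join([
    "7f3a1c000000-7f3a1c200000 rw-s 00000000 00:0f 10428 /dev/shm/control_buffer-9fxbY1 (deleted)",
    "7f3a1c200000-7f3a1c400000 rw-s 00000000 00:0f 10429 /dev/shm/request_buffer-zSLv1E (deleted)",
    "7f3a1d000000-7f3a1d021000 r-xp 00000000 fd:00 131 /lib64/libc-2.12.so",
    "7f3a1e000000-7f3a1e021000 rw-p 00000000 00:00 0",
])


def readdir_vs_stat(path, stat_fn=os.stat):
    """Simplified rootcheck-style probe: stat() every name returned by readdir().
    A name readdir lists but stat cannot find is what the alert calls
    'Hidden from stats, but showing up on readdir'."""
    anomalies = []
    for name in os.listdir(path):
        try:
            stat_fn(os.path.join(path, name))
        except FileNotFoundError:
            anomalies.append(name)
    return anomalies


def classify(path, anomalies):
    """Second pass over the flagged names. A name that has also disappeared from
    readdir() was a short-lived file removed between the two syscalls (a race,
    not concealment). A name readdir still shows but stat still rejects is the
    case that actually warrants a rootkit investigation."""
    listed_now = set(os.listdir(path))
    verdicts = {}
    for name in anomalies:
        if name not in listed_now:
            verdicts[name] = "transient"
            continue
        try:
            os.stat(os.path.join(path, name))
            verdicts[name] = "recheck-ok"   # visible to stat on the second try
        except FileNotFoundError:
            verdicts[name] = "suspicious"   # still listed, still unstat-able
    return verdicts


def deleted_mappings(maps_text):
    """Return the backing paths of mappings whose file has been unlinked, parsed
    from /proc/<pid>/maps text. The kernel appends ' (deleted)' to such paths;
    this is the same condition lsof reports as DEL."""
    paths = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)   # address perms offset dev inode pathname
        if len(fields) == 6 and fields[5].endswith(" (deleted)"):
            paths.append(fields[5][: -len(" (deleted)")])
    return paths


def demo_transient_false_positive():
    """Reproduce the race deterministically: the file exists when readdir() runs
    and is unlinked just before stat() reaches it (hypothetical name, created in
    a temporary directory standing in for /dev/shm)."""
    with tempfile.TemporaryDirectory() as shm:
        target = os.path.join(shm, "request_buffer-demo0")
        open(target, "w").close()

        def unlink_then_stat(p):
            if p == target:
                os.unlink(p)   # the owning process removes its buffer mid-scan
            return os.stat(p)

        anomalies = readdir_vs_stat(shm, stat_fn=unlink_then_stat)
        verdicts = classify(shm, anomalies)
    return anomalies, verdicts


if __name__ == "__main__":
    print(demo_transient_false_positive())
    for p in deleted_mappings(SAMPLE_MAPS):
        print(p, "matches shm buffer pattern:", bool(SHM_PATTERN.match(os.path.basename(p))))
```

On a live host the equivalent triage is to read /proc/<pid>/maps for the PIDs lsof names and confirm that every flagged path is a deleted mapping owned by a known cluster daemon; a name that stays in readdir while stat keeps failing, with no process holding it, is the pattern that should not be dismissed.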