been looking through the signatures but can't directly find which one
triggered this.  I might look into this further tonight.


On Fri, Mar 4, 2011 at 1:47 PM, carlopmart <[email protected]> wrote:
> On 03/03/2011 06:29 PM, carlopmart wrote:
>>
>> Hi all,
>>
>> Recently my OSSEC server fired some strange alarms like this:
>>
>> ** Alert 1299172717.237104: mail - ossec,rootcheck,
>> 2011 Mar 03 18:18:37 (rhelclunode02) 172.25.50.15->rootcheck
>> Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
>> Src IP: (none)
>> User: (none)
>> Anomaly detected in file '/dev/shm/request_buffer-dAihk0'. Hidden from
>> stats, but showing up on readdir. Possible kernel level rootkit.
>>
>> ** Alert 1299172717.237456: mail - ossec,rootcheck,
>> 2011 Mar 03 18:18:37 (rhelclunode02) 172.25.50.15->rootcheck
>> Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
>> Src IP: (none)
>> User: (none)
>> Anomaly detected in file '/dev/shm/control_buffer-ru8tPJ'. Hidden from
>> stats, but showing up on readdir. Possible kernel level rootkit.
>>
>> rhelclunode02 is a RHEL6 host with corosync, cman, gfs2-tools and
>> rgmanager utils (RedHat Cluster suite).
>>
>> Using lsof, the output is:
>>
>> [root@rhelclunode02 shm]# lsof |grep control_buffer
>> corosync 1138 root DEL REG 0,15 10428 /dev/shm/control_buffer-9fxbY1
>> corosync 1138 root DEL REG 0,15 9218 /dev/shm/control_buffer-1mXd0R
>> corosync 1138 root DEL REG 0,15 9113 /dev/shm/control_buffer-mTF2Ce
>> corosync 1138 root DEL REG 0,15 9001 /dev/shm/control_buffer-OVi71x
>> corosync 1138 root DEL REG 0,15 8809 /dev/shm/control_buffer-o1dQ5O
>> corosync 1138 root DEL REG 0,15 8735 /dev/shm/control_buffer-vBpxIn
>> corosync 1138 root DEL REG 0,15 8741 /dev/shm/control_buffer-W1rVPz
>> fenced 1199 root DEL REG 0,15 9113 /dev/shm/control_buffer-mTF2Ce
>> fenced 1199 root DEL REG 0,15 8809 /dev/shm/control_buffer-o1dQ5O
>> dlm_contr 1216 root DEL REG 0,15 10428 /dev/shm/control_buffer-9fxbY1
>> dlm_contr 1216 root DEL REG 0,15 9218 /dev/shm/control_buffer-1mXd0R
>> dlm_contr 1216 root DEL REG 0,15 8741 /dev/shm/control_buffer-W1rVPz
>> dlm_contr 1216 root DEL REG 0,15 8735 /dev/shm/control_buffer-vBpxIn
>> gfs_contr 1270 root DEL REG 0,15 9001 /dev/shm/control_buffer-OVi71x
>> [root@rhelclunode02 shm]# lsof |grep control_buffer-ru8tPJ
>> [root@rhelclunode02 shm]# lsof |grep request_buffer-
>> corosync 1138 root DEL REG 0,15 10429 /dev/shm/request_buffer-zSLv1E
>> corosync 1138 root DEL REG 0,15 9219 /dev/shm/request_buffer-k633xg
>> corosync 1138 root DEL REG 0,15 9114 /dev/shm/request_buffer-KjbfSx
>> corosync 1138 root DEL REG 0,15 9002 /dev/shm/request_buffer-Gmeo3Q
>> corosync 1138 root DEL REG 0,15 8810 /dev/shm/request_buffer-AieBL7
>> corosync 1138 root DEL REG 0,15 8736 /dev/shm/request_buffer-JI55eG
>> corosync 1138 root DEL REG 0,15 8742 /dev/shm/request_buffer-DjNinS
>> fenced 1199 root DEL REG 0,15 9114 /dev/shm/request_buffer-KjbfSx
>> fenced 1199 root DEL REG 0,15 8810 /dev/shm/request_buffer-AieBL7
>> dlm_contr 1216 root DEL REG 0,15 10429 /dev/shm/request_buffer-zSLv1E
>> dlm_contr 1216 root DEL REG 0,15 9219 /dev/shm/request_buffer-k633xg
>> dlm_contr 1216 root DEL REG 0,15 8742 /dev/shm/request_buffer-DjNinS
>> dlm_contr 1216 root DEL REG 0,15 8736 /dev/shm/request_buffer-JI55eG
>> gfs_contr 1270 root DEL REG 0,15 9002 /dev/shm/request_buffer-Gmeo3Q
>>
>> Maybe it is a false positive? Can I configure more verbose options for
>> this alarm?
>>
>> Thanks.
>
> Please, any input??
>
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
>



-- 
Wim Remes
Security Afficionado

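Added example, not code from the thread or from OSSEC itself: a Python sketch of the readdir-versus-stat heuristic behind rule 510, plus a triage step that tells a transient /dev/shm buffer (unlinked by its owner between the two calls) apart from an entry that stays hidden across a rescan. The /proc/<pid>/maps lines are constructed, with the inode numbers borrowed from the lsof output above.

```python
import os
import re

# Constructed /proc/<pid>/maps sample; the kernel appends " (deleted)" to a mapping
# whose backing file was unlinked, which lsof reports as type DEL. Inodes borrowed
# from the lsof output in the thread.
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c100000 rw-s 00000000 00:0f 10428 /dev/shm/control_buffer-9fxbY1 (deleted)
7f3a1c100000-7f3a1c200000 rw-s 00000000 00:0f 10429 /dev/shm/request_buffer-zSLv1E (deleted)
7f3a1c200000-7f3a1c221000 r-xp 00000000 fd:00 131 /lib64/libc.so.6
"""
MAPS_RE = re.compile(r"^\S+ \S+ \S+ \S+ (\d+)\s+(/\S+)( \(deleted\))?$")


def readdir_vs_stat(names, stat_ok):
    """The rootcheck heuristic: names readdir() returned that stat() cannot find."""
    return sorted(n for n in names if not stat_ok(n))


def scan_directory(path):
    """Apply the heuristic to a live directory such as /dev/shm."""
    def stat_ok(name):
        try:
            os.lstat(os.path.join(path, name))
            return True
        except FileNotFoundError:
            return False
    return readdir_vs_stat(os.listdir(path), stat_ok)


def deleted_mappings(maps_text, prefix="/dev/shm/"):
    """basename -> inode for files under prefix that are unlinked but still mapped."""
    found = {}
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if m and m.group(3) and m.group(2).startswith(prefix):
            found[os.path.basename(m.group(2))] = int(m.group(1))
    return found


def classify(hidden, rescan_names, mapped):
    """Triage flagged names: a benign temp-buffer lifecycle vs. something that stays hidden."""
    rescan, verdict = set(rescan_names), {}
    for name in hidden:
        if name in mapped:
            verdict[name] = "unlinked after readdir but still mapped (lsof DEL): benign scratch buffer"
        elif name not in rescan:
            verdict[name] = "gone on rescan: unlink raced between readdir and stat"
        else:
            verdict[name] = "still listed yet not stat-able on rescan: investigate"
    return verdict
```

A name that survives a rescan in the third state is the pattern rootcheck is actually designed for; the first two match the corosync buffer churn seen in this thread.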