Friends,
I am running ossec server version 2.7.1 on CentOS 6.5 and my agents
are all running version 2.7.1 in a mix of CentOS 4-6 and Debian 4-6
hosts. On all the agents and server I have rootkit detection configured as
such:
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>
with these options removed:
  <localfile>
    <log_format>command</log_format>
    <command>df -h</command>
  </localfile>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
  </localfile>
  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 5</command>
  </localfile>
I received the following alerts from two of my agents:
  2014 Apr 14 17:09:44 (host001) a.b.c.d->rootcheck
  Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
  Process '29594' hidden from /proc. Possible kernel level rootkit.

  2014 Apr 14 18:51:49 (host002) e.f.g.h->rootcheck
  Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
  Process '23067' hidden from /proc. Possible kernel level rootkit.
I am scratching my head as to exactly what ossec did to generate these
alerts... Can anyone help explain how this works to me, please?
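An added illustration of the check behind this alert, written here as an example and not taken from the post or from OSSEC's source: rootcheck walks the PID range asking the kernel about each PID through kill(pid, 0), getsid() and getpgid(), then looks for the same PID in the /proc directory listing. A PID the kernel acknowledges but /proc does not list is what produces "hidden from /proc". The function names, the re-check against short-lived processes and the pid_max fallback are my own choices.

```c
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Does the kernel acknowledge this PID at all? kill(pid, 0) sends no signal;
 * EPERM means the process exists but belongs to someone else. getsid() and
 * getpgid() answer for any existing process regardless of ownership. */
int pid_alive(pid_t pid) {
    errno = 0;
    if (kill(pid, 0) == 0 || errno == EPERM) return 1;
    if (getsid(pid) != -1) return 1;
    if (getpgid(pid) != -1) return 1;
    return 0;
}

/* Is the PID present as a directory entry under /proc?
 * Returns 1 if listed, 0 if not, -1 if /proc cannot be read. */
int pid_in_proc(pid_t pid) {
    char want[32];
    int found = 0;
    struct dirent *e;
    DIR *d = opendir("/proc");
    if (d == NULL) return -1;
    snprintf(want, sizeof want, "%ld", (long)pid);
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, want) == 0) { found = 1; break; }
    }
    closedir(d);
    return found;
}

/* 1 if the kernel knows the PID but /proc does not list it, 0 otherwise.
 * The second pass guards against a process that exited between the
 * syscall probe and the readdir() walk, which would otherwise be a false
 * positive on a busy host. */
int pid_is_hidden(pid_t pid) {
    if (!pid_alive(pid)) return 0;
    if (pid_in_proc(pid) != 0) return 0;   /* listed, or /proc unreadable */
    if (!pid_alive(pid)) return 0;         /* it simply exited: not hidden */
    return pid_in_proc(pid) == 0;
}

/* Upper bound of the PID space; falls back to the classic 32768 if the
 * sysctl file is unreadable (assumed fallback value, not a kernel constant). */
long read_max_pid(void) {
    long max = 32768;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f != NULL) {
        if (fscanf(f, "%ld", &max) != 1 || max < 2) max = 32768;
        fclose(f);
    }
    return max;
}

/* Scan 1..max_pid, store hidden PIDs in out (up to cap), return the count. */
int find_hidden_pids(pid_t max_pid, pid_t *out, size_t cap) {
    int n = 0;
    for (pid_t pid = 1; pid <= max_pid; pid++) {
        if (pid_is_hidden(pid)) {
            if ((size_t)n < cap) out[n] = pid;
            n++;
        }
    }
    return n;
}

int main(void) {
    pid_t hidden[64];
    int n = find_hidden_pids((pid_t)read_max_pid(), hidden, 64);
    for (int i = 0; i < n && i < 64; i++)
        printf("Process '%ld' hidden from /proc. Possible kernel level rootkit.\n",
               (long)hidden[i]);
    if (n == 0) printf("no PID answered by the kernel is missing from /proc\n");
    return n > 0;
}
```

Two things worth knowing when reading a rule 510 alert of this kind: a process that lived for only a few milliseconds can be caught between the probe and the /proc walk, which is why the example checks twice, and /proc mounted with the hidepid option keeps other users' processes out of the listing while getsid() still answers for them, so a scan run as an unprivileged user will flag them. Either way the alert is a pointer to go and compare `ps`, `ls /proc` and the raw syscall view on that host, not proof of a rootkit on its own.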