On Tue, Apr 15, 2014 at 7:34 PM, holt archer <[email protected]> wrote:
> Friends,
> I am running ossec server version 2.7.1 on CentOS 6.5 and my agents are
> all running version 2.7.1 in a mix of CentOS 4-6 and Debian 4-6 hosts. On
> all the agents and server I have rootkit detection configured as such:
>
> <rootcheck>
>   <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>   <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
> </rootcheck>
>
> with these options removed:
>
> <localfile>
>   <log_format>command</log_format>
>   <command>df -h</command>
> </localfile>
>
> <localfile>
>   <log_format>full_command</log_format>
>   <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
> </localfile>
>
> <localfile>
>   <log_format>full_command</log_format>
>   <command>last -n 5</command>
> </localfile>
>
> I received the following alerts from two of my agents:
>
> 2014 Apr 14 17:09:44 (host001) a.b.c.d->rootcheck
> Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
> Process '29594' hidden from /proc. Possible kernel level rootkit.
>
> 2014 Apr 14 18:51:49 (host002) e.f.g.h->rootcheck
> Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
> Process '23067' hidden from /proc. Possible kernel level rootkit.
>
> I am scratching my head as to exactly what ossec did to generate these
> alerts... can anyone help explain how this works to me pls?
>
One of the processes checks for these things, and reports them when they're found.

> --
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
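To make the one-line answer concrete, here is an added illustration (not OSSEC's own code) of the approach behind a "hidden from /proc" alert: the PID check asks the kernel about each PID through kill(), getsid() and getpgid(), then checks whether /proc has an entry for the same PID, and flags the PID when the kernel says it exists but /proc does not. The enum and function names here are mine; the re-check after a pause is there because a process that exits between the two probes would otherwise look hidden.

```c
/* Added illustration of a rootcheck-style PID sweep (not OSSEC's code):
 * ask the kernel about each PID via syscalls, then compare with /proc. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

enum verdict { PID_ABSENT = 0, PID_VISIBLE = 1, PID_HIDDEN_FROM_PROC = 2 };

/* 1 if the kernel admits the PID exists: only ESRCH means "no such process". */
int kernel_sees_pid(pid_t pid)
{
    if (!(kill(pid, 0) == -1 && errno == ESRCH)) return 1;   /* EPERM still means it exists */
    if (!(getsid(pid) == -1 && errno == ESRCH)) return 1;
    if (!(getpgid(pid) == -1 && errno == ESRCH)) return 1;
    return 0;
}

/* 1 if /proc/<pid> exists, the view ps and other userland tools rely on. */
int proc_sees_pid(pid_t pid)
{
    char path[32];
    snprintf(path, sizeof path, "/proc/%d", (int)pid);
    return access(path, F_OK) == 0;
}

/* Cross-check both views. A process that exits between the two probes
 * looks hidden, so re-ask the kernel after a pause before alerting. */
enum verdict classify_pid(pid_t pid)
{
    int k = kernel_sees_pid(pid), p = proc_sees_pid(pid);
    if (k && !p) {
        struct timespec pause = { 0, 100 * 1000 * 1000 }; /* 100 ms */
        nanosleep(&pause, NULL);
        return kernel_sees_pid(pid) ? PID_HIDDEN_FROM_PROC : PID_ABSENT;
    }
    return k ? PID_VISIBLE : PID_ABSENT;
}

/* Constructed check: an already-reaped child must be PID_ABSENT, not "hidden". */
enum verdict classify_reaped_child(void)
{
    pid_t pid = fork();
    if (pid == 0) _exit(0);     /* child: exit at once */
    waitpid(pid, NULL, 0);      /* parent: reap it, so the PID is gone */
    return classify_pid(pid);
}
```

A full sweep calls classify_pid() for every PID from 1 up to the value in /proc/sys/kernel/pid_max and reports each PID_HIDDEN_FROM_PROC result; the race handled above is why a transient command process can otherwise trip this check.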
