I appreciate the answer though it shows me how much I suck at asking
questions :-)
What I really want to ask is this, based on the excellent documentation I
could find we *think* rootcheck is doing this:
    for (pid_t pid = 1; pid <= max_pid; pid++) {
        /* kill(pid, 0) sends no signal; 0 (or EPERM) means a process exists */
        if (kill(pid, 0) == 0 || errno == EPERM) {
            char dirname[20];
            snprintf(dirname, sizeof(dirname), "/proc/%d", (int)pid);
            DIR *d = opendir(dirname);
            if (d)
                closedir(d);
            else {
                /* OMG, rootkit! */
                printf("Process '%d' hidden from /proc\n", (int)pid);
            }
        }
    }
But I don't know where to look in the code for the actual instruction set,
perhaps you could point me in the right direction?
Also, I *think* that by turning off the netstat checking features in rootcheck
I have inadvertently caused it to lose some accuracy/efficacy and thus my
deploy may be more prone to false positives than if I were using it as
intended, would you agree or am I way off?
Lastly, if you don't hear it enough, thanks for making such an awesome tool
for us to use.
-Thanks
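[Editor's note: the following is an added, stand-alone example illustrating the hidden-PID check sketched in the reply above and the "Process 'N' hidden from /proc" alert quoted below. It is not OSSEC's own source; it reimplements the idea on Linux procfs. It treats a PID as alive when kill(pid, 0) returns 0 or fails with EPERM, asks /proc about it with both opendir() and stat(), and re-checks once after a short pause so a process that exits between the two syscalls is not reported as hidden. The function names, the 10 ms recheck delay and the pid_max fallback of 32768 are this example's own choices.]

```c
#define _POSIX_C_SOURCE 200809L
/* Added example (not OSSEC code): a /proc hidden-PID scan with a recheck.
 * Assumes Linux procfs; /proc/sys/kernel/pid_max is read when available. */
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

enum pid_state { PID_ABSENT = 0, PID_VISIBLE = 1, PID_HIDDEN = 2 };

/* Does the kernel say a process with this PID exists?  kill(pid, 0)
 * delivers no signal: 0 or EPERM mean "yes", ESRCH means "no". */
int pid_alive(pid_t pid)
{
    if (pid <= 0)
        return 0;
    if (kill(pid, 0) == 0)
        return 1;
    return errno == EPERM;
}

/* Can we see /proc/<pid> the way ps or netstat would?  Two independent
 * lookups, because a hook on readdir() alone or stat() alone passes one. */
int proc_visible(pid_t pid)
{
    char path[32];
    struct stat st;
    DIR *d;
    int by_opendir, by_stat;

    snprintf(path, sizeof path, "/proc/%ld", (long)pid);
    d = opendir(path);
    by_opendir = (d != NULL);
    if (d)
        closedir(d);
    by_stat = (stat(path, &st) == 0);
    return by_opendir && by_stat;
}

/* Classify one PID.  A second pass after a short pause filters out a
 * process that merely exited between kill() and opendir(). */
enum pid_state classify_pid(pid_t pid)
{
    struct timespec pause = { 0, 10 * 1000 * 1000 }; /* 10 ms, our choice */
    int attempt;

    for (attempt = 0; attempt < 2; attempt++) {
        if (!pid_alive(pid))
            return PID_ABSENT;
        if (proc_visible(pid))
            return PID_VISIBLE;
        nanosleep(&pause, NULL);
    }
    return PID_HIDDEN;
}

/* Largest PID the kernel hands out; falls back to the classic 32768. */
long read_pid_max(void)
{
    long v = 32768;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) {
        if (fscanf(f, "%ld", &v) != 1)
            v = 32768;
        fclose(f);
    }
    return v;
}

/* Walk PIDs 1..max_pid, store hidden ones in out[], return the count. */
size_t scan_hidden_pids(long max_pid, pid_t *out, size_t cap)
{
    size_t n = 0;
    long pid;
    for (pid = 1; pid <= max_pid && n < cap; pid++)
        if (classify_pid((pid_t)pid) == PID_HIDDEN)
            out[n++] = (pid_t)pid;
    return n;
}

int main(void)
{
    pid_t hidden[64];
    size_t i, n = scan_hidden_pids(read_pid_max(), hidden, 64);
    for (i = 0; i < n; i++)
        printf("Process '%ld' hidden from /proc. Possible kernel level rootkit.\n",
               (long)hidden[i]);
    if (n == 0)
        puts("no hidden PIDs found");
    return 0;
}
```

Two things a practitioner should keep in mind when running a scan like this: it must run as root, because on a /proc mounted with hidepid=1 or 2 an unprivileged scanner gets EPERM from kill() (process exists) but cannot open /proc/<pid>, which looks exactly like a hidden process; and even with the recheck, a very short-lived process whose PID is reused immediately can still slip through, so a single alert for a PID that no longer exists deserves correlation with other evidence (for example, the process list and listening sockets seen from the host) before being treated as a kernel rootkit.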
On Tuesday, April 15, 2014 4:34:05 PM UTC-7, funwithossec wrote:
>
> Friends,
> I am running ossec server version 2.7.1 on CentOS 6.5 and my agents
> are all running version 2.7.1 in a mix of CentOS 4-6 and Debian 4-6
> hosts. On all the agents and server I have rootkit detection configured as
> such:
>
> <rootcheck>
> <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>
> <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
> </rootcheck>
>
> with these options removed:
>
> <localfile>
> <log_format>command</log_format>
> <command>df -h</command>
> </localfile>
>
> <localfile>
> <log_format>full_command</log_format>
> <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
> </localfile>
>
> <localfile>
> <log_format>full_command</log_format>
> <command>last -n 5</command>
> </localfile>
>
> I received the following alerts from two of my agents:
>
> 2014 Apr 14 17:09:44 (host001) a.b.c.d->rootcheck
> Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
> Process '29594' hidden from /proc. Possible kernel level rootkit.
>
>
> 2014 Apr 14 18:51:49 (host002) e.f.g.h->rootcheck
> Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
> Process '23067' hidden from /proc. Possible kernel level rootkit.
>
> I am scratching my head as to exactly what ossec did to generate these
> alerts...can anyone help explain how this works to me pls?
>
>
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.