On Wed, May 7, 2014 at 12:02 PM, funwithossec <[email protected]> wrote:
> I appreciate the answer though it shows me how much I suck at asking
> questions :-)
>
> What I really want to ask is this, based on the excellent documentation I
> could find we *think* rootcheck is doing this:
>
> for (pid in every possible value) {
>     if (kill(pid, 0) == 0 || errno == EPERM) {
>         /* process with this pid exists */
>         char dirname[20];
>         snprintf(dirname, sizeof(dirname), "/proc/%d", (int)pid);
>         DIR *d = opendir(dirname);
>         if (d)
>             closedir(d);
>         else {
>             OMG, rootkit!
>         }
>     }
> }
>
> But I don't know where to look in the code for the actual instruction set,
> perhaps you could point me in the right direction?

Rootcheck maybe?

> Also, I *think* that turning off the netstat checking features in rootcheck
> I have inadvertently caused it to lose some accuracy/efficacy and thus my
> deploy may be more prone to false positives than if I was using as intended,
> would you agree or am I way off?

No idea, I don't pay much attention to rootcheck.

> Lastly, if you don't hear it enough, thanks for making such an awesome tool
> for us to use.
>
> -Thanks
>
> On Tuesday, April 15, 2014 4:34:05 PM UTC-7, funwithossec wrote:
>> Friends,
>> I am running ossec server version 2.7.1 on CentOS 6.5 and my agents
>> are all running version 2.7.1 in a mix of CentOS 4-6 and Debian 4-6 hosts.
>> On all the agents and server I have rootkit detection configured as such:
>>
>> <rootcheck>
>>   <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>>   <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>> </rootcheck>
>>
>> with these options removed:
>>
>> <localfile>
>>   <log_format>command</log_format>
>>   <command>df -h</command>
>> </localfile>
>>
>> <localfile>
>>   <log_format>full_command</log_format>
>>   <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
>> </localfile>
>>
>> <localfile>
>>   <log_format>full_command</log_format>
>>   <command>last -n 5</command>
>> </localfile>
>>
>> I received the following alerts from two of my agents:
>>
>> 2014 Apr 14 17:09:44 (host001) a.b.c.d->rootcheck
>> Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
>> Process '29594' hidden from /proc. Possible kernel level rootkit.
>>
>> 2014 Apr 14 18:51:49 (host002) e.f.g.h->rootcheck
>> Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
>> Process '23067' hidden from /proc. Possible kernel level rootkit.
>>
>> I am scratching my head as to exactly what ossec did to generate these
>> alerts...can anyone help explain how this works to me pls?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
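The kill()/proc consistency scan that the quoted pseudocode sketches, written out as a working program. This is an added example, not OSSEC's rootcheck source and not code from either poster; the thread does not confirm that rootcheck implements exactly this, so treat it as an illustration of the described check. Two details matter for false positives: kill(pid, 0) returns 0 on success (and EPERM when the process exists but belongs to another user), so the raw return value must not be used as "exists"; and a process can exit between the kill() call and the opendir() call, so a single mismatch on a short-lived pid is not proof of hiding. The example re-checks once before reporting. ASSUMED_PID_MAX is an assumption; on a real host read /proc/sys/kernel/pid_max.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

/* Assumed upper bound for the scan (classic default pid_max); a real
 * deployment should read /proc/sys/kernel/pid_max instead. */
#define ASSUMED_PID_MAX 32768

enum pid_state { PID_ABSENT, PID_PRESENT, PID_UNKNOWN };

/* kill(pid, 0) delivers no signal; it only asks the kernel whether the pid
 * exists. 0 means it exists and is ours, EPERM means it exists but is not
 * ours, ESRCH means there is no such process. Note that the pseudocode in
 * the thread tested the bare return value, which is 0 on success. */
enum pid_state pid_known_to_kernel(pid_t pid)
{
    if (kill(pid, 0) == 0) return PID_PRESENT;
    if (errno == EPERM)    return PID_PRESENT;
    if (errno == ESRCH)    return PID_ABSENT;
    return PID_UNKNOWN;
}

/* Can /proc/<pid> be opened? Opening the path directly (rather than reading
 * the /proc listing) matters: a non-leader thread's /proc/<tid> is not shown
 * by readdir() but is reachable by path, so threads are not flagged here. */
int pid_visible_in_proc(pid_t pid)
{
    char path[32];
    snprintf(path, sizeof path, "/proc/%d", (int)pid);
    DIR *d = opendir(path);
    if (!d) return 0;
    closedir(d);
    return 1;
}

/* A pid is suspicious when the kernel reports it but /proc does not show it.
 * Because the process may exit between the two calls, a mismatch is checked
 * twice with a short pause in between; only a stable mismatch is reported. */
int pid_hidden_from_proc(pid_t pid)
{
    struct timespec pause = { 0, 20 * 1000 * 1000 };  /* 20 ms */
    for (int attempt = 0; attempt < 2; attempt++) {
        if (pid_known_to_kernel(pid) != PID_PRESENT) return 0;
        if (pid_visible_in_proc(pid)) return 0;
        if (attempt == 0) nanosleep(&pause, NULL);
    }
    return 1;
}

/* Scan pids 1..max_pid, store hidden ones in out (up to cap), return count. */
size_t scan_hidden_pids(pid_t max_pid, pid_t *out, size_t cap)
{
    size_t n = 0;
    for (pid_t pid = 1; pid <= max_pid && n < cap; pid++)
        if (pid_hidden_from_proc(pid)) out[n++] = pid;
    return n;
}

int main(void)
{
    pid_t hidden[64];
    size_t n = scan_hidden_pids(ASSUMED_PID_MAX, hidden, 64);
    for (size_t i = 0; i < n; i++)
        printf("Process '%d' hidden from /proc. Possible kernel level rootkit.\n",
               (int)hidden[i]);
    if (n == 0) puts("no kill()/proc mismatches found");
    return 0;
}
```

Run it unprivileged and it still works, because EPERM from kill() is treated as "exists". A one-off alert for a single pid that never recurs is consistent with the race described above rather than with a rootkit; a pid that stays hidden across repeated scans is the case worth investigating.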
