Allrighty then, makes it an easy decision to turn it off.
On Thu, May 8, 2014 at 6:09 AM, dan (ddp) <[email protected]> wrote:
> On Wed, May 7, 2014 at 12:02 PM, funwithossec <[email protected]> wrote:
> > I appreciate the answer though it shows me how much I suck at asking
> > questions :-)
> >
> > What I really want to ask is this, based on the excellent documentation I
> > could find we *think* rootcheck is doing this:
> >
> > for (pid in every possible value) {
> >     if (kill(pid, 0) == 0) {
> >         /* process with this pid exists */
> >         char dirname[20];
> >         snprintf(dirname, sizeof(dirname), "/proc/%d", (int)pid);
> >         DIR *d = opendir(dirname);
> >         if (d)
> >             closedir(d);
> >         else {
> >             OMG, rootkit!
> >         }
> >     }
> > }
> >
> > But I don't know where to look in the code for the actual instruction set,
> > perhaps you could point me in the right direction?
> >
>
> Rootcheck maybe?
>
> > Also, I *think* that turning off the netstat checking features in rootcheck
> > I have inadvertently caused it to lose some accuracy/efficacy and thus my
> > deploy may be more prone to false positives than if I was using it as intended,
> > would you agree or am I way off?
> >
>
> No idea, I don't pay much attention to rootcheck.
>
> > Lastly, if you don't hear it enough, thanks for making such an awesome tool
> > for us to use.
> >
> > -Thanks
> >
> > On Tuesday, April 15, 2014 4:34:05 PM UTC-7, funwithossec wrote:
> >>
> >> Friends,
> >> I am running ossec server version 2.7.1 on CentOS 6.5 and my agents
> >> are all running version 2.7.1 in a mix of CentOS 4-6 and Debian 4-6 hosts.
> >> On all the agents and server I have rootkit detection configured as such:
> >>
> >> <rootcheck>
> >>   <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
> >>   <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
> >> </rootcheck>
> >>
> >> with these options removed:
> >>
> >> <localfile>
> >>   <log_format>command</log_format>
> >>   <command>df -h</command>
> >> </localfile>
> >>
> >> <localfile>
> >>   <log_format>full_command</log_format>
> >>   <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
> >> </localfile>
> >>
> >> <localfile>
> >>   <log_format>full_command</log_format>
> >>   <command>last -n 5</command>
> >> </localfile>
> >>
> >> I received the following alerts from two of my agents:
> >>
> >> 2014 Apr 14 17:09:44 (host001) a.b.c.d->rootcheck
> >> Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
> >> Process '29594' hidden from /proc. Possible kernel level rootkit.
> >>
> >> 2014 Apr 14 18:51:49 (host002) e.f.g.h->rootcheck
> >> Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
> >> Process '23067' hidden from /proc. Possible kernel level rootkit.
> >>
> >> I am scratching my head as to exactly what ossec did to generate these
> >> alerts...can anyone help explain how this works to me pls?
> >>
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
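The check the thread is guessing at, written out as a runnable example (added here; it is not ossec's own rootcheck code, which the thread never quotes): kill(pid, 0) tests whether a pid is alive, opendir on /proc/<pid> tests whether it is visible, and a second liveness check filters the process-exited-between-probes race that can fire the same "hidden from /proc" alert on a clean host. The 32768 pid bound and all function names are assumptions, not anything from the page.

```c
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* kill(pid, 0) delivers no signal: 0 or EPERM means the pid exists, ESRCH that it does not. */
static int pid_alive(pid_t pid)
{
    return kill(pid, 0) == 0 || errno == EPERM;
}

/* 0 = not alive, 1 = alive and listed, 2 = alive but absent from /proc, the signature of a rootkit
 * hiding /proc/<pid> while the process still answers kill(). A process that exits between the two
 * probes looks like case 2 as well, so liveness is re-checked before reporting (a benign race). */
int classify_pid(pid_t pid)
{
    char path[32];
    if (!pid_alive(pid))
        return 0;
    snprintf(path, sizeof(path), "/proc/%d", (int)pid);
    DIR *d = opendir(path);
    if (d != NULL) {
        closedir(d);
        return 1;
    }
    return pid_alive(pid) ? 2 : 0;
}

/* Sweep the pid space (32768 = default pid_max; /proc/sys/kernel/pid_max has the real bound). */
int count_hidden_pids(void)
{
    int hidden = 0;
    for (pid_t pid = 1; pid <= 32768; pid++)
        if (classify_pid(pid) == 2)
            hidden++;
    return hidden;
}

/* Fork a child that exits at once and reap it: yields a pid that is no longer alive. */
pid_t reaped_child_pid(void)
{
    pid_t child = fork();
    if (child == 0)
        _exit(0);
    if (child > 0)
        waitpid(child, NULL, 0);
    return child;
}
```

A /proc mounted with hidepid=2 also produces case 2 for every process owned by another user, so check the mount options before reading a non-zero count as evidence of a rootkit.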
