I also get these alerts periodically. Running 'ps' afterwards doesn't ever
find anything... rather frustrating.
Is there another way to figure out what app/code is triggering them? Would
be great if ossec could capture more about the process when it's
encountered.
{ "rule": { "level": 7, "comment": "Host-based anomaly detection event (rootcheck).", "sidid": 510 },
  "location": "(i-0747b50906723111c) any->rootcheck",
  "full_log": "Process '29317' hidden from /proc. Possible kernel level rootkit." }
On Tuesday, March 29, 2016 at 6:16:03 AM UTC-4, Jesus Linares wrote:
>
> Hi,
>
> that alert is related to a *kernel-level check* (anomaly detection
> checks, not *rootkit_files.txt* or *rootkit_trojans.txt*). You can see
> more details in the code: src/rootcheck/check_rc_pids.c. Line 256: "Check
> if the pid is a thread (not showing in /proc)".
>
> The code inspects all process IDs (PIDs), and uses the getsid, getpgid, and
> kill system calls to find all running processes. If the PID is being used,
> but the ps command cannot see it, a kernel-level rootkit or a Trojan
> version of ps might be running. The output of the getsid, getpgid, and kill
> system calls is also compared, looking for discrepancies.
>
> So, your process 13380 is not in /proc. Try to find it using ps -e | grep
> 892
>
> Regards,
> Jesus Linares.
>
>
>
> On Thursday, March 24, 2016 at 2:15:00 PM UTC+1, Johnny InfoSec wrote:
>>
>> Greetings :-)
>>
>> Just got this alert, and was wondering if you could provide some specific
>> guidance on how to investigate (step 1, 2, etc.).
>>
>> New to OSSEC.
>>
>> OSSEC HIDS Notification.
>>
>> 2016 Mar 24 7:49:39
>>
>>
>>
>> Received From: log->rootcheck
>>
>> Rule: 510 fired (level 7) -> "Host-based anomaly detection event
>> (rootcheck)."
>>
>> Portion of the log(s):
>>
>>
>>
>> Process '13380' hidden from /proc. Possible kernel level rootkit.
>>
>> --END OF NOTIFICATION
>>
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
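The check described in the reply above (probe every pid with kill, getsid and getpgid, then look for pids the kernel says are in use but /proc does not list), plus the extra context the first poster asked for, as an added Python example written for this page; it is not code from OSSEC's check_rc_pids.c or from anyone in the thread. It assumes a Linux /proc and Python 3.8 or newer; the verdict names, the 50 ms re-probe delay and the captured fields are this example's own choices. Before treating a hit as a rootkit it rules out two benign explanations a practitioner would check: a task that exited between the syscall probe and the /proc listing, and a thread id, which answers all three probes but is hidden from readdir('/proc') by design and can be recognised from the Tgid line in /proc/<tid>/status.

```python
"""Added example (not OSSEC code): rootcheck-style hidden-pid scan with context capture.
Assumes Linux /proc semantics and Python 3.8+ (threading.get_native_id).
Verdict names ('visible', 'thread', 'hidden', ...) are this script's own."""
import errno
import os
import time

PROBES = ("kill", "getsid", "getpgid")


def probe_pid(pid):
    """Ask the kernel three ways whether `pid` is in use, as rootcheck does.
    ESRCH means no such task; success or EPERM (a task we may not signal)
    both mean the pid exists. Returns {probe_name: alive}."""
    results = {}
    for name in PROBES:
        try:
            if name == "kill":
                os.kill(pid, 0)          # signal 0: existence/permission check only
            elif name == "getsid":
                os.getsid(pid)
            else:
                os.getpgid(pid)
            results[name] = True
        except ProcessLookupError:       # errno ESRCH
            results[name] = False
        except PermissionError:          # errno EPERM: exists, but not ours to signal
            results[name] = True
    return results


def listed_in_proc(pid):
    """True if readdir('/proc') lists the pid; this is the view ps and `ls /proc` get."""
    return str(pid) in os.listdir("/proc")


def thread_group_leader(pid):
    """Tgid from /proc/<pid>/status, or None if unreadable. A thread id is absent
    from readdir('/proc') but /proc/<tid>/ is reachable by direct path, and its
    Tgid names the owning process."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def classify(pid, recheck_delay=0.05):
    """One of: free, inconsistent, visible, thread, transient, hidden."""
    probes = probe_pid(pid)
    if not any(probes.values()):
        return "free"
    if not all(probes.values()):
        return "inconsistent"            # the three syscalls disagree about this pid
    if listed_in_proc(pid):
        return "visible"
    tgid = thread_group_leader(pid)
    if tgid is not None and tgid != pid:
        return "thread"                  # benign: a TID, hidden from readdir by design
    time.sleep(recheck_delay)            # rule out a task that lived only during the first pass
    if not all(probe_pid(pid).values()):
        return "transient"
    if listed_in_proc(pid):
        return "visible"                 # was still being set up during the first pass
    return "hidden"                      # alive per the kernel, absent from /proc: investigate


def capture(pid):
    """Record what /proc still reveals about a pid at detection time."""
    info = {"pid": pid, "probes": probe_pid(pid)}
    for link in ("exe", "cwd"):
        try:
            info[link] = os.readlink(f"/proc/{pid}/{link}")
        except OSError as e:
            info[link] = "<%s>" % errno.errorcode.get(e.errno, e.errno)
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            info["cmdline"] = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        info["cmdline"] = None
    return info


def scan(start=1, stop=None, interesting=("hidden", "inconsistent")):
    """Walk the pid space like rootcheck; return [(verdict, capture)] for hits."""
    if stop is None:
        with open("/proc/sys/kernel/pid_max") as f:
            stop = int(f.read())
    hits = []
    for pid in range(start, stop):
        verdict = classify(pid)
        if verdict in interesting:
            hits.append((verdict, capture(pid)))   # grab context while the task is alive
    return hits


def thread_looks_hidden():
    """The benign false positive: a thread id passes all three probes and is
    missing from readdir('/proc'). Returns (naive_verdict, classify_verdict)."""
    import threading
    ready, done, tid = threading.Event(), threading.Event(), []

    def body():
        tid.append(threading.get_native_id())
        ready.set()
        done.wait()

    t = threading.Thread(target=body)
    t.start()
    ready.wait()
    try:
        naive = all(probe_pid(tid[0]).values()) and not listed_in_proc(tid[0])
        return naive, classify(tid[0])
    finally:
        done.set()
        t.join()


if __name__ == "__main__":
    for verdict, info in scan():
        print(verdict, info)
```

Run it as root for a full sweep (exe and cwd links of other users' processes are otherwise unreadable). To act on an OSSEC alert rather than sweep, call classify() and capture() with the pid from the alert as soon as it arrives: exe, cwd and cmdline are only available while the task is alive, which is why a later ps often finds nothing. A "thread" or "transient" verdict means the pid was a thread id or a short-lived task; "hidden" means the kernel still answers for the pid while /proc does not list it, and that is the case worth taking to a memory or offline disk analysis.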