I also get these alerts periodically. Running 'ps' afterwards doesn't ever find anything... rather frustrating.
Is there another way to figure out what app/code is triggering them? Would be great if ossec could capture more about the process when it's encountered. { "rule": { "level": 7, "comment": "Host-based anomaly detection event (rootcheck).", "sidid": 510 }, "location": "(i-0747b50906723111c) any->rootcheck", "full_log": "Process '29317' hidden from /proc. Possible kernel level rootkit." } On Tuesday, March 29, 2016 at 6:16:03 AM UTC-4, Jesus Linares wrote: > > Hi, > > that alert is related to a *kernel-level check* (anomaly detection > checks, not *rootkit_files.txt* or *rootkit_trojans.txt*). You can see > more details in the code: src/rootcheck/check_rc_pids.c. Line 256: "Check > if the pid is a thread (not showing in /proc". > > The code inspects all process IDs (PID), and use the getsid, getpgid, and > kill system calls to find all running processes. If the PID is being used, > but the ps command cannot see it, a kernel-level rootkit or a Trojan > version of ps might be running. It is also compared the output of getsid, > getpgid, and kill system calls looking for discrepancies. > > So, your process 13380 is not in /proc. Try to find it using ps -e | grep > 892 > > Regards, > Jesus Linares. > > > > On Thursday, March 24, 2016 at 2:15:00 PM UTC+1, Johnny InfoSec wrote: >> >> Greetings :-) >> >> Just got this alert, and was wondering if you could provide some specific >> guidance on how to investigate (step 1, 2, etc.). >> >> New to OSSEC. >> >> OSSEC HIDS Notification. >> >> 2016 Mar 24 7:49:39 >> >> >> >> Received From: log->rootcheck >> >> Rule: 510 fired (level 7) -> "Host-based anomaly detection event >> (rootcheck)." >> >> Portion of the log(s): >> >> >> >> Process '13380' hidden from /proc. Possible kernel level rootkit. >> >> >> >> >> >> >> >> --END OF NOTIFICATION >> > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.