Opened issue to discuss enhancements with dev team: https://github.com/ossec/ossec-hids/issues/1242

On Tuesday, August 8, 2017 at 10:50:24 AM UTC-4, Clinton Parham wrote:
>
> I also get these alerts periodically. Running 'ps' afterwards doesn't ever 
> find anything... rather frustrating.
>
> Is there another way to figure out what app/code is triggering them? Would 
> be great if ossec could capture more about the process when it's 
> encountered.
>
> { "rule": { "level": 7, "comment": "Host-based anomaly detection event 
> (rootcheck).", "sidid": 510 }, "location": "(i-0747b50906723111c) 
> any->rootcheck", "full_log": "Process '29317' hidden from /proc. Possible 
> kernel level rootkit." }
>
> On Tuesday, March 29, 2016 at 6:16:03 AM UTC-4, Jesus Linares wrote:
>>
>> Hi, 
>>
>> that alert is related to a *kernel-level check* (anomaly detection 
>> checks, not *rootkit_files.txt* or *rootkit_trojans.txt*). You can see 
>> more details in the code: src/rootcheck/check_rc_pids.c. Line 256: "Check 
>> if the pid is a thread (not showing in /proc".
>>
>> The code inspects all process IDs (PID), and uses the getsid, getpgid, and 
>> kill system calls to find all running processes. If the PID is being used, 
>> but the ps command cannot see it, a kernel-level rootkit or a Trojan 
>> version of ps might be running. It also compares the output of the getsid, 
>> getpgid, and kill system calls, looking for discrepancies.
>>
>> So, your process 13380 is not in /proc. Try to find it using ps -e | 
>> grep 892
>>
>> Regards,
>> Jesus Linares.
>>
>>
>>
>> On Thursday, March 24, 2016 at 2:15:00 PM UTC+1, Johnny InfoSec wrote:
>>>
>>> Greetings :-)
>>>
>>> Just got this alert, and was wondering if you could provide some 
>>> specific guidance on how to investigate (step 1, 2, etc.).
>>>
>>> New to OSSEC.
>>>
>>> OSSEC HIDS Notification.
>>>
>>> 2016 Mar 24 7:49:39
>>>
>>> Received From: log->rootcheck
>>>
>>> Rule: 510 fired (level 7) -> "Host-based anomaly detection event 
>>> (rootcheck)."
>>>
>>> Portion of the log(s):
>>>
>>> Process '13380' hidden from /proc. Possible kernel level rootkit.
>>>
>>>  --END OF NOTIFICATION
>>>
>>
