Opened issue to discuss enhancements with dev team: https://github.com/ossec/ossec-hids/issues/1242
On Tuesday, August 8, 2017 at 10:50:24 AM UTC-4, Clinton Parham wrote:
> I also get these alerts periodically. Running 'ps' afterwards doesn't ever find anything... rather frustrating.
>
> Is there another way to figure out what app/code is triggering them? Would be great if ossec could capture more about the process when it's encountered.
>
> { "rule": { "level": 7, "comment": "Host-based anomaly detection event (rootcheck).", "sidid": 510 }, "location": "(i-0747b50906723111c) any->rootcheck", "full_log": "Process '29317' hidden from /proc. Possible kernel level rootkit." }
>
> On Tuesday, March 29, 2016 at 6:16:03 AM UTC-4, Jesus Linares wrote:
>> Hi,
>>
>> that alert is related to a *kernel-level check* (anomaly detection checks, not *rootkit_files.txt* or *rootkit_trojans.txt*). You can see more details in the code: src/rootcheck/check_rc_pids.c. Line 256: "Check if the pid is a thread (not showing in /proc".
>>
>> The code inspects all process IDs (PID), and uses the getsid, getpgid, and kill system calls to find all running processes. If the PID is being used, but the ps command cannot see it, a kernel-level rootkit or a Trojan version of ps might be running. The output of the getsid, getpgid, and kill system calls is also compared, looking for discrepancies.
>>
>> So, your process 13380 is not in /proc. Try to find it using ps -e | grep 892
>>
>> Regards,
>> Jesus Linares.
>>
>> On Thursday, March 24, 2016 at 2:15:00 PM UTC+1, Johnny InfoSec wrote:
>>> Greetings :-)
>>>
>>> Just got this alert, and was wondering if you could provide some specific guidance on how to investigate (step 1, 2, etc.).
>>>
>>> New to OSSEC.
>>>
>>> OSSEC HIDS Notification.
>>> 2016 Mar 24 7:49:39
>>>
>>> Received From: log->rootcheck
>>> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
>>> Portion of the log(s):
>>>
>>> Process '13380' hidden from /proc. Possible kernel level rootkit.
>>>
>>> --END OF NOTIFICATION