Hi Nidhi,
To enable hidden ports scan, please follow the steps below:

1. Enable the check_ports option by modifying the following configuration in your Wazuh agent:

    <rootcheck>
      <disabled>no</disabled>
      <check_ports>yes</check_ports>
      ....
      <frequency>43200</frequency>
      ...
    </rootcheck>

2. Restart the Wazuh agent:

    systemctl restart wazuh-agent

Using this configuration, if a hidden port is detected, an alert with the following message will be triggered: "Port <PORT> hidden Kernel-level rootkit or trojaned version of netstat."

To test this scenario, you can use appropriate tools to hide your process from netstat. Please perform any proof of concept in a separate testing environment to avoid affecting your production environment.

If you have any doubts, please do not hesitate to ask.

On Wednesday, March 1, 2023 at 7:27:25 AM UTC Nidhi Soni wrote:

> Hi all,
>
> I have Wazuh manager version: 4.3.7 installed on Ubuntu
> I have Wazuh agent 4.3.7 installed on Ubuntu
>
> How can I get alerts for hidden ports using rootcheck?
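Added example (not part of the original messages and not Wazuh's own code): a small Python check that the rootcheck options from step 1 are effectively set in an agent configuration, and that pulls the port number out of the alert message quoted above. The sample configuration, the sample alert lines, the function names, the "later block overrides earlier" rule and the tolerated quote and protocol decorations around the port are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample agent config: two <ossec_config> blocks, as agent files often have.
SAMPLE_CONF = """
<ossec_config>
  <rootcheck>
    <disabled>no</disabled>
    <check_ports>no</check_ports>
    <frequency>43200</frequency>
  </rootcheck>
</ossec_config>
<ossec_config>
  <rootcheck>
    <check_ports>yes</check_ports>
  </rootcheck>
</ossec_config>
"""

# Constructed sample alert text; the first line uses the wording quoted in the reply.
SAMPLE_ALERTS = [
    "Port 4444 hidden Kernel-level rootkit or trojaned version of netstat.",
    "Unrelated constructed alert line.",
    "Port '8080'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.",
]

# Assumption: quotes and a (tcp|udp) suffix may surround the port number.
HIDDEN_PORT = re.compile(r"Port\s+'?(\d+)'?(?:\((tcp|udp)\))?\s+hidden\b")

def rootcheck_settings(conf_text):
    """Return effective <rootcheck> options; later blocks override earlier ones (assumed)."""
    # The file has several top-level elements, so wrap it in a synthetic root to parse it.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    settings = {}
    for block in root.iter("rootcheck"):
        for option in block:
            settings[option.tag] = (option.text or "").strip().lower()
    return settings

def hidden_port_scan_enabled(settings):
    """True only when both options from step 1 are set explicitly."""
    return settings.get("disabled") == "no" and settings.get("check_ports") == "yes"

def hidden_ports(lines):
    """Extract (port, protocol-or-None) from hidden-port alert messages."""
    return [(int(m.group(1)), m.group(2)) for m in map(HIDDEN_PORT.search, lines) if m]

if __name__ == "__main__":
    effective = rootcheck_settings(SAMPLE_CONF)
    print(effective, hidden_port_scan_enabled(effective))
    print(hidden_ports(SAMPLE_ALERTS))
```

To run it against a real agent, pass the contents of the agent's configuration file to rootcheck_settings() and the alert text lines to hidden_ports().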
