Rootkit check on linux-vserver hosts


Victor

Oct 26, 2009, 8:08:01 PM
to ossec-list
Hi all,
I'm trying out OSSEC for the first time and was pleasantly surprised
by how easy it is to use and set up. However, I've come across a
problem I'm not sure how to address - I run linux-vserver, and because
of this, OSSEC sends a lot of these alerts:

Received From: (lab07.lab) 192.168.2.107->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event
(rootcheck)."
Portion of the log(s):

Port '33916'(tcp) hidden. Kernel-level rootkit or trojaned version of
netstat.

I found a previous post, and the answer back then was just to disable
rootkit detection:
http://www.mail-archive.com/ossec...@googlegroups.com/msg00011.html

Is this still the only way to get around this netstat error in OSSEC?

Thanks,
Victor

John A. Sullivan III

Oct 27, 2009, 1:28:18 PM
to ossec...@googlegroups.com
Hello, Victor. If I recall correctly, that error is simply a
consequence of the way VServer guests work (although I'm quite rusty on
the details). We disabled it with a rule which reads:

<!-- We will need a rule in /usr/local/ossec/rules/local_rules.xml to disregard
netstat hidden port alerts on vserver guests as follows. Subsequent
vserver guests will each need a hostname entry: -->
<rule id="100005" level="0">
  <if_sid>510</if_sid>
  <hostname>name1</hostname>
  <hostname>name2</hostname>
  <hostname>name3</hostname>
  <regex>tcp.*hidden.*netstat</regex>
  <description>Stop netstat rootkit alerts on vserver guests</description>
</rule>

In our case, we decided to do all OSSEC monitoring from the VServer
host. The only service we wanted to activate was rootkit which I
believe also comes in a standalone version. Unfortunately, in our
version of the kernel (needed to deal with a critical iSCSI bug),
rootkit causes kernel panics so we are not using it. Hope this helps -
John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsul...@opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

Victor

Nov 5, 2009, 5:18:28 PM
to ossec-list
On Oct 27, 11:28 am, "John A. Sullivan III"
<jsulli...@opensourcedevel.com> wrote:

John,
Thanks for this. I left off the <hostname> tag hoping that it would
match the regex from all hosts, but I still received these types of
alerts. I added one hostname to see if that'll help.

I'm not sure I understand why this tag is required, though. Can
someone explain how these local rules work?

Thanks,
Victor

John A. Sullivan III

Nov 5, 2009, 9:17:42 PM
to ossec...@googlegroups.com
I leave the explanation to those who are more knowledgeable, but I don't
know that making it match all hosts is a good idea. What about those
that are not VServer guests? These would be legitimate alerts for those.

- John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsul...@opensourcedevel.com

Daniel Cid

Nov 6, 2009, 11:18:19 AM
to ossec...@googlegroups.com
Hi Victor,

That rule worked for John by luck :) Maybe because rootcheck only alerts
once (per port per host) on that issue, but it is probably still
happening if they look at the rootcheck-control tool.

First, to match on multiple hostnames you need to use a pipe "|" to
separate them:

<hostname>name1|name2|name3</hostname>

The OSSEC regex also expects a backslash before them, like:

<regex>tcp\+hidden\+netstat</regex>


I would change the rule to:

<rule id="100005" level="0">
  <if_sid>510</if_sid>
  <hostname>name1|name2|name3</hostname>
  <match>trojaned version of netstat</match>
  <description>Stop netstat rootkit alerts on vserver guests</description>
</rule>

*but you can remove the <hostname> tag if you want it for all your systems.


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

Victor

Nov 9, 2009, 10:48:24 AM
to ossec-list
Ok, that makes sense. I was still getting the alerts with John's rule,
but your suggestion seems promising.

Did you mean to leave out the regex in your example rule? Is it
because sid 510 is always the tcp..hidden..netstat rule and the regex
is redundant and unnecessary? Also, your suggested regex didn't allow
OSSEC to start, but I think you probably meant to include a period:

<regex>tcp\.+hidden\.+netstat</regex>

Thanks!
Victor

On Nov 6, 10:18 am, Daniel Cid <daniel....@gmail.com> wrote:
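Daniel's rule and Victor's regex correction, modelled in an added Python example (written for this page; it is not OSSEC's own rule engine and not code from anyone in this thread). It parses a constructed local_rules.xml fragment, applies the <if_sid>, <hostname>, <match> and <regex> conditions to three constructed rootcheck alerts, and shows the netstat message silenced only on the listed vserver guests, while the same message from an unlisted host, or a different rootcheck finding on a guest, keeps level 7 (John's point about legitimate alerts). The hostname/match semantics (literal substrings, "|" alternatives, leading "^" anchor), the regex translation (backslash-dot as the wildcard, bare dot literal) and the functions os_match, ossec_regex_to_python, regex_hits, load_rules, effective_level and triage are all assumptions of this example; the host names, the second and third alerts and the "lab07" hostname entry are constructed.

```python
"""Simplified model of how an OSSEC local rule decides whether a rootcheck
alert is kept or silenced.  Added example, not OSSEC's own engine: the
<hostname>/<match>/<regex> semantics approximate what the thread describes."""
import re
import xml.etree.ElementTree as ET

# Constructed local_rules.xml fragment: Daniel's rule (hostnames joined with
# "|", <match> on the message) plus Victor's corrected <regex>.  "lab07" is
# added so the thread's own alert is covered.
LOCAL_RULES = r"""
<group name="local,">
  <rule id="100005" level="0">
    <if_sid>510</if_sid>
    <hostname>name1|name2|lab07</hostname>
    <match>trojaned version of netstat</match>
    <regex>tcp\.+hidden\.+netstat</regex>
    <description>Stop netstat rootkit alerts on vserver guests</description>
  </rule>
</group>
"""

# Constructed alerts: the thread's message on a listed guest, the same message
# from a host that is not a guest, and another finding (wording constructed).
NETSTAT_MSG = ("Port '33916'(tcp) hidden. Kernel-level rootkit or "
               "trojaned version of netstat.")
ALERTS = [
    {"host": "lab07.lab", "sid": 510, "log": NETSTAT_MSG},
    {"host": "db01.lab", "sid": 510, "log": NETSTAT_MSG},
    {"host": "lab07.lab", "sid": 510,
     "log": "File '/dev/.hidden' present on /dev. Possible hidden file."},
]


def os_match(pattern, text):
    """<match>/<hostname> in this model: literal substrings, "|" separates
    alternatives, a leading "^" anchors that alternative to the start."""
    for alt in pattern.split("|"):
        if alt.startswith("^"):
            if text.startswith(alt[1:]):
                return True
        elif alt in text:
            return True
    return False


def ossec_regex_to_python(pattern):
    """<regex> in this model: backslash-dot is the any-character wildcard
    (likewise backslash w/d/s/W/D/S/t), a bare dot is a literal dot,
    + * | ( ) ^ $ keep their usual meaning, everything else is literal."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == ".":
                out.append(".")
            elif nxt in "wdsWDSt":
                out.append("\\" + nxt)
            else:
                out.append(re.escape(nxt))
            i += 2
            continue
        out.append(ch if ch in "+*|()^$" else re.escape(ch))
        i += 1
    return "".join(out)


def regex_hits(pattern, text):
    return re.search(ossec_regex_to_python(pattern), text) is not None


def load_rules(xml_text):
    """Pull the child rules out of a local_rules.xml fragment."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        sids = (r.findtext("if_sid") or "").replace(" ", "").split(",")
        rules.append({"id": int(r.get("id")), "level": int(r.get("level")),
                      "if_sid": {int(s) for s in sids if s},
                      "hostname": r.findtext("hostname"),
                      "match": r.findtext("match"),
                      "regex": r.findtext("regex")})
    return rules


def effective_level(alert, rules, parent_level=7):
    """Return (level, rule_id): the first child rule whose if_sid, hostname,
    match and regex conditions all hold overrides the parent's level;
    level 0 means the alert is silenced."""
    for rule in rules:
        if alert["sid"] not in rule["if_sid"]:
            continue
        if rule["hostname"] and not os_match(rule["hostname"], alert["host"]):
            continue
        if rule["match"] and not os_match(rule["match"], alert["log"]):
            continue
        if rule["regex"] and not regex_hits(rule["regex"], alert["log"]):
            continue
        return rule["level"], rule["id"]
    return parent_level, alert["sid"]


def triage(alerts=ALERTS, rules_xml=LOCAL_RULES):
    """Evaluate every alert; returns a list of (host, level, rule_id)."""
    rules = load_rules(rules_xml)
    return [(a["host"],) + effective_level(a, rules) for a in alerts]


if __name__ == "__main__":
    for host, level, rule_id in triage():
        print(f"{host:10s} level {level} (rule {rule_id})")
    # Why the first rule in the thread only "worked by luck" in this model: with
    # a bare dot literal, tcp.*hidden.*netstat needs "tcp" followed directly by
    # "hidden" (dots aside), which the rootcheck message never contains.
    print("tcp.*hidden.*netstat hits:", regex_hits("tcp.*hidden.*netstat", NETSTAT_MSG))
```

Running it prints level 0 for the listed guest, level 7 for the unlisted host and for the other finding, and False for the original dot-star regex. Dropping the <hostname> element, as Daniel notes is possible, makes the first condition pass for every agent, which is exactly the trade-off John raises.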

Mirkonin

Nov 9, 2009, 5:13:12 PM
to ossec...@googlegroups.com
Is there a log generated when an agent goes inactive?

I had an issue with my agents and I would like to set up an alert.

Thanks

Daniel Cid

Nov 18, 2009, 2:46:37 PM
to ossec...@googlegroups.com
Hey,

Yes, you should get the alert id 504 (agent disconnected).

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
