rootcheck ignore not working with shared configuration


Geoff Nordli

Jan 16, 2023, 2:08:11 PM
to Wazuh mailing list
Hi.

I have a false positive with the /bin/diff file.  I am trying to ignore
it using the shared configuration for the computer, but it isn't working.

Here is the alert:

Received From: (host) 192.x.x.x->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event
(rootcheck)."
Portion of the log(s):

Trojaned version of file '/bin/diff' detected. Signature used:
'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).
title: Trojaned version of file detected.
file: /bin/diff

Here is the agent.conf file on the agent

<!-- Source file: default/agent.conf -->
<agent_config>

  <!-- Shared agent configuration here -->

</agent_config>
<!-- Source file: firewall/agent.conf -->
  <agent_config>
    <rootcheck>
      <ignore>/usr/bin/diff</ignore>
      <ignore>/bin/diff</ignore>
    </rootcheck>
  </agent_config>


Does it look like I am missing anything?

thanks,

Geoff


Juan Nicolás Asselle (Nico Asselle)

Jan 16, 2023, 3:10:18 PM
to Wazuh mailing list
Hi Geoff,

As the documentation states, the rootcheck [`ignore`](https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/rootcheck.html#ignore) option only applies to the `check_sys`, `check_dev` and `check_files` features, while your alert is related to [`rootkit_trojans`](https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/rootcheck.html#rootkit-trojans). A possible workaround is to create a custom `rootkit_trojans.txt` for your agent group and remove the `diff`-related entries from it.

Hope this helps!
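
The workaround described above, as an added example that is not code from this thread or from Wazuh: a small Python helper that produces a custom `rootkit_trojans.txt` with the `diff` entry removed, and shows which alternative of the signature quoted in the alert fires on a constructed binary. The entry layout (`binary !signature! description`) and the printable-strings-then-regex matching are assumptions here, and Python's `re` stands in for Wazuh's own regex engine.

```python
import re

# Constructed sample in the assumed rootkit_trojans.txt layout
# ("<binary> !<signature>! <description>", '#' starts a comment).
# The diff entry carries the signature quoted in the alert above.
SAMPLE_DB = r"""# Common binaries and public trojan entries
ls     !bash|^/bin/sh|dev/[^clu]|\.tmp/lsfile|duarawkz|/prof|/security|file\.h! Generic
diff   !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh! Generic
env    !bash|^/bin/sh|file\.h|proc\.h|/dev/! Generic
"""

ENTRY_RE = re.compile(r"^(\S+)\s+!(.*)!\s*(.*)$")


def parse_entries(text):
    """Return (binary, signature, description) for each non-comment entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and not line.lstrip().startswith("#"):
            entries.append(m.groups())
    return entries


def drop_entries(text, binaries):
    """Copy of the signature file without the entries for `binaries`.
    Comments, blank lines and every other entry are kept verbatim, so the
    result can be shipped as the agent group's custom rootkit_trojans.txt."""
    kept = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not (m and m.group(1) in binaries):
            kept.append(line)
    return "\n".join(kept) + "\n"


def signature_hits(signature, blob):
    """Which '|' alternatives of a signature match the binary's printable
    strings (runs of 4+ printable bytes, assumed to mirror the trojan check)?
    Approximation for triage only; assumes no '|' inside bracket expressions."""
    strings = [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{4,}", blob)]
    return [alt for alt in signature.split("|")
            if any(re.search(alt, s) for s in strings)]


if __name__ == "__main__":
    # Constructed stand-in for a clean ELF: '/dev/fd/%d' is what trips '/dev/[^n]'.
    blob = b"\x7fELF\x00\x00\x00/dev/fd/%d\x00GNU diffutils\x00"
    sig = dict((n, s) for n, s, _ in parse_entries(SAMPLE_DB))["diff"]
    print("alternatives that fire on the stand-in:", signature_hits(sig, blob))
    print(drop_entries(SAMPLE_DB, {"diff"}))
```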

Geoff Nordli

Jan 16, 2023, 10:38:25 PM
to Wazuh mailing list

Thank you Juan, that makes sense.

Maybe I should look at addressing the issue. This is an Ubuntu 22.04 install. I updated md5sum to virustotal and the file checks out as OK. I assume that this will get fixed in the next release.

Geoff
