How to research "Host-based anomaly detection event (rootcheck)."


Johnny InfoSec

Mar 24, 2016, 9:15:00 AM
to ossec-list
Greetings :-)

Just got this alert, and was wondering if you could provide some specific guidance on how to investigate (step 1, 2, etc.).

New to OSSEC.

OSSEC HIDS Notification.

2016 Mar 24 7:49:39

Received From: log->rootcheck

Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."

Portion of the log(s):

Process '13380' hidden from /proc. Possible kernel level rootkit.

 --END OF NOTIFICATION

Jesus Linares

Mar 29, 2016, 6:16:03 AM
to ossec-list
Hi,

That alert is related to a kernel-level check (anomaly detection checks, not rootkit_files.txt or rootkit_trojans.txt). You can see more details in the code: src/rootcheck/check_rc_pids.c. Line 256: "Check if the pid is a thread (not showing in /proc".

The code inspects all process IDs (PIDs), and uses the getsid, getpgid, and kill system calls to find all running processes. If the PID is being used, but the ps command cannot see it, a kernel-level rootkit or a Trojan version of ps might be running. It also compares the output of the getsid, getpgid, and kill system calls, looking for discrepancies.

So, your process 13380 is not in /proc. Try to find it using ps -e | grep 892

Regards,
Jesus Linares.

Clinton Parham

Aug 8, 2017, 10:50:24 AM
to ossec-list
I also get these alerts periodically. Running 'ps' afterwards doesn't ever find anything... rather frustrating.

Is there another way to figure out what app/code is triggering them? Would be great if ossec could capture more about the process when it's encountered.

{ "rule": { "level": 7, "comment": "Host-based anomaly detection event (rootcheck).", "sidid": 510 }, "location": "(i-0747b50906723111c) any->rootcheck", "full_log": "Process '29317' hidden from /proc. Possible kernel level rootkit." }

Clinton Parham

Sep 1, 2017, 10:57:01 AM
to ossec-list
Opened issue to discuss enhancements with dev team: https://github.com/ossec/ossec-hids/issues/1242
