Hi all,
I have Wazuh manager version 4.3.7 installed on Ubuntu.
I have Wazuh agent 4.3.7 installed on Ubuntu.
How can I get alerts for hidden ports using rootcheck?
Hi Nidhi,
To enable hidden ports scan, please follow the steps below:
1. Enable the check_ports option by modifying the following configuration in your Wazuh agent:
    <rootcheck>
      <disabled>no</disabled>
      <check_ports>yes</check_ports>
      ...
      <frequency>43200</frequency>
      ...
    </rootcheck>
2. Restart the Wazuh agent: systemctl restart wazuh-agent
Using this configuration, if a hidden port is detected, an alert with the following message will be triggered:
"Port <PORT> hidden Kernel-level rootkit or trojaned version of netstat."
To test this scenario, you can use appropriate tools to hide your process from netstat. Please perform any proof of concept in a separate testing environment to avoid affecting your production environment.
If you have any doubts, please do not hesitate to ask.
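The check above works by trying to bind each port and comparing the result with what netstat lists: a port whose bind fails because it is already in use, but which netstat does not show, is reported as hidden. The following is an added example, not code from the Wazuh project or from either poster, that reproduces that logic in Python so the comparison can be run and inspected by hand on the agent host. The netstat sample embedded in it is constructed (port 4444 is in use but missing from the listing); the function names and the `scan()` helper are this example's own. Running `scan()` on a host where a connection has been hidden is a quick way to confirm that the bind probe still sees the port, which is the condition the rootcheck alert depends on.

```python
"""Added example (not Wazuh's code): reproduce the bind-versus-netstat
comparison behind rootcheck's check_ports option.  A port that cannot be
bound (EADDRINUSE) but that netstat does not list is reported as hidden.
"""
import errno
import re
import socket
import subprocess

# Constructed sample of `netstat -an` output.  TCP port 4444 is in use on the
# host but has been filtered out of the listing, as a trojaned netstat or a
# kernel-level hook would do.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:1514          0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:1514           10.0.0.9:41522          ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

# Matches "<proto> <recv-q> <send-q> <addr>:<port>" at the start of a line.
LOCAL_ENDPOINT = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+\S+:(\d+)\s")


def listed_ports(netstat_output):
    """Set of (proto, local port) pairs that netstat reports."""
    found = set()
    for line in netstat_output.splitlines():
        m = LOCAL_ENDPOINT.match(line)
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found


def hidden_ports(in_use, netstat_output):
    """Ports known to be in use that are absent from the netstat listing."""
    listed = listed_ports(netstat_output)
    return sorted(p for p in in_use if p not in listed)


def ports_in_use(proto, ports, bind_addr="0.0.0.0"):
    """Probe by binding, as rootcheck does: EADDRINUSE means the port is taken.

    Privileged ports return EACCES when not running as root; they are skipped
    here, whereas rootcheck runs as root and can probe them all.
    """
    socktype = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    in_use = set()
    for port in ports:
        s = socket.socket(socket.AF_INET, socktype)
        try:
            s.bind((bind_addr, port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                in_use.add((proto, port))
        finally:
            s.close()
    return in_use


def scan(ports=range(1, 65536)):
    """Live scan of this host: bind probe against the real netstat output."""
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    in_use = ports_in_use("tcp", ports) | ports_in_use("udp", ports)
    return hidden_ports(in_use, out)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample: the bind probe
    # is simulated by the in_use set, which includes the filtered port 4444.
    in_use = {("tcp", 22), ("tcp", 1514), ("tcp", 4444), ("udp", 68)}
    for proto, port in hidden_ports(in_use, SAMPLE_NETSTAT):
        print(f"Port {port} ({proto}) hidden. "
              "Kernel-level rootkit or trojaned version of netstat.")
```

The same two-step comparison is what produces the rootcheck message quoted above; if `scan()` reports nothing on a host where a connection has been hidden, the hiding tool is also defeating the bind probe, and no netstat-based check will see it.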
I have installed the Reptile rootkit and did the required configuration as given in the Wazuh blog:
https://wazuh.com/blog/using-wazuh-rootcheck-to-detect-reptile-rootkit
I used this command to hide it: /reptile/reptile_cmd conn <ip> <port> hide
After that, when I use netstat -tun | grep <port>, the network connection does not show up.
But I did not get alerts in alerts.json, and I also didn't get logs in archives.json for hidden ports.