Detection for hidden ports


Nidhi Soni

Mar 1, 2023, 2:27:25 AM
to ossec-list

Hi all,


I have Wazuh manager version 4.3.7 installed on Ubuntu.

I have Wazuh agent 4.3.7 installed on Ubuntu.

How can I get alerts for hidden ports using rootcheck?

victor....@wazuh.com

Mar 14, 2023, 7:41:43 AM
to ossec-list

Hi Nidhi,

To enable the hidden ports scan, please follow the steps below:

1. Enable the check_ports option by modifying the following configuration in your Wazuh agent:

<rootcheck>
  <disabled>no</disabled>
  <check_ports>yes</check_ports>
  ....
  <frequency>43200</frequency>
  ...
</rootcheck>

2. Restart the Wazuh agent: systemctl restart wazuh-agent



Using this configuration, if a hidden port is detected, an alert with the following message will be triggered:

"Port <PORT> hidden Kernel-level rootkit or trojaned version of netstat."

To test this scenario, you can use appropriate tools to hide your process from netstat. Please perform any proof of concept in a separate testing environment to avoid affecting your production environment.



If you have any doubts, please do not hesitate to ask.
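The check described in the answer above compares what the kernel will actually hand out with what the socket listing shows. The following is an added example, not Wazuh's or OSSEC's own code: it reimplements that idea on Linux by attempting bind() on each port and diffing the busy ports against /proc/net/tcp and /proc/net/tcp6 (the table netstat reads). The /proc/net/tcp sample embedded below is constructed for illustration; the live scan() needs root for ports below 1024.

```python
import errno
import socket

# Constructed sample of /proc/net/tcp: hex local addresses, state 0A = LISTEN, 06 = TIME_WAIT.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 5678 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C350 0100007F:0016 06 00000000:00000000 00:00000000 00000000     0        0 0 3 0000000000000000
"""


def visible_ports(proc_net_tcp_text):
    """Return the set of local ports listed in /proc/net/tcp[6] text, in any state."""
    ports = set()
    for line in proc_net_tcp_text.splitlines():
        fields = line.split()
        # Skip the header and anything that is not an addr:port entry.
        if len(fields) < 4 or ":" not in fields[1]:
            continue
        _addr, port_hex = fields[1].rsplit(":", 1)
        ports.add(int(port_hex, 16))
    return ports


def port_in_use(port, proto="tcp"):
    """Ask the kernel directly: bind() failing with EADDRINUSE means the port is taken."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind(("0.0.0.0", port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return True
            raise  # EACCES on ports < 1024 without root: unknown, do not guess
    return False


def hidden_ports(in_use, visible):
    """Ports the kernel reports busy that the socket listing does not show."""
    return sorted(set(in_use) - set(visible))


def scan(ports=range(1, 65536)):
    """Live scan on Linux: diff bind() results against /proc/net/tcp and tcp6."""
    visible = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        with open(path) as f:
            visible |= visible_ports(f.read())
    busy = [p for p in ports if port_in_use(p)]
    return hidden_ports(busy, visible)
```

A port that is busy but absent from both tables is what rootcheck reports as hidden; an entry in TIME_WAIT still appears in the table, so it does not produce a false positive.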

Nidhi Soni

Mar 30, 2023, 12:09:38 AM
to ossec-list
Hi,

I have installed the Reptile rootkit and did the required configurations as given in the Wazuh blog:

https://wazuh.com/blog/using-wazuh-rootcheck-to-detect-reptile-rootkit

I used this command to hide: /reptile/reptile_cmd conn <ip> <port> hide

After that, when I use netstat -tun | grep <port>, the network connection does not show up.

But I did not get alerts in alerts.json, and I also didn't get logs in archives.json for hidden ports.
