Getting Rule: 521 fired (level 11) -> "Possible kernel level rootkit"


Manish Pansiniya

Apr 1, 2024, 9:20:05 AM
to Wazuh | Mailing List
Hi Support Team,

I am getting the below error on my Wazuh:

Rule: 521 fired (level 11) -> "Possible kernel level rootkit"
Portion of the log(s):

Anomaly detected in file '/var/lib/elasticsearch/nodes/0/indices/wcIJRpExSBS8Mot-NRIvMA/1/index/.es_temp_file'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.
title: Anomaly detected in file '/var/lib/elasticsearch/nodes/0/indices/wcIJRpExSBS8Mot-NRIvMA/1/index/.es_temp_file'.

What needs to be checked, as I could not find this file in this location? How can I remove this error?

Kind Regards,
Manish

Stuti Gupta

Apr 12, 2024, 1:09:55 AM
to Wazuh | Mailing List
Hi Manish Pansiniya,
Sorry for the late response.

It seems the error you're seeing could be a false positive. When Wazuh detects a file during a directory listing but fails to find it when performing a detailed file check (stat), it might trigger this warning. This often happens with temporary files or those quickly removed by applications.

To verify, can you check if the file is visible with "ls -la /var/lib/elasticsearch/nodes/0/indices/wcIJRpExSBS8Mot-NRIvMA/1/index/"? Also, what's the output of "stat /var/lib/elasticsearch/nodes/0/indices/wcIJRpExSBS8Mot-NRIvMA/1/index/.es_temp_file"? This will help us understand the issue better.

In cases of false positives, you can create a rule to ignore them. For instance:

<rule id="100100" level="0">
  <if_group>rootcheck</if_group>
  <match>/var/lib/elasticsearch/nodes/0/indices/wcIJRpExSBS8Mot-NRIvMA/1/index/.es_temp_file</match>
  <description>Ignore false positive for /var/lib/elasticsearch/nodes/0/indices/wcIJRpExSBS8Mot-NRIvMA/1/index/.es_temp_file</description>
</rule>

This rule sets the level to 0 and uses a regex pattern to match the logs that are false positives.
You can refer to https://documentation.wazuh.com/current/user-manual/capabilities/malware-detection/rootkits-behavior-detection.html#check-hidden-files-using-system-calls

Let me know if you need further assistance or if there's anything else we should investigate.
Regards
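The readdir-versus-stat comparison behind rule 521, reproduced in Python as an added example (not Wazuh's own rootcheck code and not part of this thread). It parses the alert text quoted above to pull out the file path, lists a directory, stats every listed entry, and then re-checks any entry that failed so that a temporary file deleted between the two steps (the false-positive case the reply describes) is told apart from an entry that stays listed but still cannot be stat'ed. The directory, the `segments_1` and `.es_temp_file` names, and the deletion between the two steps are all constructed for the demonstration.

```python
import os
import re
import tempfile

# Matches the rootcheck message quoted in the thread and captures the file path.
ALERT_RE = re.compile(
    r"Anomaly detected in file '(?P<path>[^']+)'\. "
    r"Hidden from stats, but showing up on readdir"
)


def extract_path(log_line):
    """Return the file path named in a rule-521 alert line, or None if it is not one."""
    m = ALERT_RE.search(log_line)
    return m.group("path") if m else None


def readdir(directory):
    """Step 1 of the check: the entry names a directory listing reports."""
    return sorted(os.listdir(directory))


def stat_missing(directory, names):
    """Step 2: entries that were listed but cannot be stat'ed (lstat raises ENOENT)."""
    missing = []
    for name in names:
        path = os.path.join(directory, name)
        try:
            os.lstat(path)
        except FileNotFoundError:
            missing.append(path)
    return missing


def classify(path):
    """Re-run both steps for one path to separate a transient race from a real anomaly.

    visible    -> stat works now; the earlier failure was a race with the application
    transient  -> no longer listed and not stat-able; the file was simply removed
    persistent -> still listed by readdir yet not stat-able; this is the case worth
                  investigating rather than silencing with a level-0 rule
    """
    directory, name = os.path.split(path)
    listed = name in readdir(directory)
    try:
        os.lstat(path)
        return "visible"
    except FileNotFoundError:
        return "persistent" if listed else "transient"


def demo():
    """Constructed scenario: an application deletes its temp file between readdir and stat."""
    alert = ("Anomaly detected in file '/var/lib/elasticsearch/nodes/0/indices/"
             "wcIJRpExSBS8Mot-NRIvMA/1/index/.es_temp_file'. Hidden from stats, "
             "but showing up on readdir. Possible kernel level rootkit.")
    with tempfile.TemporaryDirectory() as d:
        for name in ("segments_1", ".es_temp_file"):  # constructed file names
            with open(os.path.join(d, name), "w") as f:
                f.write("x")
        names = readdir(d)
        # Simulated race: the temp file disappears after the listing, before the stat.
        os.remove(os.path.join(d, ".es_temp_file"))
        missing = stat_missing(d, names)
        verdicts = [classify(p) for p in missing]
        return {
            "alert_path": extract_path(alert),
            "listed": names,
            "missing_basenames": [os.path.basename(p) for p in missing],
            "verdicts": verdicts,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `classify()` against the path from a live alert is the quick triage step: a `transient` or `visible` verdict supports the false-positive explanation given above, while a `persistent` verdict means the entry really is listed but not stat-able and deserves a closer look before the alert is suppressed.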