You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I did not install the corresponding patched binaries of the corresponding rootkits, just some self-compiled fake modules which do nothing. Even if rootkits would be recognised by the occurrence of the installed patched binaries (netstat, ps, ls, lsmod, ... and friends) and Wazuh would recognise them by FIM checks, it is notwithstanding a good idea also to check for the existence the of loaded kernel modules triggering an alert on specific loaded modules.
User Acceptance Criteria
Check also for loaded kernel modules filtering for the names of the well known rootkit kernel modules
Do not use the lsmod binary for the examination since it could be replaced by the rootkit hiding its own kenel module, use /proc/modules itself.
generate an alert if one of the modules is loaded
Side Note
For testing with fake kernel modules you might consult this web page
Solution Suggestion
I implemented a solution which works and I detected in this connection a bug with CDB-lists.
Add this to agent's ossec.conf. The logger pipes the output into into syslog. I do not use the <full_command> tag for it generating syscheck events which aren't fully parsable as regular events:
Here the rule, it generates level 12 alerts if a rootkit kernel module is loaded. I used CDB lists with the blacklisted rootkit kernel modules which works impeccable with the ossec-logtest tool but not in real live (see bug report #1774). I replaced it by the enumeration of the ROOTKIT_LKM variable and the match tag which works in live. Since it is a level 12 rule it should send an e-mail if a rootkit kernel module is present which works with the <match> but NOT with the <list field="abc"> tag. Now, the rule:
First, sorry for the late answer.
These rules are very interesting. If you want to contribute with our repository you can create PR with your rules and decoders.
Feature Request
Description
I compiled and installed the following fake rootkit kernel modules on a test agent:
I did not install the corresponding patched binaries of the corresponding rootkits, just some self-compiled fake modules which do nothing. Even if rootkits would be recognised by the occurrence of the installed patched binaries (
netstat, ps, ls, lsmod, ...
and friends) and Wazuh would recognise them by FIM checks, it is notwithstanding a good idea also to check for the existence the of loaded kernel modules triggering an alert on specific loaded modules.User Acceptance Criteria
lsmod
binary for the examination since it could be replaced by the rootkit hiding its own kenel module, use/proc/modules
itself.Side Note
For testing with fake kernel modules you might consult this web page
Solution Suggestion
I implemented a solution which works and I detected in this connection a bug with CDB-lists.
ossec.conf
. The logger pipes the output into intosyslog
. I do not use the<full_command>
tag for it generatingsyscheck
events which aren't fully parsable as regular events:decoder
for that specific events (it's my first self-written decoder, feedback would be appreciated if there is optimisation potential):level 12
alerts if arootkit
kernel module is loaded. I usedCDB lists
with the blacklistedrootkit
kernel modules which works impeccable with theossec-logtest
tool but not in real live (see bug report #1774). I replaced it by the enumeration of theROOTKIT_LKM
variable and thematch
tag which works in live. Since it is alevel 12
rule it should send an e-mail if arootkit
kernel module is present which works with the<match>
but NOT with the<list field="abc">
tag. Now, the rule:And yes, feedback about how the decoder and the rule is written is highly welcome!
The text was updated successfully, but these errors were encountered: