Instant OSSEC Host-based Intrusion Detection by Brad Lhotsky

Detecting rootkits and anomalies (Simple)

OSSEC ships with a rootkit detection module, rootcheck, that looks for traces of rootkits, malware, and Trojans on the systems it monitors. This recipe looks briefly at configuring the rootcheck module.

Getting ready

The rootkit module runs inside the OSSEC syscheck daemon (ossec-syscheckd) rather than as a process of its own. It is made up of several checks, each of which can be switched on or off individually in the <rootcheck> section of ossec.conf. They are as follows:

  • File detection: This component compares the filesystem against OSSEC's signature lists of files left behind by known rootkits and of trojaned system binaries (the rootkit_files.txt and rootkit_trojans.txt databases)
  • /dev check: This component looks in /dev for regular files; a device directory should hold only device nodes, directories, symlinks, and FIFOs, so a real file there is a classic rootkit hiding place
  • PID check: This component looks for processes the kernel reports as existing (for example via kill() with signal 0) but which ps does not list
  • Port check: This component looks for ports that bind() reports as already in use but which netstat does not show
  • Interface check: This component looks for an interface in promiscuous mode ...
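The list above is easy to misread as "rootcheck consults ps and netstat". The point is the opposite: it asks the kernel directly (kill(), bind(), the interface flags, the raw contents of /dev) and then compares that answer with what the user-space tools report, because a rootkit that lies to ps or netstat usually does not bother lying to every syscall. The script below is an added illustration written for this page, not OSSEC's own code; rootcheck implements the same ideas in C inside ossec-syscheckd. It assumes Linux, root privileges for a complete port scan, and the ps and netstat binaries on PATH. SAMPLE_NETSTAT is a constructed sample rather than output captured from a real host, and all function names are the example's own.

```python
"""Probes in the spirit of rootcheck's PID, port, /dev and interface checks.
Added illustration, not OSSEC code.  Linux only; run as root so that bind()
on ports below 1024 reports EADDRINUSE instead of EACCES."""
import errno
import os
import socket
import stat
import subprocess

IFF_PROMISC = 0x100  # interface flag bit, <linux/if.h>

# Constructed sample of `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:44412          93.184.216.34:443       ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
unix  2      [ ACC ]     STREAM     LISTENING     12345    /run/x.sock
"""

def probe_pids(max_pid, start=1):
    """PIDs that kill(pid, 0) says exist.  This never reads /proc or runs ps,
    so a rootkit that hooks those cannot hide a process from it."""
    found = set()
    for pid in range(start, max_pid + 1):
        try:
            os.kill(pid, 0)            # signal 0: existence test, nothing sent
        except ProcessLookupError:
            continue
        except PermissionError:
            pass                       # exists, just not ours to signal
        found.add(pid)
    return found

def ps_pids():
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def still_hidden(pid):
    """Re-probe: exited between snapshots is innocent; alive with no /proc entry is not."""
    return pid in probe_pids(pid, start=pid) and not os.path.isdir(f"/proc/{pid}")

def hidden_pids(probed, listed, recheck=lambda pid: True):
    """Seen by syscalls, absent from the listing, and still so on recheck."""
    return {pid for pid in set(probed) - set(listed) if recheck(pid)}

def bound_ports(proto, ports=range(1, 65536)):
    """Ports bind() refuses with EADDRINUSE: something holds them, whatever netstat says."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    held = set()
    for port in ports:
        with socket.socket(socket.AF_INET, kind) as s:  # no SO_REUSEADDR on purpose
            try:
                s.bind(("0.0.0.0", port))
            except OSError as e:
                if e.errno == errno.EADDRINUSE:
                    held.add(port)
    return held

def parse_netstat(text, proto):
    """Local ports from `netstat -an` rows for tcp or udp (v4 and v6 rows)."""
    ports = set()
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0].startswith(proto):
            port = cols[3].rsplit(":", 1)[-1]
            if port.isdigit():
                ports.add(int(port))
    return ports

def suspicious_dev_entries(entries, ignore_prefixes=("/dev/shm/",)):
    """entries: (path, st_mode) pairs.  Device nodes, dirs, symlinks and FIFOs
    belong in /dev; a regular file there is a classic rootkit stash."""
    return sorted(p for p, mode in entries
                  if stat.S_ISREG(mode) and not p.startswith(ignore_prefixes))

def walk_dev(root="/dev"):
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            yield path, os.lstat(path).st_mode

def promisc_flags(flags_hex):
    """True if IFF_PROMISC is set in a /sys/class/net/<if>/flags value."""
    return bool(int(flags_hex, 16) & IFF_PROMISC)

if __name__ == "__main__":
    probed = probe_pids(int(open("/proc/sys/kernel/pid_max").read()))
    print("hidden pids:", sorted(hidden_pids(probed, ps_pids(), still_hidden)))
    ns = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    for proto in ("tcp", "udp"):
        print(f"hidden {proto} ports:", sorted(bound_ports(proto) - parse_netstat(ns, proto)))
    print("regular files in /dev:", suspicious_dev_entries(walk_dev()))
    sysfs = "/sys/class/net"
    print("promiscuous interfaces:", [i for i in os.listdir(sysfs) if os.path.isfile(f"{sysfs}/{i}/flags")
                                      and promisc_flags(open(f"{sysfs}/{i}/flags").read())])
```

Run it as root with python3. Expect some noise on a busy host: processes that exit and ephemeral ports that close between the two snapshots show up as candidates, which is why the PID path re-probes before reporting; rootcheck retries in the same spirit. Two caveats a practitioner should keep in mind: a kernel-level rootkit that hooks the syscalls themselves defeats this kind of cross-check, so it is one layer, not proof; and the IFF_PROMISC flag only reflects promiscuous mode switched on through the interface flags (ifconfig or the equivalent ioctl), while a sniffer that requests it through a packet-socket membership bumps the promiscuity counter shown by `ip -d link` without setting the flag, a blind spot shared by any flags-based check.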
