Hi, I have installed the Reptile rootkit and did the required configuration as given in the Wazuh blog:
https://wazuh.com/blog/using-wazuh-rootcheck-to-detect-reptile-rootkit

I used this command to hide:

    /reptile/reptile_cmd conn <ip> <port> hide

After that, when I use:

    netstat -tun | grep <port>

the network connection does not show up. But I did not get alerts in alerts.json, and I also didn't get logs in archives.json for hidden ports.

On Tuesday, March 14, 2023 at 5:11:43 PM UTC+5:30 victor....@wazuh.com wrote:
> Hi Nidhi,
>
> To enable the hidden ports scan, please follow the steps below:
>
> 1. Enable the check_ports option by modifying the following configuration in your Wazuh agent:
>
>     <rootcheck>
>       <disabled>no</disabled>
>       <check_ports>yes</check_ports>
>       ....
>       <frequency>43200</frequency>
>       ...
>     </rootcheck>
>
> 2. Restart the Wazuh agent: systemctl restart wazuh-agent
>
> Using this configuration, if a hidden port is detected, an alert with the following message will be triggered:
>
> "Port <PORT> hidden Kernel-level rootkit or trojaned version of netstat."
>
> To test this scenario, you can use appropriate tools to hide your process from netstat. Please perform any proof of concept in a separate testing environment to avoid affecting your production environment.
>
> If you have any doubts, please do not hesitate to ask.
>
> On Wednesday, March 1, 2023 at 7:27:25 AM UTC Nidhi Soni wrote:
>> Hi all,
>>
>> I have Wazuh manager version 4.3.7 installed on Ubuntu.
>>
>> I have Wazuh agent 4.3.7 installed on Ubuntu.
>>
>> How can I get alerts for hidden ports using rootcheck?
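An added example (my own illustration, not Wazuh's rootcheck code) of the comparison a hidden-port check like the one described in this thread rests on: a port that bind() refuses with EADDRINUSE is in use by something, so if netstat does not list it, either netstat or the kernel view it reads from has been tampered with. The netstat text is constructed, the probe binds 0.0.0.0 and needs root for ports below 1024, and `netstat -tuan` (listening sockets included, unlike the `-tun` used above) is assumed as the source of a live listing.

```python
import errno
import socket
from typing import Set, Tuple

# Constructed `netstat -tuan` output: sshd listening on 22, resolver on udp/53.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.20:51234      ESTABLISHED
udp        0      0 127.0.0.53:53           0.0.0.0:*
"""


def port_in_use(port: int, proto: str) -> bool:
    """Probe one port by trying to bind it. No SO_REUSEADDR, so any existing
    socket on the port makes bind() fail. Ports below 1024 need root."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind(("0.0.0.0", port))
            return False
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return True
            raise  # EACCES etc. means "unknown", not "in use"; don't mask it


def ports_from_netstat(output: str) -> Set[Tuple[str, int]]:
    """Parse netstat table text into {(proto, local_port)}. tcp6/udp6 collapse
    onto tcp/udp; the port is whatever follows the last ':' of Local Address."""
    seen: Set[Tuple[str, int]] = set()
    for line in output.splitlines():
        f = line.split()
        if len(f) < 4 or not f[0].startswith(("tcp", "udp")):
            continue
        port_str = f[3].rsplit(":", 1)[-1]
        if port_str.isdigit():
            seen.add((f[0][:3], int(port_str)))
    return seen


def find_hidden(in_use: Set[Tuple[str, int]], netstat_output: str) -> Set[Tuple[str, int]]:
    """Ports the kernel says are taken but netstat does not report (the 'Port <PORT> hidden' condition)."""
    return in_use - ports_from_netstat(netstat_output)


def scan(ports, netstat_output: str) -> Set[Tuple[str, int]]:
    """Probe each port over tcp and udp, then diff the result against the netstat text."""
    in_use = {(p, n) for n in ports for p in ("tcp", "udp") if port_in_use(n, p)}
    return find_hidden(in_use, netstat_output)
```

Run scan(range(1, 65536), netstat_text) as root to sweep every port against a live listing.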