Work at SourceForge, help us to make it a better place! We have an immediate need for a Support Technician in our San Francisco or Denver office.

Close

#10 Modularize rootkits signatures

main
closed
unSpawn
Rkhunter (37)
5
2008-02-20
2007-07-25
rabbler
No

I wouldn't mind looking into this myself, but I think it would be a great to have the "default rookit"'s modularized into single files and not just lumped into the executable script.

This would make it much easier for additions and changes, and perhaps setup a signature submission much like snort.

Correct me if I am wrong but I do not see a file in the db directory to add files to be scanned.

Thanks.

Discussion

  • unSpawn
    unSpawn
    2007-07-25

    Logged In: YES
    user_id=600864
    Originator: NO

    Hello Rabbler,

    > I wouldn't mind looking into this myself,
    We don't mind either :-]

    > I think it would be a great to have the "default rookit"'s modularized
    All sigs in one .dat file would be more efficient wrt updates indeed.
    If you fancy working on it: a shell script demo or patch would definately be appreciated.

    Cheers, unSpawn

     
  • rabbler
    rabbler
    2007-08-10

    Logged In: YES
    user_id=1804236
    Originator: YES

    So after a few hours at work I finally got around to dissecting the rkhunter bash script, and attempted and for the most part succeeded what I had planned to do.

    I took into account your suggestion about putting everything into one dat file and determined that would be only a bit less messy than it was before.

    What I ended up doing was creating a method which gets executed, arbitrarily, during the additional_rootkit_checks() method. This method, possible_rootkit_custom_definitions_checks(), gatherers the names of all the files in a predetermined directory, ${RKHINSTALLDIR}/var/lib/rkhunter/db/definitions/*, and imports the definition files.

    This way eliminates having to add the path definitions and execution of scanrootkit in two separate places. I understand that its probably cleaner to do it the former way when trying to put everything in one file, but for individual files this is much easier. The logistics of updating multiple files might be more complicated than a single .dat file, but thats nothing a rsync or just downloading and extracting a tar file couldn't handle. Im sure the paths could

    Let me know what you all think.

    PS. I hate BASH...

    rkhunter code:
    
    possible\_rootkit\_custom\_definitions\_checks\(\) \{
    
    display --to SCREEN+LOG --type PLAIN --nl --screen-indent 2 CUSTOM\_START
    
    for FILEPATH in $\{DB\_PATH\}/var/lib/rkhunter/db/definitions/\*
    do
    display --to SCREEN+LOG --type PLAIN --result OK --screen-indent 4 --log-indent $
    . $FILEPATH
    
    \#Runs method in definition based on file name
    script\_method=\`basename "$FILEPATH"\`
    $script\_method
    done
    
    return
    \}
    

    Add to additional_rootkit_checks(), not that the location matters:

    possible_rootkit_custom_definitions_checks

    en definition entries:
    
    CUSTOM\_START:Performing custom definition check
    CUSTOM\_DEFINITION\_FILE:Adding Custom Definition: $1
    

    Definition Example:
    # cat custom_test
    custom_test() {

    SCAN_ROOTKIT="test"
    SCAN_FILES="${RKHROOTDIR}/bin/bash
    ${RKHROOTDIR}/bin/ls"

    #SCAN_DIRS="${RKHROOTDIR}/bin"
    scanrootkit
    }

    ls definitions/
    custom_test custom_test2

    ./rkhunter --configfile ../etc/rkhunter.conf --enable additional_rkts
    [ Rootkit Hunter version 1.3.0 ]

    Checking for rootkits...

    Performing additional rootkit checks
    Suckit Rookit additional checks [ OK ]
    Checking for possible rootkit files and directories [ None found ]
    Checking for possible rootkit strings [ None found ]

    Performing custom definition check
    Adding Custom Definition: /tmp/rkhunter/usr/local/var/lib/rkhunter/db/definitions/custom_test[ OK ]
    test [ Warning ]
    Adding Custom Definition: /tmp/rkhunter/usr/local/var/lib/rkhunter/db/definitions/custom_test2[ OK ]
    blah [ Warning ]

    System checks summary

    File properties checks...
    All checks skipped

    Rootkit checks...
    Rootkits checked : 46
    Possible rootkits: 2
    Rootkit names : test, blah

    Applications checks...
    All checks skipped

    The system checks took: 9 seconds

    All results have been written to the logfile (/var/log/rkhunter.log)

    One or more warnings have been found while checking the system.
    Please check the log file (/var/log/rkhunter.log)


     
  • rabbler
    rabbler
    2007-08-11

    • labels: --> Rkhunter
    • priority: 5 --> 6
    • status: open --> pending
     
  • rabbler
    rabbler
    2007-08-11

    • status: pending --> open
     
  • unSpawn
    unSpawn
    2008-02-20

    • assigned_to: nobody --> unspawn
    • milestone: --> main
    • priority: 6 --> 5
    • status: open --> closed
     
  • unSpawn
    unSpawn
    2008-02-20

    Logged In: YES
    user_id=600864
    Originator: NO

    Please see issue 1775081 for closing comments.