Modularize rootkits signatures
Brought to you by:
dogsbody
I wouldn't mind looking into this myself, but I think it would be great to have the "default rootkits" modularized into single files and not just lumped into the executable script.
This would make it much easier for additions and changes, and perhaps set up a signature submission much like Snort.
Correct me if I am wrong but I do not see a file in the db directory to add files to be scanned.
Thanks.
Logged In: YES
user_id=600864
Originator: NO
Hello Rabbler,
> I wouldn't mind looking into this myself,
We don't mind either :-]
> I think it would be great to have the "default rootkits" modularized
All sigs in one .dat file would be more efficient wrt updates indeed.
If you fancy working on it: a shell script demo or patch would definitely be appreciated.
Cheers, unSpawn
Logged In: YES
user_id=1804236
Originator: YES
So after a few hours at work I finally got around to dissecting the rkhunter bash script, and attempted, and for the most part succeeded in, what I had planned to do.
I took into account your suggestion about putting everything into one dat file and determined that would be only a bit less messy than it was before.
What I ended up doing was creating a method which gets executed, arbitrarily, during the additional_rootkit_checks() method. This method, possible_rootkit_custom_definitions_checks(), gathers the names of all the files in a predetermined directory, ${RKHINSTALLDIR}/var/lib/rkhunter/db/definitions/*, and imports the definition files.
This way eliminates having to add the path definitions and execution of scanrootkit in two separate places. I understand that it's probably cleaner to do it the former way when trying to put everything in one file, but for individual files this is much easier. The logistics of updating multiple files might be more complicated than a single .dat file, but that's nothing an rsync or just downloading and extracting a tar file couldn't handle. Im sure the paths could
Let me know what you all think.
PS. I hate BASH...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rkhunter code:
possible_rootkit_custom_definitions_checks() {
    display --to SCREEN+LOG --type PLAIN --nl --screen-indent 2 CUSTOM_START
    # Every file in the definitions directory is sourced in turn
    for FILEPATH in ${DB_PATH}/var/lib/rkhunter/db/definitions/*
    do
        display --to SCREEN+LOG --type PLAIN --result OK --screen-indent 4 --log-indent $
        . $FILEPATH
        # Runs method in definition based on file name
        script_method=`basename "$FILEPATH"`
        $script_method
    done
    return
}
en definition entries:
CUSTOM_START:Performing custom definition check
CUSTOM_DEFINITION_FILE:Adding Custom Definition: $1
~~~~~~~~~~~~~~~~~~~~~
Definition Example:
# cat custom_test
custom_test() {
    SCAN_ROOTKIT="test"
    SCAN_FILES="${RKHROOTDIR}/bin/bash
${RKHROOTDIR}/bin/ls"
    #SCAN_DIRS="${RKHROOTDIR}/bin"
    scanrootkit
}
ls definitions/
custom_test custom_test2
./rkhunter --configfile ../etc/rkhunter.conf --enable additional_rkts
[ Rootkit Hunter version 1.3.0 ]
Checking for rootkits...
Performing additional rootkit checks
Suckit Rookit additional checks [ OK ]
Checking for possible rootkit files and directories [ None found ]
Checking for possible rootkit strings [ None found ]
Performing custom definition check
Adding Custom Definition: /tmp/rkhunter/usr/local/var/lib/rkhunter/db/definitions/custom_test[ OK ]
test [ Warning ]
Adding Custom Definition: /tmp/rkhunter/usr/local/var/lib/rkhunter/db/definitions/custom_test2[ OK ]
blah [ Warning ]
System checks summary
File properties checks...
All checks skipped
Rootkit checks...
Rootkits checked : 46
Possible rootkits: 2
Rootkit names : test, blah
Applications checks...
All checks skipped
The system checks took: 9 seconds
All results have been written to the logfile (/var/log/rkhunter.log)
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
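The loader described in the post above sources every file in a directory and then calls a function named after the file, so the definitions directory effectively becomes executable code run with the scanner's privileges. The following is an added example (not rkhunter code, and not Rabbler's patch) of the same loading scheme with the checks a defender would want in front of the `.` line: each file must be a regular file, owned by the invoking user, not group- or world-writable, and named like a valid shell function, and the function must actually exist after sourcing. The definitions directory, the definition files and the `scanrootkit` stand-in are all constructed here so the script runs offline.

```shell
#!/bin/sh
# Added example, not rkhunter code. Models per-file rootkit definitions that
# each define a function named after the file, loaded from one directory.

# Constructed stand-in for rkhunter's scanrootkit: records which rootkit
# definition ran and which of its SCAN_FILES exist on this machine.
scanrootkit() {
    FOUND_ROOTKITS="${FOUND_ROOTKITS}${FOUND_ROOTKITS:+,}${SCAN_ROOTKIT}"
    for f in ${SCAN_FILES}; do
        [ -e "$f" ] && FOUND_FILES="${FOUND_FILES} $f"
    done
    return 0
}

# Trust checks applied before a definition file is sourced:
#  - regular file (symlinks are rejected because find does not follow them)
#  - owned by the user running the scan (root in practice)
#  - not writable by group or others
#  - basename usable as a shell function name
definition_is_trusted() {
    path=$1
    name=$(basename "$path")
    [ -f "$path" ] || return 1
    case "$name" in
        *[!A-Za-z0-9_]* | [0-9]*) return 1 ;;
    esac
    bad=$(find "$path" \( ! -type f -o ! -user "$(id -un)" \
                          -o -perm -020 -o -perm -002 \) -print)
    [ -z "$bad" ]
}

# Load every trusted definition in $1 and run its function.
# Sets LOADED, REJECTED, FOUND_ROOTKITS and FOUND_FILES in the caller's shell.
load_definitions() {
    dir=$1
    LOADED=0; REJECTED=0; FOUND_ROOTKITS=""; FOUND_FILES=""
    for path in "$dir"/*; do
        [ -e "$path" ] || continue          # empty directory: glob stays literal
        if ! definition_is_trusted "$path"; then
            REJECTED=$((REJECTED + 1)); continue
        fi
        name=$(basename "$path")
        . "$path"
        # Only call it if sourcing really produced a function of that name
        if type "$name" 2>/dev/null | grep -q function; then
            "$name"
            LOADED=$((LOADED + 1))
        else
            REJECTED=$((REJECTED + 1))
        fi
    done
}

# Constructed fixture: one good definition plus two that must be rejected.
make_fixture() {
    defs=$(mktemp -d)
    cat > "$defs/custom_test" <<'EOF'
custom_test() {
    SCAN_ROOTKIT="test"
    SCAN_FILES="/bin/sh /bin/ls"
    scanrootkit
}
EOF
    chmod 0644 "$defs/custom_test"
    # world-writable file: anyone could plant code here
    printf 'evil() { :; }\n' > "$defs/evil";     chmod 0666 "$defs/evil"
    # name is not a valid function identifier
    printf 'x() { :; }\n'    > "$defs/bad-name"; chmod 0644 "$defs/bad-name"
    echo "$defs"
}

DEFS=$(make_fixture)
load_definitions "$DEFS"
echo "loaded=$LOADED rejected=$REJECTED rootkits=$FOUND_ROOTKITS files=$FOUND_FILES"
rm -rf "$DEFS"
```

Running it prints one loaded definition and two rejected ones. The identifier check matters beyond cosmetics: the original loader runs `$script_method` unquoted, so a file name containing spaces or shell metacharacters would not simply fail, it would be word-split before being executed.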
Logged In: YES
user_id=600864
Originator: NO
Please see issue 1775081 for closing comments.