Rootcheck Output Samples

docs/ref/modules/rootcheck/output-samples.md

This document provides examples of alerts generated by the rootcheck module for various detection scenarios.

Note: Wazuh 5.0 uses JSON format with ECS (Elastic Common Schema) for alerts stored in /var/ossec/logs/alerts/alerts.json. All examples in this document are from actual alerts captured in a Wazuh deployment.

Alert Structure

Rootcheck alerts follow the ECS (Elastic Common Schema) format:

```json
{
  "@timestamp": "2026-01-16T00:12:30Z",
  "wazuh": {
    "protocol": {
      "queue": 57,
      "location": "rootcheck"
    },
    "cluster": {
      "name": "wazuh"
    },
    "integration": {
      "category": "security",
      "name": "wazuh-rootcheck",
      "decoders": ["core-wazuh-message", "integrations", "wazuh-rootcheck"]
    }
  },
  "agent": {
    "name": "ubuntu22",
    "version": "Wazuh v5.0.0",
    "id": "002"
  },
  "host": {
    "os": {
      "name": "Ubuntu",
      "version": "22.04.5 LTS",
      "platform": "ubuntu",
      "kernel": "Linux |ubuntu22 |6.17.9-76061709-generic |..."
    },
    "ip": ["172.20.0.2"],
    "architecture": "x86_64"
  },
  "event": {
    "original": "<detection message>",
    "category": ["host", "malware"],
    "dataset": "wazuh.rootcheck",
    "kind": "alert",
    "type": ["info", "indicator"],
    "outcome": "success"
  },
  "data_stream": {
    "dataset": "wazuh.rootcheck",
    "type": "logs"
  },
  "wazuh_rootcheck": {
    "anomaly": {
      "type": "<anomaly-type>"
    }
  }
}
```

Detection Examples

1. Suspicious File in /dev Directory

Scenario: Malware hides files in the /dev directory

Alert:

```json
{
  "@timestamp": "2026-01-16T00:00:40Z",
  "wazuh": {
    "protocol": {
      "queue": 57,
      "location": "rootcheck"
    },
    "cluster": {
      "name": "wazuh"
    },
    "integration": {
      "category": "security",
      "name": "wazuh-rootcheck",
      "decoders": ["core-wazuh-message", "integrations", "wazuh-rootcheck"]
    }
  },
  "agent": {
    "name": "ubuntu22",
    "version": "Wazuh v4.14.3",
    "id": "002"
  },
  "host": {
    "os": {
      "name": "Ubuntu",
      "version": "22.04.5 LTS",
      "full": "Jammy Jellyfish",
      "platform": "ubuntu",
      "kernel": "Linux |ubuntu22 |6.17.9-76061709-generic |#202511241048~1764607909~24.04~df6b2b6 SMP PREEMPT_DYNAMIC Mon D |x86_64"
    },
    "ip": ["172.20.0.2"],
    "architecture": "x86_64"
  },
  "event": {
    "original": "File '/dev/test_rootcheck' present on /dev. Possible hidden file.",
    "category": ["host", "malware", "file"],
    "dataset": "wazuh.rootcheck",
    "kind": "alert",
    "type": ["info", "indicator"],
    "outcome": "success"
  },
  "data_stream": {
    "dataset": "wazuh.rootcheck",
    "type": "logs"
  },
  "file": {
    "path": "/dev/test_rootcheck",
    "directory": "/dev",
    "name": "test_rootcheck"
  },
  "wazuh_rootcheck": {
    "anomaly": {
      "type": "dev-file"
    }
  }
}
```

Explanation:

  • /dev should only contain device files
  • Regular files or hidden files are suspicious
  • Common technique to hide malware or data
  • wazuh_rootcheck.anomaly.type: dev-file

2. Network Interface in Promiscuous Mode

Scenario: Network interface configured to capture all traffic

Alert:

```json
{
  "@timestamp": "2026-01-16T17:06:33Z",
  "wazuh": {
    "protocol": {
      "queue": 57,
      "location": "rootcheck"
    },
    "cluster": {
      "name": "wazuh"
    },
    "integration": {
      "category": "security",
      "name": "wazuh-rootcheck",
      "decoders": ["core-wazuh-message", "integrations", "wazuh-rootcheck"]
    }
  },
  "agent": {
    "name": "suse-15.6_v2",
    "version": "Wazuh v4.14.1",
    "id": "005"
  },
  "host": {
    "os": {
      "name": "SLES",
      "version": "15-SP6",
      "platform": "sles",
      "kernel": "Linux |suse-15.6_v2 |6.17.9-76061709-generic |#202511241048~1764607909~24.04~df6b2b6 SMP PREEMPT_DYNAMIC Mon D |x86_64"
    },
    "ip": ["172.20.0.4"],
    "architecture": "x86_64"
  },
  "event": {
    "original": "Interface 'eth1' in promiscuous mode, but ifconfig is not showing it(probably trojaned).",
    "category": ["host", "malware"],
    "dataset": "wazuh.rootcheck",
    "kind": "alert",
    "type": ["info", "indicator"],
    "outcome": "success"
  },
  "data_stream": {
    "dataset": "wazuh.rootcheck",
    "type": "logs"
  }
}
```

Explanation:

  • Network interface capturing all packets, not just those addressed to it
  • May indicate packet sniffing or network monitoring tool
  • Can be legitimate (e.g., network monitoring tools) but requires investigation

Note about "ifconfig not showing it": The message mentions ifconfig not showing the promiscuous mode. This can occur for two reasons:

  1. Legacy command issue (common): Modern Linux distributions use ip command instead of ifconfig. The rootcheck module tries to cross-verify using ifconfig, but if it's not installed, it reports this as suspicious. This is a false positive on systems without net-tools package.
  2. Actual trojaned tools (rare): System commands have been replaced with trojaned versions that hide the promiscuous mode.

To verify the actual status on modern systems:

```bash
ip link show eth1 | grep PROMISC
```

If you see the PROMISC flag and ifconfig doesn't exist, this is expected behavior on modern systems and not necessarily malicious.

3. Hidden Process Detection

Scenario: Process is hidden from /proc filesystem, indicating kernel-level rootkit

Alert:

```json
{
  "@timestamp": "2026-01-16T14:22:15Z",
  "wazuh": {
    "protocol": {
      "queue": 57,
      "location": "rootcheck"
    },
    "cluster": {
      "name": "wazuh"
    },
    "integration": {
      "category": "security",
      "name": "wazuh-rootcheck",
      "decoders": ["core-wazuh-message", "integrations", "wazuh-rootcheck"]
    }
  },
  "agent": {
    "name": "ubuntu22",
    "version": "Wazuh v5.0.0",
    "id": "002"
  },
  "host": {
    "os": {
      "name": "Ubuntu",
      "version": "22.04.5 LTS",
      "platform": "ubuntu",
      "kernel": "Linux |ubuntu22 |6.17.9-76061709-generic |#202511241048~1764607909~24.04~df6b2b6 SMP PREEMPT_DYNAMIC Mon D |x86_64"
    },
    "ip": ["172.20.0.2"],
    "architecture": "x86_64"
  },
  "event": {
    "original": "Process '1234' hidden from /proc. Possible kernel level rootkit.",
    "category": ["host", "malware", "process"],
    "dataset": "wazuh.rootcheck",
    "kind": "alert",
    "type": ["info", "indicator"],
    "outcome": "success"
  },
  "data_stream": {
    "dataset": "wazuh.rootcheck",
    "type": "logs"
  },
  "process": {
    "pid": 1234
  },
  "wazuh_rootcheck": {
    "anomaly": {
      "type": "hidden-process"
    }
  }
}
```

Explanation:

  • Process exists in the system but is hidden from the /proc filesystem
  • Strong indicator of kernel-level rootkit
  • Process can be detected by system calls (kill, getsid) but not visible in /proc
  • wazuh_rootcheck.anomaly.type: hidden-process
  • Requires immediate investigation as this is a critical security indicator

Alternative Detection Messages: Rootcheck may also detect hidden processes with these variations:

  • Process 'PID' hidden from kill (X) or getsid (Y). Possible kernel-level rootkit.
  • Process 'PID' hidden from kill (X), getsid (Y) or getpgid. Possible kernel-level rootkit.
  • Process 'PID' hidden from ps. Possible trojaned version installed.

4. Hidden Port Detection

Scenario: Network port is listening but hidden from netstat output

Alert:

```json
{
  "@timestamp": "2026-01-16T15:45:28Z",
  "wazuh": {
    "protocol": {
      "queue": 57,
      "location": "rootcheck"
    },
    "cluster": {
      "name": "wazuh"
    },
    "integration": {
      "category": "security",
      "name": "wazuh-rootcheck",
      "decoders": ["core-wazuh-message", "integrations", "wazuh-rootcheck"]
    }
  },
  "agent": {
    "name": "ubuntu22",
    "version": "Wazuh v5.0.0",
    "id": "002"
  },
  "host": {
    "os": {
      "name": "Ubuntu",
      "version": "22.04.5 LTS",
      "platform": "ubuntu",
      "kernel": "Linux |ubuntu22 |6.17.9-76061709-generic |#202511241048~1764607909~24.04~df6b2b6 SMP PREEMPT_DYNAMIC Mon D |x86_64"
    },
    "ip": ["172.20.0.2"],
    "architecture": "x86_64"
  },
  "event": {
    "original": "Port '31337'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.",
    "category": ["host", "malware", "network"],
    "dataset": "wazuh.rootcheck",
    "kind": "alert",
    "type": ["info", "indicator"],
    "outcome": "success"
  },
  "data_stream": {
    "dataset": "wazuh.rootcheck",
    "type": "logs"
  },
  "destination": {
    "port": 31337
  },
  "network": {
    "transport": "tcp"
  },
  "wazuh_rootcheck": {
    "anomaly": {
      "type": "hidden-port"
    }
  }
}
```

Explanation:

  • Port is actively listening and accepting connections
  • Port is not shown in netstat output (hidden from system administrators)
  • Strong indicator of kernel-level rootkit or compromised netstat binary
  • Common technique used by backdoors and rootkits to hide C2 channels
  • wazuh_rootcheck.anomaly.type: hidden-port
  • Port numbers commonly used by malware (e.g., 31337, 12345, 1337)

Detection Method: Rootcheck detects hidden ports by:

  1. Attempting to connect to commonly used backdoor ports
  2. Checking if netstat shows the listening port
  3. If connection succeeds but netstat doesn't show it, the port is hidden

5. World-Writable File Owned by Root

Scenario: System file has dangerous permissions

Alert:

```json
{
  "@timestamp": "2026-01-16T00:12:30Z",
  "wazuh": {
    "protocol": {
      "queue": 57,
      "location": "rootcheck"
    },
    "cluster": {
      "name": "wazuh"
    },
    "integration": {
      "category": "security",
      "name": "wazuh-rootcheck",
      "decoders": ["core-wazuh-message", "integrations", "wazuh-rootcheck"]
    }
  },
  "agent": {
    "name": "agent-suse15-7",
    "version": "Wazuh v5.0.0",
    "id": "003"
  },
  "host": {
    "os": {
      "name": "SLES",
      "version": "15-SP7",
      "platform": "sles",
      "kernel": "Linux |suse-15.7 |6.17.9-76061709-generic |#202511241048~1764607909~24.04~df6b2b6 SMP PREEMPT_DYNAMIC Mon D |x86_64"
    },
    "ip": ["172.20.0.3"],
    "architecture": "x86_64"
  },
  "event": {
    "original": "File '/tmp/wazuh_rootcheck_test_177799/sys_test/world_writable_root_file' is owned by root and has written permissions to anyone.",
    "category": ["host", "configuration", "file"],
    "dataset": "wazuh.rootcheck",
    "kind": "alert",
    "type": ["info"],
    "outcome": "success"
  },
  "data_stream": {
    "dataset": "wazuh.rootcheck",
    "type": "logs"
  },
  "file": {
    "path": "/tmp/wazuh_rootcheck_test_177799/sys_test/world_writable_root_file",
    "directory": "/tmp/wazuh_rootcheck_test_177799/sys_test",
    "name": "world_writable_root_file",
    "owner": "root"
  },
  "wazuh_rootcheck": {
    "file": {
      "permissions": "1777"
    },
    "vulnerability": {
      "type": "world-writable"
    }
  },
  "related": {
    "user": ["root"]
  }
}
```

Explanation:

  • Critical system file has dangerous permissions
  • Allows any user to modify the file
  • Security misconfiguration or potential compromise
  • wazuh_rootcheck.vulnerability.type: world-writable

Alert Fields (ECS Format)

Common Fields

All rootcheck alerts include:

| Field | Description | Example |
|---|---|---|
| `@timestamp` | When the detection occurred (ISO 8601) | `2026-01-16T10:35:57Z` |
| `wazuh.protocol.location` | Alert source | `rootcheck` |
| `agent.id` | Agent identifier | `002` |
| `agent.name` | Agent hostname | `ubuntu22` |
| `agent.version` | Wazuh agent version | `Wazuh v5.0.0` |
| `event.original` | Full detection message | `File '/dev/test' present...` |
| `event.category` | Event categories (array) | `["host", "malware"]` |
| `event.kind` | Event kind | `alert` |
| `host.os.name` | Operating system | `Ubuntu` |
| `host.ip` | Host IP addresses (array) | `["172.20.0.2"]` |

Detection-Specific Fields

Additional fields depending on detection type:

| Field | Present In | Description |
|---|---|---|
| `file.path` | File-related detections | Full path to suspicious file |
| `file.name` | File-related detections | File name only |
| `file.directory` | File-related detections | Directory path |
| `file.owner` | Permission issues | File owner |
| `process.pid` | Process detections | Process identifier |
| `destination.port` | Port detections | Port number |
| `network.transport` | Port detections | Network protocol (tcp/udp) |
| `wazuh_rootcheck.anomaly.type` | Anomaly detections | Type of anomaly detected |
| `wazuh_rootcheck.vulnerability.type` | Vulnerabilities | Type of vulnerability |
| `wazuh_rootcheck.file.permissions` | File permissions | Permission mode |

Anomaly and Vulnerability Types

The wazuh_rootcheck.anomaly.type field indicates the detection type:

| Type | Description | Example in This Document |
|---|---|---|
| `dev-file` | Suspicious file in /dev directory | Example 1 |
| `hidden-process` | Process hidden from /proc or system tools | Example 3 |
| `hidden-port` | Network port hidden from netstat | Example 4 |

The wazuh_rootcheck.vulnerability.type field indicates vulnerability types:

| Type | Description | Example in This Document |
|---|---|---|
| `world-writable` | Files writable by all users | Example 5 |

Note: The examples in this document represent the main detection capabilities of the rootcheck module. Additional detection patterns may exist for other system anomalies and security issues.

Viewing Alerts

On Wazuh Manager

Real-time JSON alerts:

```bash
tail -f /var/ossec/logs/alerts/alerts.json
```

Filter rootcheck alerts with jq:

```bash
tail -f /var/ossec/logs/alerts/alerts.json | jq 'select(.wazuh.protocol.location=="rootcheck")'
```

Pretty print specific fields:

```bash
tail -f /var/ossec/logs/alerts/alerts.json | jq 'select(.wazuh.protocol.location=="rootcheck") | {
  time: ."@timestamp",
  agent: .agent.name,
  message: .event.original,
  anomaly: .wazuh_rootcheck.anomaly.type
}'
```

Exclude scan start/end messages:

```bash
tail -f /var/ossec/logs/alerts/alerts.json | jq 'select(.wazuh.protocol.location=="rootcheck" and (.event.original | (contains("Starting") or contains("Ending")) | not))'
```

Query Specific Alert Types

Files in /dev directory:

```bash
jq 'select(.wazuh.protocol.location=="rootcheck" and .wazuh_rootcheck.anomaly.type=="dev-file")' /var/ossec/logs/alerts/alerts.json
```

World-writable files:

```bash
jq 'select(.wazuh.protocol.location=="rootcheck" and .wazuh_rootcheck.vulnerability.type=="world-writable")' /var/ossec/logs/alerts/alerts.json
```

Promiscuous mode (search in message):

```bash
jq 'select(.wazuh.protocol.location=="rootcheck" and (.event.original | contains("promiscuous")))' /var/ossec/logs/alerts/alerts.json
```

Specific agent:

```bash
jq 'select(.wazuh.protocol.location=="rootcheck" and .agent.name=="ubuntu22")' /var/ossec/logs/alerts/alerts.json
```

On Wazuh Dashboard

Navigate to Threat Hunting or Discover module and use these filters:

All rootcheck alerts:

```
wazuh.protocol.location: rootcheck
```

Exclude scan messages:

```
wazuh.protocol.location: rootcheck AND NOT event.original: ("Starting rootcheck scan" OR "Ending rootcheck scan")
```

Specific detection types:

```
wazuh_rootcheck.anomaly.type: dev-file
wazuh_rootcheck.vulnerability.type: world-writable
```

Specific agent:

```
wazuh.protocol.location: rootcheck AND agent.name: ubuntu22
```

By event category:

```
wazuh.protocol.location: rootcheck AND event.category: malware
```

Alert Response Actions

| Detection | Severity | Recommended Action |
|---|---|---|
| Suspicious /dev file | Medium | Examine file content, check file history |
| Promiscuous Mode | Medium | Verify legitimate use (monitoring tools), investigate if unexpected |
| Hidden Process | Critical | Immediately isolate system, conduct forensic analysis, check for rootkit |
| Hidden Port | Critical | Immediately isolate system, investigate C2 communication, analyze network traffic |
| World-Writable | Medium | Correct permissions, investigate how they changed |

Investigation Steps

  1. Isolate the system (if critical detection)
  2. Collect forensic data before remediation
  3. Cross-reference with other logs (FIM, Syscollector, command monitoring)
  4. Verify with manual checks (ls -la, ip link, stat)
  5. Take action based on findings

False Positives

Common False Positive Scenarios

  1. Promiscuous Mode - "ifconfig not showing it (probably trojaned)":

    • Cause: Modern Linux distributions don't include ifconfig command (replaced by ip command from iproute2). Rootcheck detects promiscuous mode correctly but can't verify with ifconfig, so it reports as suspicious.
    • Verification: Run ip link show <interface> | grep PROMISC to confirm the interface is actually in promiscuous mode
    • Solution: If legitimate (e.g., network monitoring), this is expected. Consider adding interface to ignore list or installing net-tools package if available.
  2. Promiscuous Mode - Legitimate monitoring:

    • Cause: Legitimate network monitoring tools (tcpdump, Wireshark, network security tools)
    • Solution: Verify tool legitimacy and add exception if needed
  3. Device Directory Files:

    • Cause: Custom device drivers, special hardware, test files
    • Solution: Add to ignore list if verified legitimate
  4. World-Writable Test Files:

    • Cause: Temporary test files, development environments
    • Solution: Review and remove unnecessary test files, or add to ignore list

Handling False Positives

Use ignore patterns in configuration:

```xml
<rootcheck>
  <ignore type="sregex">/dev/custom-device</ignore>
  <ignore type="sregex">/tmp/test_.*</ignore>
</rootcheck>
```

Or create custom rules to reduce severity of known false positives.

Working with JSON Alerts

Extract Specific Information

Get all rootcheck alert messages:

```bash
jq -r 'select(.wazuh.protocol.location=="rootcheck") | .event.original' /var/ossec/logs/alerts/alerts.json
```

Count alerts by anomaly type:

```bash
jq -r 'select(.wazuh.protocol.location=="rootcheck") | .wazuh_rootcheck.anomaly.type // empty' /var/ossec/logs/alerts/alerts.json | sort | uniq -c
```

List affected agents:

```bash
jq -r 'select(.wazuh.protocol.location=="rootcheck") | .agent.name' /var/ossec/logs/alerts/alerts.json | sort -u
```

Export alerts to CSV:

```bash
jq -r 'select(.wazuh.protocol.location=="rootcheck") | [."@timestamp", .agent.name, .event.original, .wazuh_rootcheck.anomaly.type // "N/A"] | @csv' /var/ossec/logs/alerts/alerts.json > rootcheck_alerts.csv
```

Get file paths from detections:

```bash
jq -r 'select(.wazuh.protocol.location=="rootcheck" and .file.path?) | .file.path' /var/ossec/logs/alerts/alerts.json
```

Advanced Filtering

Alerts from last hour:

```bash
# Get timestamp from 1 hour ago
ONE_HOUR_AGO=$(date -u -d '1 hour ago' '+%Y-%m-%dT%H:%M:%SZ')

jq --arg time "$ONE_HOUR_AGO" 'select(.wazuh.protocol.location=="rootcheck" and ."@timestamp" > $time)' /var/ossec/logs/alerts/alerts.json
```

Multiple conditions:

```bash
# Malware category alerts from specific agent
jq 'select(.wazuh.protocol.location=="rootcheck" and .agent.name=="ubuntu22" and (.event.category | contains(["malware"])))' /var/ossec/logs/alerts/alerts.json
```

Group by agent and anomaly type:

```bash
jq -r 'select(.wazuh.protocol.location=="rootcheck") | "\(.agent.name),\(.wazuh_rootcheck.anomaly.type // "N/A")"' /var/ossec/logs/alerts/alerts.json | sort | uniq -c
```

Statistical Analysis

Count alerts per agent:

```bash
jq -r 'select(.wazuh.protocol.location=="rootcheck") | .agent.name' /var/ossec/logs/alerts/alerts.json | sort | uniq -c | sort -rn
```

Alerts timeline (by hour):

```bash
jq -r 'select(.wazuh.protocol.location=="rootcheck") | ."@timestamp" | split("T")[1] | split(":")[0]' /var/ossec/logs/alerts/alerts.json | sort | uniq -c
```
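The following Python script is an added example, not Wazuh's own code or documentation: it does offline, in one pass, what the jq one-liners and the Alert Response Actions table above do separately (keep rootcheck alerts, drop scan start/end messages, classify each detection by its wazuh_rootcheck type or, for promiscuous mode which carries no type field, by message text, assign a severity, and suppress ignored paths). The ignore matching uses Python regexes as a stand-in for rootcheck's sregex, and the sample lines are constructed, abridged copies of the alerts shown on this page.

```python
import json
import re
from collections import Counter

# Severity per detection type, following the "Alert Response Actions" table on this page.
SEVERITY = {"dev-file": "Medium", "hidden-process": "Critical", "hidden-port": "Critical",
            "world-writable": "Medium", "promiscuous": "Medium"}

def classify(alert):
    """Return the detection type, or None for scan start/end noise and unknown messages."""
    # Anomaly/vulnerability alerts carry wazuh_rootcheck.<kind>.type; the promiscuous-mode
    # alert (example 2) carries neither, so it is matched on event.original instead.
    rc = alert.get("wazuh_rootcheck", {})
    kind = rc.get("anomaly", {}).get("type") or rc.get("vulnerability", {}).get("type")
    if kind:
        return kind
    if "promiscuous" in alert.get("event", {}).get("original", ""):
        return "promiscuous"
    return None

def triage(lines, ignore_patterns=()):
    """Parse alerts.json lines; return (findings list, Counter of findings per severity)."""
    # ignore_patterns are Python regexes tested against file.path: an assumption of this
    # example standing in for rootcheck's own <ignore type="sregex"> matching.
    ignores = [re.compile(p) for p in ignore_patterns]
    findings, by_severity = [], Counter()
    for line in lines:
        if not line.strip():
            continue
        alert = json.loads(line)
        if alert.get("wazuh", {}).get("protocol", {}).get("location") != "rootcheck":
            continue  # another module's alert (e.g. syscheck) in the same file
        kind = classify(alert)
        if kind is None:
            continue
        path = alert.get("file", {}).get("path")
        if path and any(r.search(path) for r in ignores):
            continue  # verified false positive, suppressed
        sev = SEVERITY.get(kind, "Unknown")
        findings.append({"agent": alert["agent"]["name"], "type": kind,
                         "severity": sev, "message": alert["event"]["original"]})
        by_severity[sev] += 1
    return findings, by_severity

# Constructed sample lines: abridged versions of the alert shapes shown on this page.
SAMPLE = """
{"wazuh":{"protocol":{"location":"rootcheck"}},"agent":{"name":"ubuntu22"},"event":{"original":"Starting rootcheck scan."}}
{"wazuh":{"protocol":{"location":"rootcheck"}},"agent":{"name":"ubuntu22"},"event":{"original":"File '/dev/test_rootcheck' present on /dev. Possible hidden file."},"file":{"path":"/dev/test_rootcheck"},"wazuh_rootcheck":{"anomaly":{"type":"dev-file"}}}
{"wazuh":{"protocol":{"location":"rootcheck"}},"agent":{"name":"suse-15.6_v2"},"event":{"original":"Interface 'eth1' in promiscuous mode, but ifconfig is not showing it(probably trojaned)."}}
{"wazuh":{"protocol":{"location":"rootcheck"}},"agent":{"name":"ubuntu22"},"event":{"original":"Port '31337'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat."},"destination":{"port":31337},"wazuh_rootcheck":{"anomaly":{"type":"hidden-port"}}}
{"wazuh":{"protocol":{"location":"rootcheck"}},"agent":{"name":"agent-suse15-7"},"event":{"original":"File '/tmp/wazuh_rootcheck_test_177799/sys_test/world_writable_root_file' is owned by root and has written permissions to anyone."},"file":{"path":"/tmp/wazuh_rootcheck_test_177799/sys_test/world_writable_root_file"},"wazuh_rootcheck":{"vulnerability":{"type":"world-writable"}}}
{"wazuh":{"protocol":{"location":"syscheck"}},"agent":{"name":"ubuntu22"},"event":{"original":"not a rootcheck alert"}}
"""

if __name__ == "__main__":
    found, counts = triage(SAMPLE.splitlines(), ignore_patterns=[r"^/tmp/wazuh_rootcheck_test_"])
    for f in found:
        print(f"[{f['severity']}] {f['agent']}: {f['type']} - {f['message']}")
    print(dict(counts))  # {'Medium': 2, 'Critical': 1} with the /tmp test file ignored
```

Point it at the real file with `triage(open("/var/ossec/logs/alerts/alerts.json"))` to get the same summary for a live manager.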

See Also