Hi,
My Wazuh SIEM detected a process without a proc entry and said it was a possible rootkit. The only new things I installed were Wazuh and Suricata. Does Suricata use a self-defense measure to hide itself from the Linux ‘ps’ command?
No, it does not do anything of the sort.
Confusingly, we have the security.limit-noproc option, but it is described as “prevent process creation by Suricata”. This is a different thing, right?
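The kind of check behind the "process without a proc entry" alert in the question compares two views of the PID space: what the kernel acknowledges via a harmless probe versus what /proc shows. Below is an added illustration of that logic in Python; it is not Wazuh's or Suricata's code, and the injectable `exists`/`visible` callables and the `confirm_rounds` re-check are assumptions made so the logic can be exercised on constructed data and so a process that exits mid-scan is not reported.

```python
import os
from typing import Callable, Iterable, List

def pid_exists(pid: int) -> bool:
    """Probe a PID without signalling it: kill(pid, 0) reports whether the
    kernel knows the PID. EPERM means it exists but is owned by another
    user; ESRCH means there is no such process."""
    try:
        os.kill(pid, 0)
        return True
    except PermissionError:
        return True
    except ProcessLookupError:
        return False

def has_proc_entry(pid: int) -> bool:
    """Look the PID up by path. A path lookup also resolves thread IDs,
    which readdir('/proc') omits; listing /proc instead would flag every
    thread of a multithreaded daemon (Suricata included) as 'hidden'."""
    return os.path.isdir(f"/proc/{pid}")

def find_hidden_pids(pids: Iterable[int],
                     exists: Callable[[int], bool] = pid_exists,
                     visible: Callable[[int], bool] = has_proc_entry,
                     confirm_rounds: int = 2) -> List[int]:
    """Return PIDs the kernel acknowledges but that have no /proc entry.
    Each candidate is re-checked confirm_rounds times so that a process
    exiting between the two probes is not reported as a rootkit."""
    hidden = []
    for pid in pids:
        if pid <= 0:
            continue  # kill(0, 0) would target the caller's process group
        if all(exists(pid) and not visible(pid) for _ in range(confirm_rounds)):
            hidden.append(pid)
    return hidden

def pid_max() -> int:
    """Upper bound of the PID space to scan (kernel default if unreadable)."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except OSError:
        return 32768

if __name__ == "__main__":
    for pid in find_hidden_pids(range(1, pid_max() + 1)):
        print(f"PID {pid} is alive but missing from /proc: investigate")
```

A PID that is reported here repeatedly, and that `ps` also omits, is worth inspecting from a known-clean boot medium rather than from the possibly compromised host.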