Hi.

I am using Wazuh (ossec fork) as an HIDS on a machine running ASSP.

It has a rule where it will monitor open ports.  A couple of the assp udp ports change.  The output looks like this:

Rule: 533 fired (level 7) -> "Listened ports status (netstat) changed (new port 
opened or closed)."
Portion of the log(s):

ossec: output: 'netstat listening ports':
tcp 0.0.0.0:22 0.0.0.0:* 863/sshd
tcp6 :::22 :::* 863/sshd
tcp 0.0.0.0:25 0.0.0.0:* 2305/perl
udp 0.0.0.0:123 0.0.0.0:* 1658/ntpd
udp 127.0.0.1:123 0.0.0.0:* 1658/ntpd
udp 192.168.90.10:123 0.0.0.0:* 1658/ntpd
udp6 ::1:123 :::* 1658/ntpd
udp6 :::123 :::* 1658/ntpd
tcp 0.0.0.0:125 0.0.0.0:* 1621/master
tcp 0.0.0.0:465 0.0.0.0:* 2305/perl
tcp 0.0.0.0:2525 0.0.0.0:* 2305/perl
tcp 127.0.0.1:3306 0.0.0.0:* 1258/mysqld
udp 0.0.0.0:42540 0.0.0.0:* 2305/perl
*udp 0.0.0.0:47142 0.0.0.0:* 2305/perl*
*udp 0.0.0.0:49514 0.0.0.0:* 2305/perl*
udp 0.0.0.0:49534 0.0.0.0:* 2305/perl
udp 0.0.0.0:54808 0.0.0.0:* 2305/perl
tcp 0.0.0.0:55553 0.0.0.0:* 2305/perl

Another time it looks like:

Rule: 533 fired (level 7) -> "Listened ports status (netstat) changed (new port 
opened or closed)."
Portion of the log(s):

ossec: output: 'netstat listening ports':
tcp 0.0.0.0:22 0.0.0.0:* 863/sshd
tcp6 :::22 :::* 863/sshd
tcp 0.0.0.0:25 0.0.0.0:* 2305/perl
udp 0.0.0.0:123 0.0.0.0:* 1658/ntpd
udp 127.0.0.1:123 0.0.0.0:* 1658/ntpd
udp 192.168.90.10:123 0.0.0.0:* 1658/ntpd
udp6 ::1:123 :::* 1658/ntpd
udp6 :::123 :::* 1658/ntpd
tcp 0.0.0.0:125 0.0.0.0:* 1621/master
tcp 0.0.0.0:465 0.0.0.0:* 2305/perl
tcp 0.0.0.0:2525 0.0.0.0:* 2305/perl
tcp 127.0.0.1:3306 0.0.0.0:* 1258/mysqld
*udp 0.0.0.0:42139 0.0.0.0:* 2305/perl*
udp 0.0.0.0:42540 0.0.0.0:* 2305/perl
udp 0.0.0.0:49534 0.0.0.0:* 2305/perl
*udp 0.0.0.0:52302 0.0.0.0:* 2305/perl*
udp 0.0.0.0:54808 0.0.0.0:* 2305/perl
tcp 0.0.0.0:55553 0.0.0.0:* 2305/perl
tcp 0.0.0.0:55555 0.0.0.0:* 2305/perl

Is there any way to keep a static list of UDP ports so it doesn't trigger a Wazuh alert?

thanks,
Geoff
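Added example, not part of Geoff's message and not code from ASSP or Wazuh: a POSIX shell filter that turns the `netstat listening ports` output into a view that stays stable across ASSP's ephemeral UDP sockets while still reporting every other change. Rule 533 fires because the text of that command's output differs from the previous run, so the practical fix is to normalise the output before it is compared. `stable_ports` drops UDP sockets owned by one named program whose local port lies in the ephemeral range (assumed here to be the Linux default `net.ipv4.ip_local_port_range` of 32768-60999; check the host's real value), and `port_changes` diffs two normalised snapshots. The sample snapshots are the two listings quoted above with the `*` highlighting removed; the filter assumes the "proto local foreign pid/program" form shown there, not raw `netstat -tulpn` output.

```shell
#!/bin/sh
# Constructed sample input (added example): the two listings from the post,
# in the "proto local foreign pid/program" form that Wazuh's
# 'netstat listening ports' command emits, without the '*' emphasis marks.
SNAP_A='tcp 0.0.0.0:22 0.0.0.0:* 863/sshd
tcp6 :::22 :::* 863/sshd
tcp 0.0.0.0:25 0.0.0.0:* 2305/perl
udp 0.0.0.0:123 0.0.0.0:* 1658/ntpd
udp 127.0.0.1:123 0.0.0.0:* 1658/ntpd
udp 192.168.90.10:123 0.0.0.0:* 1658/ntpd
udp6 ::1:123 :::* 1658/ntpd
udp6 :::123 :::* 1658/ntpd
tcp 0.0.0.0:125 0.0.0.0:* 1621/master
tcp 0.0.0.0:465 0.0.0.0:* 2305/perl
tcp 0.0.0.0:2525 0.0.0.0:* 2305/perl
tcp 127.0.0.1:3306 0.0.0.0:* 1258/mysqld
udp 0.0.0.0:42540 0.0.0.0:* 2305/perl
udp 0.0.0.0:47142 0.0.0.0:* 2305/perl
udp 0.0.0.0:49514 0.0.0.0:* 2305/perl
udp 0.0.0.0:49534 0.0.0.0:* 2305/perl
udp 0.0.0.0:54808 0.0.0.0:* 2305/perl
tcp 0.0.0.0:55553 0.0.0.0:* 2305/perl'

SNAP_B='tcp 0.0.0.0:22 0.0.0.0:* 863/sshd
tcp6 :::22 :::* 863/sshd
tcp 0.0.0.0:25 0.0.0.0:* 2305/perl
udp 0.0.0.0:123 0.0.0.0:* 1658/ntpd
udp 127.0.0.1:123 0.0.0.0:* 1658/ntpd
udp 192.168.90.10:123 0.0.0.0:* 1658/ntpd
udp6 ::1:123 :::* 1658/ntpd
udp6 :::123 :::* 1658/ntpd
tcp 0.0.0.0:125 0.0.0.0:* 1621/master
tcp 0.0.0.0:465 0.0.0.0:* 2305/perl
tcp 0.0.0.0:2525 0.0.0.0:* 2305/perl
tcp 127.0.0.1:3306 0.0.0.0:* 1258/mysqld
udp 0.0.0.0:42139 0.0.0.0:* 2305/perl
udp 0.0.0.0:42540 0.0.0.0:* 2305/perl
udp 0.0.0.0:49534 0.0.0.0:* 2305/perl
udp 0.0.0.0:52302 0.0.0.0:* 2305/perl
udp 0.0.0.0:54808 0.0.0.0:* 2305/perl
tcp 0.0.0.0:55553 0.0.0.0:* 2305/perl
tcp 0.0.0.0:55555 0.0.0.0:* 2305/perl'

# Second listing without its new TCP listener: only ephemeral UDP churn remains.
SNAP_C=$(printf '%s\n' "$SNAP_B" | grep -v ':55555 ')

# stable_ports PROGRAM [LOW] [HIGH]
# Drop UDP sockets owned by PROGRAM whose local port lies in LOW..HIGH
# (assumed default: the Linux net.ipv4.ip_local_port_range of 32768-60999).
# Everything else passes through, so new TCP listeners from the same process
# and UDP listeners outside the range are still reported.
stable_ports() {
    awk -v prog="$1" -v low="${2:-32768}" -v high="${3:-60999}" '
        {
            n = split($2, addr, ":"); port = addr[n] + 0   # text after the last ":" is the port
            split($4, owner, "/"); name = owner[2]         # "pid/program" -> program
            if ($1 ~ /^udp/ && name == prog && port >= low && port <= high) next
            print
        }'
}

# port_changes OLD NEW PROGRAM
# Normalise both snapshots, then print "- line" for listeners that vanished
# and "+ line" for listeners that appeared. Returns 0 when the stable view is
# unchanged (nothing printed) and 1 when it changed.
port_changes() {
    out=$(
        {
            printf '%s\n' "$1" | stable_ports "$3" | sed 's/^/A /'
            printf '%s\n' "$2" | stable_ports "$3" | sed 's/^/B /'
        } | awk '
            { line = substr($0, 3); if ($1 == "A") a[line] = 1; else b[line] = 1 }
            END {
                for (l in a) if (!(l in b)) print "- " l
                for (l in b) if (!(l in a)) print "+ " l
            }' | LC_ALL=C sort
    )
    if [ -n "$out" ]; then printf '%s\n' "$out"; fi
    [ -z "$out" ]
}

# Stand-alone run: what still changes once perl's ephemeral UDP ports are ignored.
port_changes "$SNAP_A" "$SNAP_B" perl || echo "stable view changed"
```

The filter is deliberately narrow: it hides only UDP, only for the one named program, and only inside the ephemeral range, so the new `tcp 0.0.0.0:55555` listener that the second listing shows for the same perl process is still reported, as is any UDP socket below 32768. Hooking it into Wazuh means appending `stable_ports perl` to the pipeline behind the `netstat listening ports` command alias in the agent's ossec.conf; the exact stanza depends on the Wazuh version and is not reproduced here.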


_______________________________________________
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user