These are static DNS-UDP-Resolver sockets. The lifetime of such a socket (one in each thread) is one hour (3600 s) in idle state (unused) by default. The lifetime can be set by changing the hidden variable $DNSresolverLifeTime (lifetime in seconds). 'DNSReuseSocket' has to be enabled. If a DNS query fails for any reason, $DNSresolverLifeTime and 'DNSReuseSocket' are ignored, the socket is closed and a new socket is created.

> Is there any way to keep a static list of UDP ports so it doesn't trigger a wazuh alert?

The answer is: NO. Even if you set $DNSresolverLifeTime to a very high value, it may happen that UDP sockets change unexpectedly.

Thomas

From: "Geoff Nordli" <geo...@gnaa.net>
To: assp-user@lists.sourceforge.net
Date: 26.06.2020 06:11
Subject: [Assp-user] netstat ports keep changing -- anyway to keep them static

Hi.

I am using Wazuh (ossec fork) as an HIDS on a machine running ASSP. It has a rule where it will monitor open ports. A couple of the assp udp ports change.

The output looks like this:

Rule: 533 fired (level 7) -> "Listened ports status (netstat) changed (new port opened or closed)."
Portion of the log(s):

ossec: output: 'netstat listening ports':
tcp 0.0.0.0:22 0.0.0.0:* 863/sshd
tcp6 :::22 :::* 863/sshd
tcp 0.0.0.0:25 0.0.0.0:* 2305/perl
udp 0.0.0.0:123 0.0.0.0:* 1658/ntpd
udp 127.0.0.1:123 0.0.0.0:* 1658/ntpd
udp 192.168.90.10:123 0.0.0.0:* 1658/ntpd
udp6 ::1:123 :::* 1658/ntpd
udp6 :::123 :::* 1658/ntpd
tcp 0.0.0.0:125 0.0.0.0:* 1621/master
tcp 0.0.0.0:465 0.0.0.0:* 2305/perl
tcp 0.0.0.0:2525 0.0.0.0:* 2305/perl
tcp 127.0.0.1:3306 0.0.0.0:* 1258/mysqld
udp 0.0.0.0:42540 0.0.0.0:* 2305/perl
udp 0.0.0.0:47142 0.0.0.0:* 2305/perl
udp 0.0.0.0:49514 0.0.0.0:* 2305/perl
udp 0.0.0.0:49534 0.0.0.0:* 2305/perl
udp 0.0.0.0:54808 0.0.0.0:* 2305/perl
tcp 0.0.0.0:55553 0.0.0.0:* 2305/perl

Another time it looks like:

Rule: 533 fired (level 7) -> "Listened ports status (netstat) changed (new port opened or closed)."
Portion of the log(s):

ossec: output: 'netstat listening ports':
tcp 0.0.0.0:22 0.0.0.0:* 863/sshd
tcp6 :::22 :::* 863/sshd
tcp 0.0.0.0:25 0.0.0.0:* 2305/perl
udp 0.0.0.0:123 0.0.0.0:* 1658/ntpd
udp 127.0.0.1:123 0.0.0.0:* 1658/ntpd
udp 192.168.90.10:123 0.0.0.0:* 1658/ntpd
udp6 ::1:123 :::* 1658/ntpd
udp6 :::123 :::* 1658/ntpd
tcp 0.0.0.0:125 0.0.0.0:* 1621/master
tcp 0.0.0.0:465 0.0.0.0:* 2305/perl
tcp 0.0.0.0:2525 0.0.0.0:* 2305/perl
tcp 127.0.0.1:3306 0.0.0.0:* 1258/mysqld
udp 0.0.0.0:42139 0.0.0.0:* 2305/perl
udp 0.0.0.0:42540 0.0.0.0:* 2305/perl
udp 0.0.0.0:49534 0.0.0.0:* 2305/perl
udp 0.0.0.0:52302 0.0.0.0:* 2305/perl
udp 0.0.0.0:54808 0.0.0.0:* 2305/perl
tcp 0.0.0.0:55553 0.0.0.0:* 2305/perl
tcp 0.0.0.0:55555 0.0.0.0:* 2305/perl

Is there any way to keep a static list of UDP ports so it doesn't trigger a wazuh alert?

thanks,
Geoff

_______________________________________________
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user
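Since the resolver's UDP source ports cannot be pinned, the practical fix is on the monitoring side: compare snapshots after collapsing the ASSP process's high UDP ports into one marker, so only a genuinely new listener (like the extra TCP port in the second listing) is reported. The following is an added example, not code from ASSP, Wazuh or the thread; the sample snapshots are constructed from the netstat lines above, and the "perl" program name and the 32768 ephemeral-port floor are assumptions to adjust for the host.

```python
import re
# Constructed sample snapshots modelled on the two netstat listings in the thread,
# trimmed to the lines that matter; the ASSP process shows up as "2305/perl".
SNAPSHOT_A = """\
tcp 0.0.0.0:22 0.0.0.0:* 863/sshd
udp 0.0.0.0:123 0.0.0.0:* 1658/ntpd
udp 0.0.0.0:42540 0.0.0.0:* 2305/perl
udp 0.0.0.0:47142 0.0.0.0:* 2305/perl
udp 0.0.0.0:49514 0.0.0.0:* 2305/perl
tcp 0.0.0.0:55553 0.0.0.0:* 2305/perl
"""
SNAPSHOT_B = """\
tcp 0.0.0.0:22 0.0.0.0:* 863/sshd
udp 0.0.0.0:123 0.0.0.0:* 1658/ntpd
udp 0.0.0.0:42139 0.0.0.0:* 2305/perl
udp 0.0.0.0:42540 0.0.0.0:* 2305/perl
udp 0.0.0.0:52302 0.0.0.0:* 2305/perl
tcp 0.0.0.0:55553 0.0.0.0:* 2305/perl
tcp 0.0.0.0:55555 0.0.0.0:* 2305/perl
"""

# proto, local addr:port, foreign addr, pid/program, as printed by netstat -lnp
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+(\S+):(\d+)\s+\S+\s+(\d+)/(\S+)$")

def parse(snapshot):
    """Return a set of (proto, addr, port, program) tuples; the PID is dropped
    because a daemon restart changes it without changing the exposure."""
    entries = set()
    for line in snapshot.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, addr, port, _pid, prog = m.groups()
            entries.add((proto, addr, int(port), prog))
    return entries

def normalize(entries, resolver_prog="perl", ephemeral_low=32768):
    """Collapse the resolver's high UDP source ports into one marker entry so a
    rotated socket is not reported; 32768 is an assumed Linux ephemeral floor."""
    out = set()
    for proto, addr, port, prog in entries:
        if proto.startswith("udp") and prog == resolver_prog and port >= ephemeral_low:
            out.add((proto, addr, "ephemeral", prog))
        else:
            out.add((proto, addr, port, prog))
    return out

def diff(old, new):
    """Return (opened, closed) lists of normalized entries between two snapshots."""
    a, b = normalize(parse(old)), normalize(parse(new))
    return sorted(b - a, key=repr), sorted(a - b, key=repr)
```

Run as a pre-filter in front of the port-change rule, the comparison stays silent when only the resolver's UDP ports rotate but still flags the new TCP listener on port 55555.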