Daniel,

After re-reading your post I realized that I misunderstood you at first... Anyhow, after ten minutes of googling whether newer Linux kernels address this problem of not seeing ports that are just bound, I came upon a tool called "unhide" and "unhide-tcp" that detects these ports as well... Might inclusion of this help OSSEC get rid of false positives in cases where ports are just bound but not listened on...?

I posted a comment and link on http://www.ossec.net/dcid/?p=87

Cheers,
Jaka
