I am trying to track listen port changes on our Linux hosts. I
followed the instructions in Daniel's blog. I got that working;
however, I was interested in fine-tuning the setup to try and limit
what netstat picks up and reports. Here is my setup.

In my agent.conf file, I have the following:


<agent_config name="host1|host2">
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat-ossec.sh</command>
  </localfile>
</agent_config>

Here is the actual command that is run. I tried using this full
command spelled out inside the XML, but for some reason OSSEC was
not handling the parsing of the command well.

What I end up with is just the protocol, the IP address, the port, and
process name if one is associated with the listening port.

netstat -lnp | grep -E 'udp|tcp' | awk '{print $1,$4,$6,$7}' \
  | awk '{sub(/[: \t]+$/, "")};1' | awk '{sub(/ LISTEN/, "")};1' \
  | awk 'BEGIN { FS = "[/ \t]" } ; { print $1,$2,$4 }'

I am sure someone with more AWK experience than I could come up with a
better way, but this works for me. I am open to advice.:-)

Here is the rule I created.

<rule id="140128" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'netstat-ossec</match>
  <check_diff />
  <description>Listen ports have changed.</description>
</rule>

I did have a few problems with setting this up. The first being what I
mentioned above, that OSSEC did not handle well lots of options and
pipes in the full_command field. The workaround was just to make the
command a script with its own name. I am in the process of making the
script more robust by adding options for ignoring certain processes.
The other issue had to do with modifying the command itself. Once it
was created, pushed to the client, and processed, I could not get OSSEC
to update the last-entry file on the server side. The only way to work
around this was to create a new rule number and delete the old.

-Reggie

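The post above wants a script for the full_command localfile that can ignore chosen processes and not trip the check_diff rule needlessly. Here is an added example of such a script; it is not Reggie's netstat-ossec.sh, and the program names it ignores and the sample netstat output it carries are assumptions, not captured from any host.

```shell
#!/bin/sh
# Added example, not Reggie's netstat-ossec.sh: normalise `netstat -lnp`
# output for an OSSEC full_command localfile paired with a check_diff rule.
# Any program names given as arguments are left out of the report (the
# ignore option the post mentions wanting; the names are assumptions).

# listen_summary [prog ...]: read netstat -lnp output on stdin and print
# "proto local-address program", one listener per line, sorted. Sorted,
# stable output matters because check_diff compares the whole output with
# the previous run; a mere reordering must not raise a "ports changed" alert.
listen_summary() {
    awk -v ignore="$*" '
        BEGIN { n = split(ignore, ig, " "); for (i = 1; i <= n; i++) skip[ig[i]] = 1 }
        # keep socket rows only; netstat prints a title and a header line first
        $1 !~ /^(tcp|udp)6?$/ { next }
        {
            # tcp rows carry a State column (LISTEN) before PID/Program; udp rows do not
            pidprog = ($6 == "LISTEN") ? $7 : $6
            prog = pidprog
            sub(/^[0-9]*\//, "", prog)   # "812/sshd" -> "sshd"; "-" stays "-" (no permission)
            if (prog in skip) next
            print $1, $4, prog
        }' | LC_ALL=C sort
}

# Constructed sample of netstat -lnp output, used by --sample and by the
# offline check; it is not captured from a real host.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1044/master
tcp6       0      0 :::80                   :::*                    LISTEN      -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           701/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           650/chronyd'

case "${1:-}" in
    --sample) shift; printf '%s\n' "$SAMPLE" | listen_summary "$@" ;;  # offline demo
    *)        netstat -lnp 2>/dev/null | listen_summary "$@" ;;       # what OSSEC runs
esac
```

Point the localfile at this script (with any ignored names as arguments) and keep the rule's check_diff; only a genuine change in the sorted listener set will then differ from the last stored output.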