I don't, not a single one. Can you point me in the right direction to figure out why not?
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Friday, October 15, 2010 2:26 PM
To: [email protected]
Subject: Re: [ossec-list] RE: Checking Open Ports

It seems to run on Windows XP:

2010/10/13 17:22:09 ossec-agent: INFO: Monitoring full output of command(360): netstat -an | find "LISTEN"

No errors yet. Windows 2000 is ancient, so I don't have a copy to test.

The command runs periodically. Looking through the logs on my manager I see it running every 12-50 minutes. And I do periodically get alerts from it.

On Fri, Oct 15, 2010 at 4:24 PM, Jefferson, Shawn <[email protected]> wrote:
> Some more information on the problem.
>
> Ok, I've turned on debugging and the command is definitely running, and output is being written to the agent log file. However, it either doesn't appear to be making it to the server or the server is ignoring it.
>
> I've turned up logging on the server too, but don't see anything in the ossec.log file related to my agents sending the netstat data to the server.
>
> PS. Running a command on Windows 2000 doesn't work; it gives an error in the ossec.log and the service stops.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Jefferson, Shawn
> Sent: Friday, October 15, 2010 10:07 AM
> To: [email protected]
> Subject: [ossec-list] Checking Open Ports
>
> I've broken this out into a separate thread. I'd really like to get this working, but I've had no luck yet. I've upgraded my manager to 2.5.1 and one Linux client and one Windows client to 2.5.1, and in the logs for each agent there is now this:
>
> 2010/10/14 16:24:10 ossec-agent: INFO: Monitoring full output of command(360): netstat -an | find "LISTEN"
>
> and
>
> 2010/10/14 15:58:35 ossec-logcollector: INFO: Monitoring full output of command(360): netstat -tan |grep LISTEN|grep -v 127.0.0.1
>
> But unfortunately, I am not receiving any alerts when open ports change.
>
> Here's the rule I have set up on the manager in local rules:
>
> <rule id="105000" level="7">
>   <if_sid>530</if_sid>
>   <match>ossec: output: 'netstat</match>
>   <check_diff />
>   <description>Listening ports have changed.</description>
> </rule>
>
> There is also nothing in the queue/diff directory on my manager.
>
> How often is the command supposed to be run on an agent? i.e. how long after the open ports change should I expect an alert?
>
> Why is this not working? I don't even seem to get any rule 530 firing off. Both manager and agents have been restarted.
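The thread's rule relies on check_diff, which alerts whenever the stored previous command output differs from the new one, so the agent's raw netstat text is what gets compared. The script below is an added example, not code from the list thread or from OSSEC itself: it parses the two command outputs the thread configures (Windows `netstat -an | find "LISTEN"` and Linux `netstat -tan | grep LISTEN | grep -v 127.0.0.1`) into a normalized set of listening sockets and reports what was added or removed between runs. The sample outputs are constructed, and the function names (`parse_listeners`, `diff_listeners`, `raw_output_changed`) are this example's own. Comparing normalized sets rather than raw text also shows why a full-output diff fires on a mere reordering of netstat lines even when no port actually changed.

```python
import re

# Constructed sample outputs (not captured from a real host). They mimic what
# the agent commands in the thread emit after the find/grep filter.
WINDOWS_RUN_1 = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
"""
# Same sockets as run 1, listed in a different order.
WINDOWS_RUN_2 = """\
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
"""
# Run 1 with a new listener on 8080 and the 139 listener gone.
WINDOWS_RUN_3 = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
"""
LINUX_RUN = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
"""

# "addr:port" where port is numeric; matches the local-address column on both
# platforms (the foreign column ends in ":0" on Windows but ":*" on Linux).
_LOCAL_RE = re.compile(r"^(?P<addr>.+):(?P<port>\d+)$")
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_listeners(output, ignore_loopback=False):
    """Return a set of (proto, local_addr, port) for every LISTEN/LISTENING line."""
    listeners = set()
    for line in output.splitlines():
        tokens = line.split()
        # Windows prints LISTENING, Linux prints LISTEN; UDP lines have no state.
        if len(tokens) < 3 or not tokens[-1].upper().startswith("LISTEN"):
            continue
        proto = tokens[0].lower()
        # First token that looks like addr:port is the local address.
        match = next((_LOCAL_RE.match(t) for t in tokens[1:] if _LOCAL_RE.match(t)), None)
        if match is None:
            continue
        addr, port = match.group("addr"), int(match.group("port"))
        if ignore_loopback and addr in LOOPBACK:
            continue  # same effect as the thread's grep -v 127.0.0.1
        listeners.add((proto, addr, port))
    return listeners


def diff_listeners(before, after):
    """Sockets that appeared or disappeared between two parsed runs."""
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def raw_output_changed(before, after):
    """Byte-for-byte comparison, roughly what a full-output diff of the command sees."""
    return before.strip() != after.strip()


def format_report(diff):
    if not diff["added"] and not diff["removed"]:
        return "no change in listening sockets"
    lines = [f"+ {p} {a}:{port}" for p, a, port in diff["added"]]
    lines += [f"- {p} {a}:{port}" for p, a, port in diff["removed"]]
    return "\n".join(lines)


if __name__ == "__main__":
    run1, run2, run3 = (parse_listeners(r) for r in (WINDOWS_RUN_1, WINDOWS_RUN_2, WINDOWS_RUN_3))
    print("run1 -> run2 raw text differs:", raw_output_changed(WINDOWS_RUN_1, WINDOWS_RUN_2))
    print("run1 -> run2 sockets:", format_report(diff_listeners(run1, run2)))
    print("run1 -> run3 sockets:\n" + format_report(diff_listeners(run1, run3)))
    print("linux, loopback ignored:", sorted(parse_listeners(LINUX_RUN, ignore_loopback=True)))
```

Running it shows run 1 and run 2 differ as raw text but have no socket-level change, while run 3 reports `+ tcp 0.0.0.0:8080` and `- tcp 192.168.1.10:139`. When tuning a check_diff rule on command output, sorting the command's output on the agent (or normalizing it as above before comparison) keeps the alert tied to real port changes rather than output ordering.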
