On Fri, Oct 15, 2010 at 6:13 PM, Jefferson, Shawn
<[email protected]> wrote:
> I don't, not a single one. Can you point me in the right direction to figure
> out why not?
>
The only thing I can think of doing is providing my configurations.
From ossec.conf on the manager:
<localfile>
  <log_format>full_command</log_format>
  <command>netstat -tan |grep LISTEN | grep -v '127.0.0.1'</command>
</localfile>
From agent.conf:
<localfile>
  <log_format>full_command</log_format>
  <command>netstat -tan |grep LISTEN | grep -v '127.0.0.1'</command>
</localfile>
In local_rules.xml:
<!--OTHER RULES 51000+-->
<rule id="510000" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'netstat -tan |grep LISTEN</match>
  <check_diff />
  <description>Listened ports have changed.</description>
</rule>