Hi! I'm making progress. I believe there was a problem with my local_rules.xml file. I had a rule for 530 to overwrite and another for the output of netstat at the bottom of my local rules file, and these for some reason were not getting processed correctly. I've made some changes there and I can see files in my diff directory now!!!!
and, success! I am now receiving alerts for port changes. Thanks for your help in narrowing this down for me.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Monday, October 18, 2010 11:28 AM
To: [email protected]
Subject: Re: [ossec-list] Checking Open Ports

On Mon, Oct 18, 2010 at 2:11 PM, Jefferson, Shawn <[email protected]> wrote:
> Hi,
>
> Ok! Getting closer to figuring this out. The full_command data is getting
> from the client to the server (and being logged in the archives.log file
> after using the global.logall option.) It looks like the message is NOT
> being decoded as Rule 530 though.
>
> This is from my archives.log:
> 2010 Oct 18 09:14:29 (SERVER01) 172.1.3.1->netstat -an | find "LISTEN" ossec:
> output: 'netstat -an | find "LISTEN"':
> TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:1164 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
>
> Pasting the first line into the logtest application gives me this output:
>
> 2010 Oct 18 09:14:29 (SERVER01) 172.1.3.1->netstat -an | find "LISTEN" ossec:
> output: 'netstat -an | find "LISTEN"':
>
> **Phase 1: Completed pre-decoding.
> full event: '2010 Oct 18 09:14:29 (SERVER01) 172.1.3.1->netstat -an |
> find "LISTEN" ossec: output: 'netstat -an | find "LISTEN"':'
> hostname: 'ossecsvr'
> program_name: '(null)'
> log: '2010 Oct 18 09:14:29 (SERVER01) 172.1.3.1->netstat -an | find
> "LISTEN" ossec: output: 'netstat -an | find "LISTEN"':'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> And the rule 530 that is in the ossec_rules.xml file:
>
> <!-- Process monitoring rules -->
> <rule id="530" level="0">
> <if_sid>500</if_sid>
> <match>^ossec: output: </match>
> <description>OSSEC process monitoring rules.</description>
> <group>process_monitor,</group>
> </rule>
>

I can't do it myself right now, but try pasting everything after the '->' into ossec-logtest:
netstat -an | find "LISTEN" ossec: output: 'netstat -an | find "LISTEN"':
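For anyone landing on this thread later, here is an added example (not Shawn's or dan's configuration, and not taken from the OSSEC project's files) of the two pieces a port-change alert of this kind needs: the full_command entry on the Windows agent's ossec.conf, and a local rule on the server that chains off the built-in rule 530 instead of overwriting it and uses check_diff so an alert fires only when the netstat output differs from the previous run. The command string is the one from the thread; the rule id 100100 and the alert level are assumptions chosen for illustration.

```xml
<!-- Agent side: ossec.conf on the Windows host, inside <ossec_config>.
     The command's output is shipped to the server as a single
     "ossec: output: '<command>'" event, which is what the built-in
     rule 530 (level 0, match "^ossec: output: ") picks up. -->
<localfile>
  <log_format>full_command</log_format>
  <command>netstat -an | find "LISTEN"</command>
</localfile>

<!-- Server side: local_rules.xml, inside the local <group> element.
     Chains off 530 rather than overwriting it. check_diff stores the
     event body under the server's diff directory and fires only when
     the stored copy and the new output differ, so a newly opened (or
     closed) listening port produces one alert instead of repeated
     level-0 noise. The id and level are assumptions for this example. -->
<rule id="100100" level="7">
  <if_sid>530</if_sid>
  <!-- Plain substring match on the command prefix. The pattern is kept
       free of the "|" character on purpose: OSSEC's match syntax treats
       "|" as an OR separator, so pasting the full command would not
       match the way it reads. -->
  <match>ossec: output: 'netstat -an</match>
  <check_diff />
  <description>Listening ports changed (netstat output differs from last run).</description>
</rule>
```

To check the chain, paste the event body (everything after the '->', as dan suggests) into ossec-logtest and confirm the matched rule is 100100 rather than only 530. Because check_diff suppresses identical consecutive outputs, a real end-to-end test means changing the listening set on the agent (for example stopping a service) and waiting for the next command run; the archives.log entries with logall enabled, as in the thread, show whether the raw output is still arriving if no alert appears.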
