Which UDP ports were blocked by Windows Firewall?
On Saturday, December 22, 2012 11:51:32 AM UTC-8, Beau wrote: > > Hi, I hope this is a simple "yes that's how it's supposed to be" answer. > > I have had OSSEC 2.6 running on about 9 PCs for over a year, that > auto-reboot every night. Every time I reboot, and services start, i get > notice of services that were blocked by windows firewall. > > Recently, I noticed that on a few days this year, windows firewall > blocked various UDP ports that "P:\Program > Files\ossec-agent\ossec-agent.exe" was trying to listen to, based on the > windows security logs, as it does for any service that starts up that > listening but not allowed to in the firewall rules, and logs that it was > blocked in the windows firewall rules. > > > It happened 39 times in May on 3 different days, (not on reboot), 1 in > august (upon reboot) and 1 event on Dec 6 (upon reboot) and 20 events on > the night of the 7th, (not upon reboot, but I think the OSSEC server went > down around that time) > > This was on about 4 out of 9 machines, all nearly identical. > > The first day was in may 1, and it seemed to have multiple events all on > one PC. The second was on the 3rd on two more PC, 1 event each. Then > finally may 28th, on all of the PCs that I've seen this on. > > I give all this detail, just to illustrate how sort of random it seems. > > My main question is, should ossec-agent.exe cause this event to ever > occur? If so, why so sporadically? > > If not, well, any other thoughts? >
