I'm finding that the built-in rule 533 is too broad for my use case, as I have
several commands that begin with netstat -tan that I would like to alert on
and that are configured in agent ossec.conf files.
I've attempted to address this with a rule overwrite that includes the full
out-of-the-box netstat command that rule 533 is designed to alert on:
  <rule id="533" level="7" overwrite="yes">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort'</match>
    <check_diff />
    <description>Listened ports status (netstat) changed (new port opened or closed).</description>
  </rule>
If I include this rule, several of my OSSEC processes die shortly after launch
because of connection-refused errors on certain queue files. If I comment
out this rule, OSSEC runs as expected.
Are there syntax issues in my overwrite rule I should be aware of?
Thanks
Blake
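For reference, the shape OSSEC expects a local rule file and the matching agent command to take, as an added example that is not part of the original post: rules in local_rules.xml must sit inside a `<group>` element, and a second rule with its own id (100100 here, an arbitrary pick from the local 100000+ range) shows how an additional netstat command can be matched separately from the overwritten 533. The command text `netstat -tanp` and the `<frequency>` value are assumptions for illustration.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example, not the poster's file) -->
<group name="local,syslog,">

  <!-- Overwrite of built-in 533, limited to the stock netstat command.
       Caveat: inside <match> the characters ^ $ and | are special to the
       OSSEC matcher; | is alternation, so this pattern is a set of
       alternatives rather than one literal string (the stock rule 533
       behaves the same way). -->
  <rule id="533" level="7" overwrite="yes">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort'</match>
    <check_diff />
    <description>Listened ports status (netstat) changed (new port opened or closed).</description>
  </rule>

  <!-- Separate rule for an extra netstat command configured on the agents.
       The rule id and the command string are assumptions for illustration;
       the command is chosen without a | so the match is a single literal. -->
  <rule id="100100" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -tanp'</match>
    <check_diff />
    <description>Listening sockets with owning process (netstat -tanp) changed.</description>
  </rule>

</group>

<!-- Agent ossec.conf fragment (constructed example): the full_command whose
     output reaches the manager as "ossec: output: 'netstat -tanp': ..." and
     is picked up by the generic rule 530 that both rules above chain from. -->
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tanp</command>
    <frequency>360</frequency>
  </localfile>
</ossec_config>
```

Before restarting the manager, running /var/ossec/bin/ossec-logtest loads the full rule set, including local_rules.xml, and prints any rule-parsing error, which is a quicker way to check the XML than watching the daemons start.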