On Thu, Aug 15, 2013 at 1:36 PM, Blake Johnson <[email protected]> wrote:
> I'm finding that built-in rule 533 is too broad for my use case as I have
> several commands that begin with netstat -tan that I would like to alert on
> and are configured in agent ossec.conf files.
>
For your custom netstat commands, use an alias to label each one and match that alias instead. Did you happen to see an error related to these issues? Do you happen to know what version of OSSEC you're using?

> I've attempted to address this with a rule overwrite that includes the full
> out of the box netstat command that rule 533 is designed to alert on:
>
> <rule id="533" level="7" overwrite="yes">
>   <if_sid>530</if_sid>
>   <match>ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort'</match>
>   <check_diff />
>   <description>Listened ports status (netstat) changed (new port opened or closed).</description>
> </rule>
>
> If I include this rule my several ossec processes die shortly after launch
> because of connection refused errors to certain queue files. If I comment
> out this rule OSSEC runs as expected.
>
> Are there syntax issues in my overwrite rule I should be aware of?
>
> Thanks
>
> Blake
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
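As an added illustration of the alias approach suggested in the reply above (this is example configuration, not from the thread or from the OSSEC project's shipped config), here is an agent-side localfile entry paired with a local rule on the server. The alias strings, the rule ids 100050 and 100051, the frequency value and the second netstat variant are assumptions chosen for the example. The reason the alias matters: in OSSEC's <match> syntax the | character is an OR operator, so a match string that carries the pipes of the raw command text ("... 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort'") is split into fragments and fires when any one of them ("grep LISTEN ", " sort'", and so on) appears in a process-monitoring event. That is what makes rule 533 so broad, and an alias without pipes sidesteps it.

```xml
<!-- Agent ossec.conf (added example, not from the thread). Each netstat
     variant runs under its own alias; logcollector then reports the event
     as "ossec: output: 'ALIAS': ..." instead of embedding the command text.
     Alias names and frequency (seconds) are assumed values. -->
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan | grep LISTEN | grep -v 127.0.0.1 | sort</command>
    <alias>listening-ports</alias>
    <frequency>360</frequency>
  </localfile>

  <!-- A second "netstat -tan ..." command that must be alerted on separately
       from the listening-port check (hypothetical variant for the example). -->
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan | grep ESTABLISHED | awk '{print $5}' | sort -u</command>
    <alias>established-peers</alias>
    <frequency>360</frequency>
  </localfile>
</ossec_config>

<!-- Server rules/local_rules.xml (added example). The match strings contain
     no '|' so OSSEC matches them literally rather than as alternatives.
     Ids 100000-119999 are the range reserved for local rules; a separate
     rule id per alias keeps each check_diff baseline independent. -->
<group name="local,ossec,">
  <rule id="100050" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'listening-ports'</match>
    <check_diff />
    <description>Listening ports changed (alias listening-ports).</description>
  </rule>

  <rule id="100051" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'established-peers'</match>
    <check_diff />
    <description>Set of established peer addresses changed (alias established-peers).</description>
  </rule>
</group>
```

After restarting the agent and the server, you can confirm the rule selection before waiting for a real diff by pasting a line such as "ossec: output: 'listening-ports': tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN" into /var/ossec/bin/ossec-logtest and checking that it reports rule 100050 rather than 533. Leaving the stock 533 in place is harmless once your own commands no longer carry its literal command text, which avoids the overwrite entirely.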
