Hi All,

    The following rule in local_rules.xml does not appear to be working on my ossec server. I am receiving constant alerts and it is getting old :) .

  <!-- Ignore Webmin Port Listening Changes -->
  <rule id="100032" level="0">
    <if_sid>533</if_sid>
    <match>
    tcp        0      0 0.0.0.0:10000|
    tcp        0      0 0.0.0.0:10002|
    tcp        0      0 0.0.0.0:10003|
    tcp        0      0 0.0.0.0:10004|
    tcp        0      0 0.0.0.0:10005|
    tcp        0      0 0.0.0.0:10006|
    tcp        0      0 0.0.0.0:10007|
    tcp        0      0 0.0.0.0:10008|
    tcp        0      0 0.0.0.0:10009|
    tcp        0      0 0.0.0.0:10010
    </match>
    <description>Cloudmin talking over 10001-10010.</description>
  </rule>


Here is the email alert:

OSSEC HIDS Notification.
2014 Jan 09 14:06:48

Received From: (ASERVER) XX.XXX.XX.XXX->netstat -tan |grep LISTEN |grep -v 
127.0.0.1 | sort
Rule: 533 fired (level 7) -> "Listened ports status (netstat) changed (new port 
opened or closed)."
Portion of the log(s):

ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:10001           0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:20000           0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN     
tcp        0      0 XX.XXX.XX.XXX:53           0.0.0.0:*             
Previous output:
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN   

 --END OF NOTIFICATION

As you can see, the tcp port 10001 was temporarily listening during a Cloudmin/Virtualmin status request to the server.

What am I doing wrong to ignore this alert? I have restarted the ossec 
server after creating the rule (service ossec restart).

Many Thanks!

~Jeremy
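An added check, not from the post or from OSSEC, to make the gap concrete: OSSEC's `<match>` is a plain substring test against the event text (with `|` separating alternatives), so it cannot by itself say "ignore the change only if every port that opened or closed is in 10001-10010"; the Python below models that set-difference logic over two constructed netstat outputs trimmed from the alert above (the allowlist is the poster's Cloudmin range, and the `should_alert` helper name is this example's own).

```python
from typing import Set

# Constructed samples, trimmed from the "current" and "previous" outputs in the
# alert quoted above; the header line is kept so the parser has to skip it.
CURRENT_OUTPUT = """\
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10001           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""
PREVIOUS_OUTPUT = """\
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

# Ports the Cloudmin/Virtualmin status check is expected to open briefly.
ALLOWLIST: Set[int] = set(range(10001, 10011))


def listening_ports(netstat_output: str) -> Set[int]:
    """Return the set of local TCP ports found in `netstat -tan` style lines.

    Only lines whose first field starts with "tcp" are parsed; the fourth
    field is the local address, and the port is whatever follows the last
    colon (works for both 0.0.0.0:22 and IPv6 forms such as :::22).
    """
    ports: Set[int] = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("tcp"):
            continue  # header line, blank line or something we do not parse
        ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def changed_ports(previous: str, current: str) -> Set[int]:
    """Ports that opened or closed between the two snapshots."""
    return listening_ports(previous) ^ listening_ports(current)


def should_alert(previous: str, current: str,
                 allowlist: Set[int] = ALLOWLIST) -> bool:
    """Alert only when some change lies outside the allowlisted range.

    A change confined to the allowlist (e.g. 10001 appearing) is noise;
    any other port opening or closing is still reported.
    """
    return bool(changed_ports(previous, current) - allowlist)
```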
