Hi All,
Is there a way to silence alerts from Rule 533 netstat -tan for
specific ports?
I have tried the following rule in local_rules.xml to silence
alerts about the Cloudmin/Webmin port which listens during status
collection, but to no avail.
<!-- Ignore Webmin Port Listening Changes.
     OSSEC <match> is a plain substring test against the whole netstat
     output, and real netstat pads its columns with several spaces, so
     "tcp 0 0 0.0.0.0:10001" (single spaces) never matches. Match on the
     address:port token only. Note this silences every rule 533 alert
     while 10001 is listening, even if another port also changed. -->
<rule id="100032" level="0">
  <if_sid>533</if_sid>
  <match>0.0.0.0:10001</match>
  <description>Cloudmin talking over 10001</description>
</rule>
Here is the email alert:
OSSEC HIDS Notification.
2014 Jan 09 14:06:48
Received From: (ASERVER) XX.XXX.XX.XXX->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
Rule: 533 fired (level 7) -> "Listened ports status (netstat) changed (new port opened or closed)."
Portion of the log(s):
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:10001 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:20000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN
tcp 0 0 XX.XXX.XX.XXX:53 0.0.0.0:*
Previous output:
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
--END OF NOTIFICATION
Hope you all have a great week,
~Jeremy
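As an added illustration (not part of the original post or of the OSSEC project), the script below models how OSSEC evaluates a child rule of 533: `<match>` is a literal substring test over the entire command output, and a level-0 child rule suppresses the whole alert whenever its pattern occurs, not just changes to that one port. It also shows the per-port diff a practitioner usually wants, and the agent-side alternative of dropping the ignored port from the monitored command output before OSSEC diffs it (the equivalent of adding a `grep -v` to the command in ossec.conf). The two netstat snapshots are constructed, with the column padding netstat actually emits (the mailing-list rendering collapsed it to single spaces); the function names are assumptions for this example.

```python
"""Model of OSSEC rule-533 child matching and per-port change detection.

Added example, not code from the original post or from OSSEC. The
netstat snapshots are constructed to look like real
`netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort` output.
"""

# Constructed "previous" snapshot: three listening sockets.
PREVIOUS = (
    "tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN\n"
    "tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN\n"
    "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN\n"
)

# Constructed "current" snapshot: the Cloudmin status port 10001 appeared.
CURRENT = (
    "tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN\n"
    "tcp        0      0 0.0.0.0:10001           0.0.0.0:*               LISTEN\n"
    "tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN\n"
    "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN\n"
)


def ossec_match(pattern: str, log: str) -> bool:
    """OSSEC <match> semantics: plain substring test on the whole log, not a regex."""
    return pattern in log


def listening_ports(output: str) -> set:
    """Extract the local address:port token from every LISTEN line."""
    ports = set()
    for line in output.splitlines():
        fields = line.split()          # tolerates netstat's variable column padding
        if len(fields) >= 6 and fields[-1] == "LISTEN":
            ports.add(fields[3])
    return ports


def changed_ports(previous: str, current: str):
    """Return (opened, closed) as sets; rule 533's check_diff only says 'something changed'."""
    before, after = listening_ports(previous), listening_ports(current)
    return after - before, before - after


def should_alert(previous: str, current: str, ignore_ports) -> bool:
    """Alert only if a port outside the ignore list opened or closed."""
    opened, closed = changed_ports(previous, current)
    return bool((opened | closed) - set(ignore_ports))


def silenced_by_level0_rule(pattern: str, current: str) -> bool:
    """A level-0 child of 533 with this <match> drops the entire alert whenever
    the pattern occurs in the current output, whichever port actually changed."""
    return ossec_match(pattern, current)


def filtered_output(output: str, ignore_ports) -> str:
    """Agent-side alternative: strip ignored ports before OSSEC diffs the output
    (what an extra grep -v on the monitored command would do)."""
    keep = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[3] in ignore_ports:
            continue
        keep.append(line)
    return "\n".join(keep) + ("\n" if keep else "")


if __name__ == "__main__":
    ignore = {"0.0.0.0:10001"}
    print("single-space match hits:", ossec_match("tcp 0 0 0.0.0.0:10001", CURRENT))
    print("token match hits:       ", ossec_match("0.0.0.0:10001", CURRENT))
    print("opened/closed:          ", changed_ports(PREVIOUS, CURRENT))
    print("alert needed:           ", should_alert(PREVIOUS, CURRENT, ignore))
    # If a second, unrelated port appears, the level-0 rule still silences it.
    extra = CURRENT + "tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN\n"
    print("4444 + 10001 silenced:  ", silenced_by_level0_rule("0.0.0.0:10001", extra))
    print("4444 + 10001 per-port:  ", should_alert(PREVIOUS, extra, ignore))
```

Running it shows the single-spaced pattern from the original rule never matching real netstat output, the token pattern matching, and the difference between a level-0 rule (which also hides the unrelated port 4444) and filtering the ignored port out of the command output so rule 533 still fires for everything else.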