On Thu, Jan 23, 2014 at 2:29 PM, Jeremiah Brock <[email protected]> wrote:
> Hi All,
>
> Is there a way to silence alerts from Rule 533 netstat -tan for specific
> ports?
>
> I have tried the following rule in local_rules.xml to silence alerts
> about the Cloudmin/Webmin port which listens during status collection, but
> to no avail.
>
> <!-- Ignore Webmin Port Listening Changes -->
> <rule id="100032" level="0">
>   <if_sid>533</if_sid>
>   <match>tcp 0 0 0.0.0.0:10001</match>
>   <description>Cloudmin talking over 10001</description>
> </rule>
>

Someone recently posted that they filter responses on the sensor. I haven't looked into any of it, so I can't help much.

> Here is the email alert :
>
> OSSEC HIDS Notification.
> 2014 Jan 09 14:06:48
>
> Received From: (ASERVER) XX.XXX.XX.XXX->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
> Rule: 533 fired (level 7) -> "Listened ports status (netstat) changed (new port opened or closed)."
> Portion of the log(s):
>
> ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
> tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:10001 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:20000 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN
> tcp 0 0 XX.XXX.XX.XXX:53 0.0.0.0:*
>
> Previous output:
> ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
> tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
>
> --END OF NOTIFICATION
>
>
> Hope you all have a great week,
>
> ~Jeremy
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
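An added example, not from the thread or from OSSEC itself: a small Python helper that parses a rule 533 notification like the one quoted above into current and previous listener sets, diffs them, and reports whether the change is explained entirely by an allowlisted port. A plain `<match>` on one port cannot express this, because the alert body lists every listener, not only the one that changed; the sample alert below is constructed from the quoted one, and the whitespace and field layout are assumed.

```python
import re

# Constructed sample, cut down from the alert quoted in the thread.
ALERT = """\
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:10001 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN

Previous output:
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
"""

# One netstat row: proto, recv-q, send-q, local addr:port, foreign addr.
# Any run of whitespace is accepted, so column alignment does not matter.
LISTEN_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+")


def listeners(block):
    """Return the set of (proto, addr, port) rows found in one netstat dump."""
    found = set()
    for line in block.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            found.add((m.group(1), m.group(2), int(m.group(3))))
    return found


def split_alert(text):
    """Split the alert body into (current, previous) netstat dumps."""
    current, _, previous = text.partition("Previous output:")
    return current, previous


def port_changes(text):
    """Return (opened, closed) listener sets between previous and current."""
    cur, prev = split_alert(text)
    cur_set, prev_set = listeners(cur), listeners(prev)
    return cur_set - prev_set, prev_set - cur_set


def explained_by_allowlist(text, allowed_ports):
    """True only if every opened or closed listener is on an allowlisted port."""
    opened, closed = port_changes(text)
    return all(port in allowed_ports for _, _, port in opened | closed)
```

If the helper returns True the alert can be dropped as expected Webmin/Cloudmin churn; any other change on the host still surfaces even when port 10001 is also present in the dump.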
