Thx Dan,
I actually figured it out, was staring me in the face the whole time.
In the client side ossec.conf netstat command, I added the port(s)
to the inverse grep -v and voila!
<localfile>
<log_format>full_command</log_format>
<command>netstat -tan |grep LISTEN |grep -v '127.0.0.1\|10001' | sort</command>
</localfile>
Hope you have an awesome week,
~Jeremy
On 1/23/2014 11:32 AM, dan (ddp) wrote:
> On Thu, Jan 23, 2014 at 2:29 PM, Jeremiah Brock
> <[email protected]> wrote:
>> Hi All,
>> Is there a way to silence alerts from Rule 533 netstat -tan for specific
>> ports?
>> I have tried the following rule in local_rules.xml to silence alerts
>> about the Cloudmin/Webmin port which listens during status collection, but
>> to no avail.
>> <!-- Ignore Webmin Port Listening Changes -->
>> <rule id="100032" level="0">
>> <if_sid>533</if_sid>
>> <match>tcp 0 0 0.0.0.0:10001</match>
>> <description>Cloudmin talking over 10001</description>
>> </rule>
>
> Someone recently posted that they filter responses on the sensor. I
> haven't looked into any of it, so I can't help much.
>
>> Here is the email alert:
>> OSSEC HIDS Notification.
>> 2014 Jan 09 14:06:48
>> Received From: (ASERVER) XX.XXX.XX.XXX->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
>> Rule: 533 fired (level 7) -> "Listened ports status (netstat) changed (new port opened or closed)."
>> Portion of the log(s):
>> ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
>> tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:10001 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:20000 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN
>> tcp 0 0 XX.XXX.XX.XXX:53 0.0.0.0:*
>> Previous output:
>> ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
>> tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
>> --END OF NOTIFICATION
>> Hope you all have a great week,
>> ~Jeremy
>
> --
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
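As an added illustration of the fix Jeremy settled on (example code written for this page, not from the thread or from the OSSEC project): the full_command output that rule 533 compares against its stored "previous output" is filtered at the source, so a port that flaps (here the Webmin/Cloudmin status port 10001) never enters the comparison. The netstat sample lines, the port list and the function names ignore_ports and listeners_changed are constructed for the example; the filter anchors the excluded ports to the local-address column instead of matching the digits anywhere on the line as the plain grep -v in the thread does.

```shell
#!/bin/sh
# Added example, not code from the thread or from OSSEC.
# Two constructed snapshots of `netstat -tan | grep LISTEN` from the same host;
# only the Webmin/Cloudmin status port 10001 differs between them.
BEFORE='tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN'
AFTER='tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10001           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN'

# ignore_ports "10001 20000": read netstat lines on stdin, drop loopback
# listeners and listeners on the listed local ports, and sort the rest
# (the same shape as the <command> in the thread). The pattern walks the
# proto / Recv-Q / Send-Q columns first so the port list is only compared
# against the local-address column, never against another field.
ignore_ports() {
    # An empty list becomes a token that cannot equal a numeric port.
    ports=$(printf '%s' "${1:-NONE}" | tr ' ' '|')
    grep -vE "^tcp6?[[:space:]]+[0-9]+[[:space:]]+[0-9]+[[:space:]]+(127\.0\.0\.1:|[^[:space:]]+:(${ports})[[:space:]])" \
        | sort
}

# listeners_changed PORTS: true (exit 0) when the filtered BEFORE and AFTER
# outputs differ, which is the condition under which rule 533 fires.
listeners_changed() {
    a=$(printf '%s\n' "$BEFORE" | ignore_ports "$1")
    b=$(printf '%s\n' "$AFTER"  | ignore_ports "$1")
    [ "$a" != "$b" ]
}

# Stand-alone run: without the port filter the snapshots differ (alert);
# with 10001 ignored they are identical (no alert).
if listeners_changed ""; then echo "unfiltered: changed"; fi
if listeners_changed "10001"; then echo "10001 ignored: changed"; else echo "10001 ignored: unchanged"; fi
```

The same anchoring can be carried into ossec.conf by replacing the grep -v pattern in the <command> line; the trade-off is that the whole listening set is still diffed, so adding a new port to the ignore list changes the stored output once and produces a single alert on the next run.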