Brad, want to fork the ossec-docs on GitHub and add this to a cookbook section?
I think this cookbook section could help to solve problems for a lot of users that just don't fit outside of a cookbook format.

> On Feb 11, 2014, at 10:43 AM, "Brad Lhotsky" <[email protected]> wrote:
>
> You can use active response to verify an alert,
>
> local_rules.xml
>
>   <!-- DEMOTE the netstat rule and make it STFU -->
>   <rule id="100000" level="1">
>     <match>ossec: output: 'netstat'</match>
>     <options>no_email_alert</options>
>     <description>Netstat Listening Ports Changed, verify</description>
>   </rule>
>
>   <!-- Escalate if we verify; decoded_as names the parent decoder defined below -->
>   <rule id="100001" level="12">
>     <decoded_as>ossec-ar-verify</decoded_as>
>     <match>^netstat</match>
>     <description>Netstat Verified Listening Ports Changed</description>
>   </rule>
>
> ossec.conf
>
>   <command>
>     <name>ossec-ar-verify-netstat</name>
>     <executable>ossec-ar-verify-netstat.sh</executable>
>     <timeout_allowed>no</timeout_allowed>
>   </command>
>
>   <active-response>
>     <command>ossec-ar-verify-netstat</command>
>     <location>local</location>
>     <rules_id>100000</rules_id>
>   </active-response>
>
>   <!-- OSSEC ActiveResponse to Verify Alerts (decoders belong in etc/local_decoder.xml) -->
>
>   <decoder name="ossec-ar-verify">
>     <program_name>ossec-ar-verify</program_name>
>   </decoder>
>
>   <!--
>   Crontab Verify Sample:
>   - Aug 30 16:33:13 puppet-03 ossec-ar-verify: crontab root control:puppet
>   - puppet:2012-05-23T10:39:36 file:2012-08-30T14:33:13
>   -->
>   <decoder name="ossec-ar-verify-crontab">
>     <parent>ossec-ar-verify</parent>
>     <prematch>^crontab </prematch>
>     <regex offset="after_prematch">^(\S+)</regex>
>     <order>user</order>
>   </decoder>
>
>   <decoder name="ossec-ar-verify-file">
>     <parent>ossec-ar-verify</parent>
>     <prematch>^file </prematch>
>     <regex offset="after_prematch">^(\S+)</regex>
>     <order>action</order>
>   </decoder>
>
>   <decoder name="ossec-ar-verify-netstat">
>     <parent>ossec-ar-verify</parent>
>     <prematch>^netstat </prematch>
>     <regex offset="after_prematch">^(\S+)</regex>
>     <order>srcport</order>
>   </decoder>
>
> Then have your script run netstat with your wrapper and compare it to the
> previous run, though you'll need to baseline it either via your config
> management system or by looking at the OSSEC history in
> /var/ossec/queue/diff/ though I don't remember off-hand where those are
> stored. If there's a new port, then:
>
>   logger -t ossec-ar-verify "netstat $PORT new/missing/whatever"
>
> And if there are no results, just don't syslog anything. Really easy way to
> abuse ActiveResponse to work for you.
>
> --
> Brad Lhotsky
>
>> On 10 Feb 2014 at 04:49:35, scoobydooxp ([email protected]) wrote:
>>
>> I'd really like to run the netstat check on our FTP server. Whenever an FTP
>> Data connection opens on a random high port, OSSEC alerts about netstat
>> changing. Is there a way to run a custom netstat wrapper? I wrote a netstat
>> wrapper that uses -p to exclude vsftpd high ports but OSSEC does not seem to
>> like the command. Any tips please?
>>
>> Thanks in advance,
>> Scooby
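The wrapper script Brad's reply leaves to the reader, as an added example (not his script and not OSSEC's own code): it snapshots listening TCP ports from "netstat -tlnp", drops vsftpd sockets inside an assumed passive-mode range (50000-50100), diffs against a baseline file at an assumed path, and emits one 'logger -t ossec-ar-verify "netstat PORT new|missing PROGRAM"' line per change so the ossec-ar-verify-netstat decoder above captures the port as srcport. The check only runs when OSSEC invokes the script with the action argument "add"; the constant names and paths are constructed for the example.

```shell
#!/bin/sh
# ossec-ar-verify-netstat.sh (added example, not Brad's or OSSEC's code).
# Snapshots listening TCP ports, ignores vsftpd passive-mode data ports,
# compares with the previous snapshot and reports each change via
# logger -t ossec-ar-verify so rule 100001 can escalate. Constructed
# assumptions: baseline path in STATE_FILE, passive range 50000-50100.
export LC_ALL=C                      # byte-order sort, as comm(1) expects
STATE_FILE="${STATE_FILE:-/var/ossec/active-response/netstat.baseline}"
PASV_LOW="${PASV_LOW:-50000}"
PASV_HIGH="${PASV_HIGH:-50100}"

# Read "netstat -tlnp" output on stdin; print one "port program" line per
# LISTEN socket, skipping vsftpd sockets inside the passive range.
filter_ports() {
  awk -v lo="$PASV_LOW" -v hi="$PASV_HIGH" '
    $6 == "LISTEN" {
      n = split($4, a, ":"); port = a[n]           # last field: IPv4 or IPv6
      prog = $7; sub(/^[0-9]+\//, "", prog)         # "901/vsftpd" -> "vsftpd"
      if (prog == "vsftpd" && port+0 >= lo+0 && port+0 <= hi+0) next
      print port, prog
    }' | sort -u
}

# Compare baseline ($1) with current snapshot ($2); print "PORT new PROG" and
# "PORT missing PROG" lines, port first so the decoder captures it as srcport.
diff_ports() {
  comm -13 "$1" "$2" | awk '{ print $1, "new", $2 }'
  comm -23 "$1" "$2" | awk '{ print $1, "missing", $2 }'
}

main() {
  current=$(mktemp) || exit 1
  netstat -tlnp 2>/dev/null | filter_ports > "$current"
  if [ -f "$STATE_FILE" ]; then
    # One syslog line per change; none when nothing changed (no alert).
    diff_ports "$STATE_FILE" "$current" | while read -r change; do
      logger -t ossec-ar-verify "netstat $change"
    done
  fi
  mv "$current" "$STATE_FILE"        # first run only seeds the baseline
}

# OSSEC passes the action as $1 ("add" when the rule fires); do nothing
# when sourced or run without it.
case "${1:-}" in add) main ;; esac
```

Install it under /var/ossec/active-response/bin/ with execute permission; the first invocation only writes the baseline, so seed it (or copy one from configuration management) before trusting the verified alerts.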
