I'm getting network change notifications a couple of times per day on
one system. It appears it's comparing the current state to some base
state where most of the services weren't started. I can't find anything
in the logs to indicate that services are being restarted during the
day, so this is a mystery to me.
I tried restarting OSSEC after everything is rolling along, thinking
that might reset the "base state" used for comparison but that doesn't
seem to help.
Received From: mooch->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
Rule: 533 fired (level 7) -> "Listened ports status (netstat) changed (new port opened or closed)."
Portion of the log(s):
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:17500 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:53991 0.0.0.0:* LISTEN
tcp 0 0 ::1:631 :::* LISTEN
tcp 0 0 :::111 :::* LISTEN
tcp 0 0 :::139 :::* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 :::443 :::* LISTEN
tcp 0 0 :::445
Previous output:
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:17500 0.0.0.0:* LISTEN
--
-- Steve
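
To see which listening sockets actually differ between the "Portion of the log(s)" and "Previous output" sections of a rule 533 alert like the one above, the two sections can be parsed and compared. This is an added example, not part of the original post or of OSSEC; the sample alert body is constructed on the layout shown in the post, and treating a section whose last row has no LISTEN state as cut off is an assumption.

```python
import re

# netstat -tan columns: proto, Recv-Q, Send-Q, local address
ROW = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)")

def parse_alert(body):
    """Return (sockets per section, cut-off flag per section) for an alert body."""
    socks = {"current": set(), "previous": set()}
    cut_off = {"current": False, "previous": False}
    section, pending = None, False
    for raw in body.splitlines():
        line = raw.strip()
        if line.startswith(("Portion of the log(s):", "Previous output:")):
            if section and pending:        # last row never reached LISTEN
                cut_off[section] = True
            section = "previous" if line.startswith("Previous") else "current"
            pending = False
        elif section and ROW.match(line):
            socks[section].add(ROW.match(line).group(2))
            pending = "LISTEN" not in line  # state may be wrapped to next line
        elif "LISTEN" in line:
            pending = False
    if section and pending:
        cut_off[section] = True
    return socks, cut_off

def diff_alert(body):
    """Sockets present in only one section; unreliable if a section is cut off."""
    socks, cut_off = parse_alert(body)
    cur, prev = socks["current"], socks["previous"]
    return {"opened": sorted(cur - prev), "closed": sorted(prev - cur),
            "cut_off": cut_off}

# Constructed sample, modelled on the alert layout in the post (not real data).
SAMPLE = """Portion of the log(s):
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp 0 0 0.0.0.0:111 0.0.0.0:*
LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 :::445
Previous output:
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
"""

if __name__ == "__main__":
    print(diff_alert(SAMPLE))
```

When `cut_off` is set for a section, sockets that appear only in the other section may simply lie past the cut rather than having opened or closed.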