On Thu, May 15, 2014 at 12:21 PM, Steven Stern <[email protected]> wrote:
> I'm getting network change notifications a couple of times per day on
> one system. It appears it's comparing the current state to some base
> state where most of the services weren't started. I can't find anything
> in the logs to indicate that services are being restarted during the
> day, so this is a mystery to me.
>
> I tried restarting OSSEC after everything is rolling along, thinking
> that might reset the "base state" used for comparison but that doesn't
> seem to help.
>

The old version should be in /var/ossec/queue somewhere. Find it and delete it.

> Received From: mooch->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
> Rule: 533 fired (level 7) -> "Listened ports status (netstat) changed
> (new port opened or closed)."
> Portion of the log(s):
>
> ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
> tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:17500 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:53991 0.0.0.0:* LISTEN
> tcp 0 0 ::1:631 :::* LISTEN
> tcp 0 0 :::111 :::* LISTEN
> tcp 0 0 :::139 :::* LISTEN
> tcp 0 0 :::22 :::* LISTEN
> tcp 0 0 :::443 :::* LISTEN
> tcp 0 0 :::445
> Previous output:
> ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
> tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:17500 0.0.0.0:* LISTEN
>
> --
> -- Steve
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
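
Added example, not part of the original thread and not OSSEC's own code: a small parser that splits a rule 533 alert body at "Previous output:" and reports which listening sockets appear only in the current or only in the previous snapshot, which makes it easy to see what the stored baseline actually contains. The sample alert is constructed in the shape of the one quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample in the shape of the rule 533 alert quoted in the thread.
# The last "current" line is cut short, as it is in the thread's alert.
ALERT = """\
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 :::443 :::* LISTEN
tcp 0 0 :::445
Previous output:
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
"""

# Proto, Recv-Q, Send-Q, then the local address; the port follows the last colon.
SOCKET = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+):(\d+)(?:\s|$)")


def parse_listeners(block):
    """Return the set of (local_address, port) pairs found in a netstat block."""
    listeners = set()
    for line in block.splitlines():
        # Tolerate mail quoting ("> ") so a pasted alert can be fed in directly.
        match = SOCKET.match(line.lstrip("> ").strip())
        if match:  # header and blank lines do not match and are skipped
            listeners.add((match.group(1), int(match.group(2))))
    return listeners


def diff_alert(alert):
    """Return (added, removed) sockets: current snapshot versus stored baseline."""
    current, separator, previous = alert.partition("Previous output:")
    if not separator:
        raise ValueError("alert has no 'Previous output:' section")
    now, before = parse_listeners(current), parse_listeners(previous)
    return sorted(now - before), sorted(before - now)


if __name__ == "__main__":
    added, removed = diff_alert(ALERT)
    for addr, port in added:
        print(f"only in current:  {addr}:{port}")
    for addr, port in removed:
        print(f"only in previous: {addr}:{port}")
```
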
