Hi Noway2,

I just tested it and it is working for me; could you paste your <localfile> 
section? You can open ossec.conf on the OSSEC Manager, search for "netstat" and 
paste that section here.

The rule which triggers these alerts is:

  <rule id="533" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -tan</match>
    <check_diff />
    <description>Listened ports status (netstat) changed (new port opened 
or closed).</description>
    <group>pci_dss_10.2.7,pci_dss_10.6.1,</group>
  </rule>


Regards,

Pedro S.
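Added example, not code from Pedro's reply or from the OSSEC project: a small POSIX shell script that reproduces what `<check_diff />` on rule 533 reacts to, namely any difference between the previously stored output of the netstat command and its current output. The function names (`normalize_listen`, `listen_diff`) and the two sample listings are constructed for illustration; the listings are modelled on the output quoted below this reply.

```shell
#!/bin/sh
# Added example (not from the thread or the OSSEC project): emulate the
# comparison behind rule 533 / <check_diff /> for the stock command
#   netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
# so a suspicious "new port opened or closed" alert can be checked by hand.
export LC_ALL=C   # stable sort order regardless of the caller's locale

# Reduce one "netstat -tan" listing to "proto local-address:port" lines.
# Counters, whitespace and anything not in LISTEN state are dropped, as is
# loopback (the grep -v 127.0.0.1 of the original command).
# $1: netstat output as a single string
normalize_listen() {
    printf '%s\n' "$1" \
      | awk '$NF == "LISTEN" && $4 !~ /^127\.0\.0\.1:/ { print $1, $4 }' \
      | sort -u
}

# Print "opened <proto> <addr:port>" and "closed <proto> <addr:port>" lines
# for the change between two listings; print nothing if they match.
# $1: previous output, $2: current output
listen_diff() {
    prev=$(normalize_listen "$1")
    cur=$(normalize_listen "$2")
    {
        printf '%s\n' "$prev" | sed 's/^/P /'
        printf '%s\n' "$cur"  | sed 's/^/C /'
    } | awk '
        # NF == 3 skips the empty line produced by an empty listing
        $1 == "P" && NF == 3 { p[$2 " " $3] = 1 }
        $1 == "C" && NF == 3 { c[$2 " " $3] = 1 }
        END {
            for (k in c) if (!(k in p)) print "opened", k
            for (k in p) if (!(k in c)) print "closed", k
        }' | sort
}

# Constructed sample data (not a real capture): what the stored "previous"
# listing and the current listing might look like.
PREV='tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN'
CUR='tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::139                  :::*                    LISTEN'

# Usage: run directly to see which ports the rule would be alerting on.
if [ "${0##*/}" = "listen_diff.sh" ]; then
    listen_diff "$PREV" "$CUR"
fi
```

In the stock ossec.conf the netstat command lives in a `<localfile>` block with `<log_format>full_command</log_format>`, so the whole listing arrives as one event and `<check_diff />` compares that single event with the last copy the manager stored. If the diff printed by `listen_diff` for two consecutive alerts is empty, the two listings really are the same and the problem is in the stored previous copy, not in the hosts' open ports.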
On Thursday, April 14, 2016 at 10:38:59 PM UTC+2, Noway2 wrote:
>
> I have been using Ossec on a couple of my servers for several years now.  
> I recently updated one of them to Ubuntu 14.04 server edition and found 
> that the agent running on that machine was no longer communicating with the 
> server.  I took this as an opportunity to upgrade both machines from 
> version 2.6 to 2.8 and I am running into a new issue that I am not sure how 
> to handle. 
>
> I am getting repeated alerts about the netstat command detecting new ports 
> open.  Specifically I am getting the report shown below:
>
>  
>
>> ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
>> tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
>> tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
>> tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
>> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
>> tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
>> tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
>> tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN
>> tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN
>> tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN
>> tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN
>> tcp        0      0 172.16.10.3:53          0.0.0.0:*               LISTEN
>> tcp        0      0 192.168.0.49:53         0.0.0.0:*               LISTEN
>> tcp        0      0 192.168.0.49:647        0.0.0.0:*               LISTEN
>> tcp6       0      0 :::139                  :::*                    LISTEN
>> tcp6       0      0 ::1:783                 :::*
>> Previous output:
>> ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
>> tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
>> tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
>>
>>
> According to my interpretation of this output, it is trying to tell me 
> that when the initial scan was run the only ports with applications 
> listening on them were 110 and 139.  I know however this is incorrect 
> because the system was up, active, and had all of these other processes 
> running, nor are they routinely terminated and some of them were even 
> actively connected to at the time, such as port 22 for SSH.
>
> This same message will repeat periodically, claiming that the same two 
> ports were open in the previous reading and all the ports are currently 
> open.  It never seems to update or correct itself.
>
> I tried stopping ossec, going into the /var/ossec/queue directory and 
> deleting everything (there were only two files) and restarting it.  This 
> seemed to silence this error for several hours and then it started again.
>
> I like the idea of the feature and would like to correct it rather than 
> disable it (if that is even possible), but the repeated erroneous alerts 
> are seriously annoying.
>
> Does anyone have a suggestion as to why this feature does not appear to be 
> working correctly and how to fix it?
>

You received this message because you are subscribed to the Google Groups "ossec-list" group.