Pedro, I want to thank you again. Your advice has been most helpful. I had been wondering where the port list was located. Since I am running two machines, I set one up as the server and one as the agent. I was initially confused as to where the list was located and it turns out that it is on the server machine and the one giving me issues is the agent.
After my last reply, I went into the run level scripts and altered the startup order by moving the script from S20 to S98, which will put it after all of the server processes have started. I don't know if this was the correct way to do this or not, but it should at least give us a test case. I then rebooted the machine and so far I received one port change alert with the incorrect list of only two active ports, which would have been what was left over from the previous run. After your last reply, I read the last-entry file and it now looks correct. Let's see if that makes a difference. What's interesting is that I too would have thought that it would have updated after the last read and that this should have updated the last-entry file to reflect the current port list. Perhaps there is a bug related to being a server-agent? I think your suggestion on how to test the file would tell us. If I place a fake or modified entry, e.g. change the SSH port like you did, it should update to the correct port after the command is run.

On Friday, April 15, 2016 at 10:01:42 AM UTC-4, Pedro S wrote:
> Wow, you have a good point, maybe OSSEC is running netstat before some ports are open! I think OSSEC checks the diff only against the last output, not "perpetually" against the first one. In case you want to check the last netstat output registered by OSSEC, cat the file:
>
> /var/ossec/queue/diff/your-agent-or-ossec-manager-name/533/last-entry
>
> In case you want to test if the alerts are triggering, modify some port in the "last-entry" file and reboot the manager/agent; instantly you will see the alert generated.
>
> For example, I modified the SSH port in the last-entry file to 2222:
>
> ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
> tcp6 0 0 ::1:25 :::* LISTEN
> tcp6 0 0 :::22 :::* LISTEN
> Previous output:
> ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
> tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN
> tcp6 0 0 ::1:25 :::* LISTEN
> tcp6 0 0 :::22 :::* LISTEN
>
> Regards,
>
> Pedro S.
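Added example, not from the ossec-list thread and not OSSEC's own code: a small Python emulation of the comparison the thread is debugging, where each fresh `netstat` capture is diffed against the stored `last-entry` text (the last output, not the first one ever taken) and the stored text is then replaced. It reproduces both things discussed above: Pedro's hand-edit test (2222 in `last-entry` while 22 is really listening) and the boot race, where an early snapshot with only two listeners triggers one alert and the full list triggers a second one once the remaining daemons have bound. The sample captures are constructed (the 8080 listener is made up), the `alert` dict shape and the whitespace normalisation are assumptions for illustration, and real OSSEC compares the raw stored text.

```python
import re

# One `netstat -tan` LISTEN row: proto, recv-q, send-q, local addr, foreign addr, state
NETSTAT_LINE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+LISTEN$")

# Header line OSSEC writes above the captured output (wording taken from the thread)
HEADER = "ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':"

# Constructed sample: last-entry after SSH was hand-edited to 2222, as in the thread
LAST_ENTRY_EDITED = "\n".join([
    HEADER,
    "tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN",
    "tcp6       0      0 ::1:25                  :::*                    LISTEN",
    "tcp6       0      0 :::22                   :::*                    LISTEN",
])

# Constructed sample: what netstat reports once the host is fully up (8080 is made up)
CURRENT_FULL = "\n".join([
    HEADER,
    "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN",
    "tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN",
    "tcp6       0      0 ::1:25                  :::*                    LISTEN",
    "tcp6       0      0 :::22                   :::*                    LISTEN",
])

# Constructed sample: an early-boot snapshot taken before most daemons have bound
CURRENT_EARLY = "\n".join([
    HEADER,
    "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN",
    "tcp6       0      0 :::22                   :::*                    LISTEN",
])


def normalise(output: str) -> str:
    """Trim trailing whitespace and drop blank lines (assumed simplification);
    the stored text is compared with the fresh text, so noise would otherwise
    look like a change."""
    return "\n".join(line.rstrip() for line in output.splitlines() if line.strip())


def parse_listen(output: str) -> set:
    """Return {(proto, local_address)} for every LISTEN row in the capture."""
    found = set()
    for line in output.splitlines():
        m = NETSTAT_LINE.match(line.strip())
        if m:
            found.add((m.group(1), m.group(2)))
    return found


def check(last_entry: str, current: str):
    """Emulate one run of the command-diff check.

    Returns (alert, new_last_entry). alert is None when the fresh output equals
    the stored last-entry; otherwise it is a dict in the 'current / previous'
    shape the thread shows, plus a port-level delta (assumed format, not
    OSSEC's). new_last_entry is what gets written back, so the next run
    compares against the latest output, never the first one.
    """
    prev, cur = normalise(last_entry), normalise(current)
    if prev == cur:
        return None, prev
    before, after = parse_listen(prev), parse_listen(cur)
    alert = {
        "current": cur,
        "previous": prev,
        "opened": sorted(after - before),
        "closed": sorted(before - after),
    }
    return alert, cur


def run_sequence(initial_last_entry: str, snapshots) -> list:
    """Feed successive captures through check(), carrying last-entry forward
    between runs, and return the alerts raised in order."""
    last, alerts = initial_last_entry, []
    for snap in snapshots:
        alert, last = check(last, snap)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    # The hand-edit test from the thread: 2222 stored, 22 really listening
    alert, _ = check(LAST_ENTRY_EDITED, CURRENT_FULL)
    print("opened:", alert["opened"], "closed:", alert["closed"])
    # The boot race: early snapshot with two ports, then the full list
    for a in run_sequence(CURRENT_FULL, [CURRENT_EARLY, CURRENT_FULL]):
        print("alert -> opened:", a["opened"], "closed:", a["closed"])
```

Running it shows why moving the init script later in the boot order matters: with `CURRENT_FULL` stored from the previous session, the early snapshot produces a "closed" alert naming the not-yet-started listeners, and the next full capture produces a second "opened" alert for the same ports, so a single spurious reboot alert is the expected signature of the check running too soon rather than of a stale `last-entry`.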
