Hi,
I have OSSEC running on a number of machines and on some of them I'm getting
frequent rule 533 alerts (listen ports changed). However, the notifications
don't make sense.
I've pasted the alerts.log output to http://pastebin.com/1Yn4xKS0
Basically: I don't see any difference. I copy-pasted both the before & after
to /tmp/1 and /tmp/2 and then diffed them... no difference. Identical.
The output also seems truncated. Both in this log message (notice the lack of
LISTEN on the last line), and even more truncated in the email notification.
I checked the source, more specifically ./src/analysisd/dodiff.c:
char flastcontent[OS_SIZE_8192 +1];
and:
./src/headers/defs.h:#define OS_SIZE_8192 8192
But maybe I'm looking at the wrong place.
The output was 1163 bytes. That doesn't seem like a logical truncation number (like
512, 1024, 2048...).
Any ideas? Is there some other buffer limit I should tweak?
Shouldn't it use a better default since a lot of people would be hit with this
limitation, especially for this 533 rule? That is, if the cause is really such
a buffer limitation.
I saw on the mailing list several messages about this but no solution.
Rule 533 is a rather useful alert so I really don't want to suppress it.
Regards,
Bram
PS: I had similar change warnings with the default rule "netstat -tan |grep
LISTEN |grep -v 127.0.0.1 | sort". I just added "-p" and the sed PID
replacement since I want to see program names (yeah, even though they can be spoofed).
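The post's pipeline (filter LISTEN, drop 127.0.0.1, strip the PID, sort) reduces to a normalized set comparison of two listings. The script below is an added example, not OSSEC's code or the poster's rule: it applies that normalization to two constructed netstat -tanp snapshots, separates real port changes from PID churn or reordering, and flags a listing that would not fit in the OS_SIZE_8192 buffer quoted above (whether that buffer is the actual cause of the truncation is not established here).

```python
import re
from typing import NamedTuple

# Buffer size quoted in the post (OS_SIZE_8192 in src/headers/defs.h); used here
# only to flag listings larger than that, not to assert it causes the truncation.
OS_SIZE_8192 = 8192

# Constructed netstat -tanp style output (Linux), not captured from a real host.
BEFORE = """\
tcp        0      0 0.0.0.0:22     0.0.0.0:*   LISTEN   812/sshd
tcp        0      0 127.0.0.1:3306 0.0.0.0:*   LISTEN   1201/mysqld
tcp        0      0 0.0.0.0:80     0.0.0.0:*   LISTEN   1410/nginx
tcp        0     52 10.0.0.5:22    10.0.0.9:51234 ESTABLISHED 2231/sshd
"""
AFTER = """\
tcp        0      0 0.0.0.0:80     0.0.0.0:*   LISTEN   1555/nginx
tcp        0      0 0.0.0.0:22     0.0.0.0:*   LISTEN   812/sshd
tcp        0      0 0.0.0.0:8080   0.0.0.0:*   LISTEN   1602/python3
tcp        0      0 127.0.0.1:3306 0.0.0.0:*   LISTEN   1201/mysqld
"""

class Result(NamedTuple):
    added: list
    removed: list
    cosmetic_only: bool   # raw text differs, but the normalized sets are equal
    exceeds_buffer: bool  # either raw listing is larger than the cap

def normalize(listing: str) -> list:
    """Mimic 'netstat -tanp | grep LISTEN | grep -v 127.0.0.1 | sort', replacing
    the PID with a fixed token so a restarted daemon alone never looks like a change."""
    out = []
    for line in listing.splitlines():
        if "LISTEN" not in line or "127.0.0.1" in line:
            continue
        fields = line.split()          # also collapses whitespace differences
        # last field is PID/Program: keep the program name, drop the PID
        fields[-1] = re.sub(r"^\d+/", "PID/", fields[-1])
        out.append(" ".join(fields))
    return sorted(out)

def compare_listings(before: str, after: str, cap: int = OS_SIZE_8192) -> Result:
    b, a = normalize(before), normalize(after)
    added = sorted(set(a) - set(b))
    removed = sorted(set(b) - set(a))
    cosmetic = before != after and not added and not removed
    too_big = max(len(before.encode()), len(after.encode())) > cap
    return Result(added, removed, cosmetic, too_big)
```

With the constructed input, the nginx PID change is ignored and only the new 0.0.0.0:8080 listener is reported; feeding two reordered copies of the same listing yields no added or removed lines but `cosmetic_only=True`.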