ossec check_diff and netstat


reg

Sep 2, 2010, 4:05:00 PM9/2/10
to ossec-list
I am trying to track listen port changes on our Linux hosts. I
followed the instructions in Daniel's blog. I got that working;
however, I was interested in fine-tuning the setup to try and limit
what netstat picks up and reports. Here is my setup.

In my agent.conf file, I have the following:


<agent_config name="host1|host2">
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat-ossec.sh</command>
  </localfile>
</agent_config>

Here is the actual command that is run. I tried using this full
command spelled out inside the XML, but for some reason OSSEC was
not handling the parsing of the command well.

What I end up with is just the protocol, the IP address, the port, and
process name if one is associated with the listening port.

netstat -lnp | grep -E 'udp|tcp' | awk '{print $1,$4,$6,$7}' \
  | awk '{sub(/[: \t]+$/, "")};1' | awk '{sub(/ LISTEN/, "")};1' \
  | awk 'BEGIN { FS = "[/ \t]" } ; { print $1,$2,$4 }'

I am sure someone with more AWK experience than I could come up with a
better way, but this works for me. I am open to advice.:-)

Here is the rule I created.

<rule id="140128" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'netstat-ossec</match>
  <check_diff />
  <description>Listen ports have changed.</description>
</rule>

I did have a few problems with setting this up. The first being what I
mentioned above, that OSSEC did not handle well lots of options and
pipes in the full_command field. The workaround was just to make the
command a script with its own name. I am in the process of making the
script more robust by adding options for ignoring certain processes.
The other issue had to do with modifying the command itself. Once it
was created, pushed to the client, and processed, I could not get
OSSEC to update the last-entry file on the server side. The only way
to work around this was to create a new rule number and delete the old.

-Reggie

Jason 'XenoPhage' Frisvold

Sep 4, 2010, 11:25:24 PM9/4/10
to ossec...@googlegroups.com

On Sep 2, 2010, at 4:05 PM, reg wrote:
> I am trying to track listen port changes on our Linux hosts. I
> followed the instructions in Daniel's blog. I got that working;
> however, I was interested in fine-tuning the setup to try and limit
> what netstat picks up and reports. Here is my setup.


This sounds interesting.. Can you post a link to the blog entry so I can have a go at this as well?

Thanks,

---------------------------
Jason 'XenoPhage' Frisvold
xeno...@godshell.com
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law


ddp...@gmail.com

Sep 4, 2010, 11:48:44 PM9/4/10
to ossec...@googlegroups.com
I don't have the link handy, but you can search for "command" on ossec.net to find it. You'd basically be looking for the full_command option.

Jason 'XenoPhage' Frisvold

Sep 4, 2010, 11:56:03 PM9/4/10
to ossec...@googlegroups.com

On Sep 4, 2010, at 11:48 PM, ddp...@gmail.com wrote:
> I don't have the link handy, but you can search for "command" on ossec.net to find it. You'd basically be looking for the full_command option.

Ah, excellent. I wasn't sure what blog was being referred to in the original post.. Found the post, though..

http://www.ossec.net/dcid/?p=198

Now to get it running.. :)

---------------------------
Jason 'XenoPhage' Frisvold
xeno...@godshell.com
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law

