Silence specific netstat port alerts


Jeremiah Brock

Jan 23, 2014, 2:29:21 PM
to ossec...@googlegroups.com
Hi All,

    Is there a way to silence alerts from Rule 533 netstat -tan for specific ports?

    I have tried the following rule in local_rules.xml to silence alerts about the Cloudmin/Webmin port which listens during status collection, but to no avail.

  <!-- Ignore Webmin Port Listening Changes -->
  <rule id="100032" level="0">
    <if_sid>533</if_sid>
    <match>tcp        0      0 0.0.0.0:10001</match>
    <description>Cloudmin talking over 10001</description>
  </rule>


    Here is the email alert :

OSSEC HIDS Notification.
2014 Jan 09 14:06:48

Received From: (ASERVER) XX.XXX.XX.XXX->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
Rule: 533 fired (level 7) -> "Listened ports status (netstat) changed (new port opened or closed)."
Portion of the log(s):

ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:10001           0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:20000           0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN    
tcp        0      0 XX.XXX.XX.XXX:53           0.0.0.0:*            

Previous output:
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN  

 --END OF NOTIFICATION


Hope you all have a great week,

~Jeremy

dan (ddp)

Jan 23, 2014, 2:32:59 PM
to ossec...@googlegroups.com
On Thu, Jan 23, 2014 at 2:29 PM, Jeremiah Brock
<jeremiah...@gmail.com> wrote:
> Hi All,
>
> Is there a way to silence alerts from Rule 533 netstat -tan for specific
> ports?
>
> I have tried the following rule in local_rules.xml to silence alerts
> about the Cloudmin/Webmin port which listens during status collection, but
> to no avail.
>
> <!-- Ignore Webmin Port Listening Changes -->
> <rule id="100032" level="0">
> <if_sid>533</if_sid>
> <match>tcp 0 0 0.0.0.0:10001</match>
> <description>Cloudmin talking over 10001</description>
> </rule>
>

Someone recently posted that they filter responses on the sensor. I
haven't looked into any of it, so I can't help much.

Jeremiah Brock

Jan 23, 2014, 6:05:50 PM
to ossec...@googlegroups.com
Thx Dan,

I actually figured it out; it was staring me in the face the whole time.

In the client-side ossec.conf netstat command, I added the port(s)
to the inverse grep -v and voila!

<localfile>
<log_format>full_command</log_format>
<command>netstat -tan |grep LISTEN |grep -v '127.0.0.1\|10001' | sort</command>
</localfile>


Hope you have an awesome week,

~Jeremy

scoobydooxp

Feb 9, 2014, 10:37:09 PM
to ossec...@googlegroups.com
Is there a way to run a custom netstat command? I'd really like to run the netstat check on our FTP server but every time an FTP Data connection is opened it uses a high port and OSSEC alerts. I wrote a netstat wrapper that uses the -p command to exclude vsftpd but cannot get it to run.

Thanks in advance!

Scooby
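Worked example, added here and not part of any post in the thread: a POSIX shell filter that covers both Jeremy's port exclusion and Scooby's wish to drop vsftpd's FTP data sockets from the netstat check. The `netstat -tanp` output is a constructed sample, and `filter_listen`, `naive_filter` and `count_lines` are names chosen for the example. It assumes the OSSEC `<command>` would call a wrapper script containing `filter_listen` instead of the inline pipeline, and that `netstat -p` runs with enough privilege to show the program name for every socket. The substring exclusion from the thread is kept beside it for contrast: anchoring on the local-address column stops `10001` from also matching a PID or a foreign address, and anchoring on the program-name column gives the vsftpd exclusion Scooby asked about.

```shell
#!/bin/sh
# Added example, not from the thread: anchored exclusions for the OSSEC
# netstat check. All names and the sample output below are constructed.

# Constructed sample of `netstat -tanp` output (nothing here is real data).
# The Webmin line on port 10000 is given PID 10001 on purpose: a bare
# `grep -v 10001` drops it along with the intended port-10001 line.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      10001/perl
tcp        0      0 0.0.0.0:10001           0.0.0.0:*               LISTEN      1505/perl
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      903/master
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1200/vsftpd
tcp        0      0 0.0.0.0:41210           0.0.0.0:*               LISTEN      1344/vsftpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1100/nginx
tcp        0      0 10.0.0.5:443            10.0.0.9:51234          ESTABLISHED 1100/nginx'

# ERE prefix matching the Proto, Recv-Q and Send-Q columns, so that whatever
# follows it is the Local Address column and nothing else.
LOCAL_COL='^tcp6?[[:space:]]+[0-9]+[[:space:]]+[0-9]+[[:space:]]+'

# filter_listen OUTPUT "PORT ..." "PROGRAM ..."
# Keeps LISTEN lines, drops loopback listeners, then drops the given local
# ports and program names. Ports are matched as ':PORT' at the end of the
# local address; programs as '/NAME' at the end of the PID/Program column.
filter_listen() {
    input=$1
    port_re=''
    for p in $2; do
        port_re="${port_re}${port_re:+|}${LOCAL_COL}[^[:space:]]*:${p}[[:space:]]"
    done
    prog_re=''
    for n in $3; do
        prog_re="${prog_re}${prog_re:+|}/${n}([[:space:]]|\$)"
    done
    printf '%s\n' "$input" \
        | grep LISTEN \
        | grep -v -E "${LOCAL_COL}127\.0\.0\.1:" \
        | { if [ -n "$port_re" ]; then grep -v -E "$port_re"; else cat; fi; } \
        | { if [ -n "$prog_re" ]; then grep -v -E "$prog_re"; else cat; fi; } \
        | sort
}

# naive_filter OUTPUT PORT: the substring exclusion from the thread, written
# with -E (instead of GNU grep's \|) so it runs on any grep. Kept for contrast.
naive_filter() {
    printf '%s\n' "$1" | grep LISTEN | grep -v -E "127.0.0.1|$2" | sort
}

# count_lines OUTPUT: number of listener lines in a filtered result.
count_lines() {
    printf '%s\n' "$1" | grep -c LISTEN
}

echo '--- anchored: ignore port 10001 (Webmin on 10000 survives) ---'
filter_listen "$SAMPLE_NETSTAT" "10001" ""
echo '--- anchored: ignore port 10001 and every vsftpd socket ---'
filter_listen "$SAMPLE_NETSTAT" "10001" "vsftpd"
echo '--- naive substring: ignore 10001 (also loses port 10000, PID 10001) ---'
naive_filter "$SAMPLE_NETSTAT" 10001
```

Two points for the OSSEC side. Whatever the wrapper prints must come out in a stable order (hence the final `sort`), because rule 533 fires on any change to the command output, not only on new ports. And an exclusion list silences genuine changes on those ports and programs too, so keep it to the ones that are known to churn, such as the Webmin status port or the FTP data listeners.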