MacOS Listened ports status (netstat) changed (new port opened or closed)


isaactyy

Mar 10, 2023, 1:43:45 AM
to Wazuh mailing list
Hi Communities,

I just installed the Wazuh agent on one of my MacOS VMs. As the enclosed images show, I receive a lot of Rule.id 553 (level 7) "Listened ports status (netstat) changed (new port opened or closed)" alerts every time I turn on the machine.

1. Does this event show that the Mac is constantly running netstat by itself by default, and so triggers rule.id 553 every time my client does something like Google browsing etc.? Does this only happen on MacOS every time the user turns on their Mac?

2. How should we analyze event 553 based on one of the enclosed full_log entries? How do I know which port to close for good if it is unused, or could we close it ourselves on the Mac endpoint?

Please advise.

Thanks & Best Regards,
Isaac
Snipaste_2023-03-10_13-33-22.jpg
fulllog1.jpg
fulllog3.jpg
fulllog2.jpg

Julian Bustamante Narvaez

Mar 10, 2023, 10:25:52 AM
to Wazuh mailing list

isaactyy

Mar 13, 2023, 1:11:21 AM
to Wazuh mailing list
Hi Julian, thank you so much for your reply. I apologize for the mistake in my previous message. The correct rule ID is 533, "Listened ports status (netstat) changed (new port opened or closed)."
I have a couple of questions regarding this event particularly on MacOS endpoint and how we should proceed:
Is it normal for MacOS to constantly run auto netstat by default and trigger rule ID 533 every time a user performs an action such as browsing the web? Does this only happen when the Mac is turned on, or is it a continuous process?
How should we analyze the event log for rule ID 533, which I have enclosed for your reference? Is there a way to determine which port(s) should be closed permanently if they are not being used, or can we simply close them on the Mac endpoint ourselves?
Thank you for your time and assistance in this matter. I look forward to hearing back from you.

Julian Bustamante Narvaez

Mar 13, 2023, 4:26:36 PM
to Wazuh mailing list
Hi,

I answer between the lines.

Is it normal for MacOS to constantly run auto netstat by default and trigger rule ID 533 every time a user performs an action such as browsing the web? Does this only happen when the Mac is turned on, or is it a continuous process?
Yes, by default it runs every 360 seconds (6 minutes).
See ossec.conf:
<localfile>
<log_format>full_command</log_format>
<command>netstat -an | grep -e "tcp" -e "udp" | sed -E 's/([[:alnum:]]*)\ *[[:digit:]]*\ *[[:digit:]]*\ *(.*)\.([0-9\*]*)\ +([0-9\.\*]+).+/\1 \2 == \3 == \4/' | sort -k 4 -g | sed 's/ == \(.*\) ==/.\1/'| uniq</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>

How should we analyze the event log for rule ID 533, which I have enclosed for your reference?
Rule 533 checks whether there was a change in the netstat command output (<check_diff>):
<rule id="533" level="7">
<if_sid>530</if_sid>
<match>ossec: output: 'netstat listening ports</match>
<check_diff />
<description>Listened ports status (netstat) changed (new port opened or closed).</description>
<group>pci_dss_10.2.7,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AU.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>


Is there a way to determine which port(s) should be closed permanently if they are not being used, or can we simply close them on the Mac endpoint ourselves?
You can check the command output manually to know whether any port changed.


Regards

isaactyy

Mar 15, 2023, 11:06:06 PM
to Wazuh mailing list

Dear Julian,


Thank you so much for your reply.


May I check with you, does Wazuh have a better way to detect abnormal port connections instead of checking every 6 minutes?

I understand that in the endpoint ossec.conf below it runs every 360 seconds (6 minutes), hence from all these observed security events for MacOS, "Listened ports status (netstat) changed (new port opened or closed)" is more like noise / a false positive. For example, every 6 minutes when the endpoint browses a website, event id:533 will be triggered.


3. Referring to the enclosed screenshot, if we analyze the eventid:533 level 7 full_log and want to close any unused port, is it based on the highlighted top portion only? And do we configure the user's Mac firewall setting to close it?

Please advise.

Thanks & Best Regards,

Isaac


To_Set_firewall (1).jpg

Julian Bustamante Narvaez

Mar 16, 2023, 3:28:44 PM
to Wazuh mailing list
Hi,
1. If you do not want to receive the alerts, you can increase the <frequency> value to a longer interval or remove that configuration from ossec.conf.

2. Yes, that's right.

3. The easiest way is to see which ports are open, check again after 6 minutes, compare, and manually close the port that is not in use.
Wazuh does not do this.
The hard way would be to write a script that records the ports before and after 6 minutes, then compares them, then writes the ports you want to close to a file; monitor that file and trigger a rule. For this you would need to create a rule and decoder, and when the rule fires you would configure active-response so that it executes a command that closes the port or ports you want.

It may be possible but it will take a lot of work.

Greetings
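
The following is an added example; it is not Wazuh's code and not something Julian posted. It ties together two points from the replies above: rule 533 only reports that the netstat output differs from the previous run (<check_diff />), not which port changed, and the <command> in the default localfile greps every tcp/udp line, so established client connections (with their ephemeral ports and remote addresses) are part of the compared output, and any new outbound connection made since the last run, a browser session for instance, changes it. The script below does the "hard way" comparison with two snapshots: it reduces macOS `netstat -an` output to listening sockets (TCP in LISTEN state plus bound UDP sockets) and then uses comm(1) to name each port opened or closed between the snapshots. The netstat text embedded in it is constructed sample data in the macOS column layout, and the function and variable names are my own.

```sh
#!/bin/sh
# Added example (not part of Wazuh or of this thread): diff two snapshots of
# listening ports on macOS so that rule 533's "changed" becomes "which port".
# Needs only POSIX sh, awk, sort and comm; the netstat text is constructed.
export LC_ALL=C   # byte-order sorting so comm(1) agrees with sort(1)

# Constructed sample of `netstat -an` on macOS, first run (not a real capture).
SAMPLE_BEFORE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  192.168.1.5.52341      142.250.1.1.443        ESTABLISHED
udp4       0      0  *.5353                 *.*'

# Constructed second run, 6 minutes later: the browser connection moved to a
# new ephemeral port and remote host (noise), port 631 stopped listening, and
# something new is listening on TCP 5900.
SAMPLE_AFTER='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp6       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  192.168.1.5.52390      104.16.1.1.443         ESTABLISHED
tcp4       0      0  192.168.1.5.52391      104.16.1.1.443         TIME_WAIT
udp4       0      0  *.5353                 *.*'

# Reduce netstat output (stdin) to sockets that accept traffic: TCP sockets in
# LISTEN state and bound UDP sockets. Client connections (ESTABLISHED,
# TIME_WAIT, ...) are dropped, so ordinary web browsing no longer changes the
# result. Output is one sorted "proto local-address" line per socket.
normalize_listening() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { print $1, $4 }
         $1 ~ /^udp/                    { print $1, $4 }' | sort -u
}

# Compare two normalised snapshot files and print "opened: ..." and
# "closed: ..." lines. Returns 0 when nothing changed and 1 when something
# did, so the result can gate an alert or an active-response script.
port_diff() {
    opened_ports=$(comm -13 "$1" "$2")   # lines only in the new snapshot
    closed_ports=$(comm -23 "$1" "$2")   # lines only in the old snapshot
    if [ -n "$opened_ports" ]; then
        printf '%s\n' "$opened_ports" | sed 's/^/opened: /'
    fi
    if [ -n "$closed_ports" ]; then
        printf '%s\n' "$closed_ports" | sed 's/^/closed: /'
    fi
    if [ -z "$opened_ports" ] && [ -z "$closed_ports" ]; then
        return 0
    fi
    return 1
}

# Demo: snapshot both samples and report what changed between them.
snap_prev=$(mktemp); snap_cur=$(mktemp)
printf '%s\n' "$SAMPLE_BEFORE" | normalize_listening > "$snap_prev"
printf '%s\n' "$SAMPLE_AFTER"  | normalize_listening > "$snap_cur"
if port_diff "$snap_prev" "$snap_cur"; then
    echo "listening ports unchanged"
fi
rm -f "$snap_prev" "$snap_cur"
```

On a real Mac you would feed `netstat -an | normalize_listening` into a file on each run and call port_diff against the previous file; the two ESTABLISHED/TIME_WAIT lines that differ between the samples produce no output at all, only the 631 and 5900 changes do. If you keep Wazuh's 6-minute full_command check, the same idea applies there: restricting the <command> to LISTEN-state and UDP lines (my suggestion, not something the thread's configuration does) would stop ordinary browsing from tripping rule 533.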

isaactyy

Mar 19, 2023, 10:11:27 PM
to Wazuh mailing list
Hi Julian,

Thank you for your email. I appreciate your suggestions and insights. I will follow your advice, monitor the ports manually, and maybe ignore the event.

Thank you again for your help and support.

Best regards,
Isaac

Julian Bustamante Narvaez

Mar 21, 2023, 11:41:22 AM
to Wazuh mailing list
Hi, you can close a port manually like this.

sudo lsof -nP -i :<port_number>   # on macOS netstat has no -p <pid> option; lsof lists the PID that owns the socket
kill <pid>   # SIGTERM first; use kill -9 <pid> only if the process does not exit. The port stays closed only until whatever started the process (e.g. launchd) relaunches it



Regards.