Listened ports status (netstat) changed (new port opened or closed)// Alert level 7

[YamamaCement]

Hello!

Am receiving this email alert for more than 200 times. Can you please inform me how to fix it, and why am getting it!

Below is a sample of the email alert:

[Jesús Sánchez de Lechina Tejada]

Hi!

All the alerts that Wazuh generates can be checked on the wazuh-ruleset repository. Besides, to understand how rules work you can take a look at the rules XML syntax. Looking for this specific rule we can find the following information:

The alert belongs to a group of process monitoring rules. More specifically analyzes the output of the netstat command to check if ports are being opened or closed (it monitors if the output of the netstat command has changed).

So this means that any processes on your host is creating or deleting some ports. If this is an unexpected behavior it is an alert that should be investigated. If otherwise this port modifications are expected and these alerts are considered noisy, you could lower the level of this specific alert below the threshold level to trip alarms (usually 3). To do so you can follow this example in our documentation.

I hope this helps you out. Let me know if you have any more questions about this topic.

Regards,

Jesús