Monitor services and ports running on agents


ektadhu...@gmail.com

Mar 3, 2021, 5:42:47 AM
to Wazuh mailing list
Hi Team,

How we can monitor services running on the agents and the open ports.

Regards,
Ekta

victor....@wazuh.com

Mar 3, 2021, 11:42:48 AM
to Wazuh mailing list
Hello Ekta,

When Syscollector is enabled, you can generate alerts using it https://documentation.wazuh.com/current/user-manual/capabilities/syscollector.html#how-it-works. With Syscollector it is possible to monitor open ports and processes. Check out this example rule:

<rule id="100001" level="5">
  <if_sid>221</if_sid>
  <decoded_as>syscollector</decoded_as>
  <field name="netinfo.iface.name">eth0</field>
  <description>eth0 interface enabled. IP: $(netinfo.iface.ipv4.address)</description>
</rule>


This rule will be triggered when the interface eth0 of an agent is enabled and will show which IPv4 address that interface has.

In order to trigger alerts with Syscollector rules, you should increase the alert level or create child rules that depend on it.

If Syscollector is not specific enough for your use case, you can monitor the services and ports of your agents using command monitoring. You can configure it using centralized configuration (https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html) or by editing your agent configuration directly (https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/index.html#reference-ossec-conf).

  • Monitoring services:

Use this <localfile> block in your agent configuration:

<localfile>
   <log_format>full_command</log_format>
   <command>ps -auxw</command>
   <frequency>frequency-in-seconds</frequency>
</localfile>


This will run the ps -auxw command in your agent every frequency-in-seconds seconds. In order to create an alert in your Wazuh manager, use these rules:

<rule id="100010" level="6">
  <if_sid>530</if_sid>
  <match>^ossec: output: 'ps -auxw'</match>
  <description>Important process not running </description>
  <group>process_monitor,</group>
</rule>

<rule id="100011" level="0">
  <if_sid>100010</if_sid>
  <match>process-name</match>
  <description>Processes running as expected</description>
  <group>process_monitor,</group>
</rule>


The first rule (100010) will generate an alert (“Important process not running”), unless it is overridden by its child rule (100011) that matches process-name in the command output.

You may add as many child rules as you need to monitor every important process you want.

In the case of Windows agents, you need to replace ps -auxw with tasklist.

  • Monitoring open ports

Use this <localfile> block to monitor for changes in your agent's listening sockets.

<localfile>
  <log_format>full_command</log_format>
  <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
  <alias>netstat listening ports</alias>
  <frequency>360</frequency>
</localfile>



In this case, the Linux netstat command is used along with the check_diff option to monitor for changes in listening sockets.

Wazuh already has a rule to monitor this:

<rule id="533" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'netstat listening ports</match>
  <check_diff />
  <description>Listened ports status (netstat) changed (new port opened or closed).</description>
  <group>pci_dss_10.2.7,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,</group>
</rule>


If the output changes, the system will generate an alert indicating a network listener has disappeared or a new one has appeared.

For more information check out this documentation page: https://documentation.wazuh.com/current/user-manual/capabilities/command-monitoring/command-configuration.html
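The two command-monitoring pieces in the reply above, the ps-based parent/child rule pair and the netstat snapshot that rule 533 compares with check_diff, can be exercised outside Wazuh with the following POSIX shell script. This is an added example, not code from the thread or from Wazuh itself: the ps and netstat samples are constructed, and the functions normalize_listeners, diff_listeners, check_for_changes and missing_processes are the example's own names. It shows what check_diff effectively reacts to, a textual difference between two stored snapshots, which is why the pipeline in the reply sorts the listeners by port before the output is handed to the manager.

```shell
#!/bin/sh
# Added example (not from the thread or from Wazuh). Reproduces, outside the
# manager, what the two command-monitoring rules in the reply see.

# Constructed `netstat -tulpn` output before and after a change (not captured
# from a real host). Between the two snapshots mysqld stopped listening and a
# new listener appeared on port 8080.
SNAPSHOT_BEFORE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1021/mysqld
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient'

SNAPSHOT_AFTER='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2277/python3
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient'

# Turn raw netstat output (on stdin) into stable "proto local_address program"
# lines. The two header lines are dropped (as the reply's `sed 1,2d` does) and
# the result is sorted by port number. Sorting matters: check_diff compares
# text, so a different line order alone would be reported as a change.
normalize_listeners() {
    sed 1,2d |
        awk '{ port = $4; sub(/.*:/, "", port); print port, $1, $4, $NF }' |
        sort -k1,1 -n |
        cut -d' ' -f2-
}

# Compare two normalized snapshot files and print one line per change:
# "opened <entry>" for new listeners, "closed <entry>" for vanished ones.
diff_listeners() {
    old=$1
    new=$2
    # comm needs lexically sorted input, so re-sort copies of both files.
    sort "$old" > "$old.sorted"
    sort "$new" > "$new.sorted"
    comm -13 "$old.sorted" "$new.sorted" | sed 's/^/opened /'
    comm -23 "$old.sorted" "$new.sorted" | sed 's/^/closed /'
    rm -f "$old.sorted" "$new.sorted"
}

# Driver: normalize both constructed snapshots and report the differences,
# which is the information rule 533 summarizes as "new port opened or closed".
check_for_changes() {
    before=$(mktemp)
    after=$(mktemp)
    printf '%s\n' "$SNAPSHOT_BEFORE" | normalize_listeners > "$before"
    printf '%s\n' "$SNAPSHOT_AFTER" | normalize_listeners > "$after"
    diff_listeners "$before" "$after"
    rm -f "$before" "$after"
}

# Constructed `ps -auxw` output (not from a real host).
PS_OUTPUT='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 16964 1040 ? Ss 10:00 0:01 /sbin/init
root 812 0.0 0.3 72300 6000 ? Ss 10:00 0:00 /usr/sbin/sshd -D
mysql 1021 0.2 3.1 1200000 130000 ? Ssl 10:00 0:12 /usr/sbin/mysqld'

# Mirror of the parent/child rule pair (100010/100011): for every required
# process name, the parent's "Important process not running" alert stands
# unless a child <match> finds that name in the command output. Each name is
# checked on its own, as one rule pair per process would do.
# Usage: missing_processes "sshd mysqld nginx"  -> prints the names not found.
missing_processes() {
    for name in $1; do
        printf '%s\n' "$PS_OUTPUT" | grep -q -- "$name" || printf '%s\n' "$name"
    done
}

check_for_changes
missing_processes "sshd mysqld nginx"
```

Run it as-is to see "opened tcp 0.0.0.0:8080 2277/python3", "closed tcp 127.0.0.1:3306 1021/mysqld" and "nginx" as the one required process that is absent; on a real agent the same two functions can be fed live `netstat -tulpn` and `ps -auxw` output to preview what the manager will alert on.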

ektadhu...@gmail.com

Mar 4, 2021, 6:16:54 AM
to Wazuh mailing list
Hi Victor,

What is ps -auxw command?

Regards,
Ekta

victor....@wazuh.com

Mar 4, 2021, 10:26:06 AM
to Wazuh mailing list
ps is a Unix system command that displays the currently running processes, where -auxw means:

a: Show all users' processes
u: Display the owner of the process
x: Show processes not attached to a terminal
w: Wide output

Ghulam Muhy ud Din

Mar 21, 2024, 6:00:24 PM
to Wazuh | Mailing List
Hi,
Can you help in achieving open ports detection on Windows? I see there is no such rule on Wazuh for Windows. I might be wrong.

Hatem

Mar 25, 2024, 6:16:07 AM
to Ghulam Muhy ud Din, Wazuh | Mailing List
Any help?
