netstat listening ports adjustment


Yossif Helmy

May 11, 2024, 12:48:24 AM
to Wazuh | Mailing List
Hello and good day.

The rule "netstat listening ports" with the rule id 533 has been flooding the alerts with logs because two services are constantly closing and opening. Let's say these two services are service1 and service2. I tried to remove them from the command log to reduce the hassle; however, it didn't work. The command I used:
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed '/service1\|service2/d' | sed 1,2d</command>

Can you tell me why it doesn't work?

John E

May 13, 2024, 4:09:20 AM
to Wazuh | Mailing List
Hello Yossif,
I am currently investigating this and will revert shortly.

John E

May 13, 2024, 9:21:40 AM
to Wazuh | Mailing List
Hello Yossif,

After carefully evaluating your requirement, here is the recommended way to tackle it.

Create the file if you have not already done so: touch /etc/wazuh/rules/local_rules.xml

  <rule id="533" level="0">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat listening ports</match>
    <check_diff />
    <field name="serviceName">yourservicename</field>
    <description>Listened ports status (netstat) changed (new port opened or closed) SILENCED.</description>
    <group>pci_dss_10.2.7,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AU.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

You will notice that the rule level is reduced to 0, which will make this rule not generate an alert.

Regards

Yossif Helmy

May 13, 2024, 11:12:46 AM
to Wazuh | Mailing List
Hello John,

Good day. I apologize if my message wasn't clear. My problem was with service1 and service2, which I want to completely delete from the raw log by using the sed command. Kindly check the first message and you will see the method I used to solve the problem. That method worked on a test machine of mine; however, it does not work in the production environment. If you have any inquiries about my issue, feel free to contact me. Thank you for your attention.

BR,

John E

May 15, 2024, 6:01:41 AM
to Wazuh | Mailing List
Hello Yossif,

I'm sorry for not getting back to you sooner.

I have tested the command and it works fine for selected services.

netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed '/cupsd\|python3/d' | sed 1,2d

The above code correctly strips out cupsd and python3 services.

The reason it is not working in your production environment could be that the services are not appearing when the netstat command is run. You can troubleshoot that by running netstat -tulpn first to see the listed services, then insert the names in the code just like above and see if they get stripped.

Regards
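An added example (not from this thread or from Wazuh) that reproduces the posted pipeline on constructed `netstat -tulpn` output, so the effect of the trailing filter can be checked offline before it is placed in the agent's command. The sample lines, PIDs and program names are made up, and `strip_services_exact` is an added variant that matches only the program-name field.

```shell
#!/bin/sh
# Added example: the Wazuh "netstat listening ports" normalisation from the
# thread, run over constructed netstat output instead of a live host.
# LC_ALL=C keeps sort's tie-breaking byte-wise and therefore reproducible.
export LC_ALL=C

# Constructed sample of `netstat -tulpn` output (PIDs and names are made up).
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      945/cupsd
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      1020/python3
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           700/dhclient
udp        0      0 0.0.0.0:323             0.0.0.0:*                           652/chronyd'

# Stock normalisation as posted: each line becomes "proto local:port foreign
# pid/program", sorted by port. The two header lines carry no number in field 4,
# so `sort -g` places them first and the final `sed 1,2d` drops them.
normalize() {
  sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' |
    sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/'
}

# Filter exactly as posted: a plain regex over the whole normalised line.
# Note: the `\|` alternation is a GNU sed extension; the name must appear as
# netstat prints it (names are truncated to the column width).
strip_services() {   # $1 = pattern, e.g. 'cupsd\|python3'
  normalize | sed "/$1/d" | sed 1,2d
}

# Added tighter variant: anchor on the program-name field at the end of the
# line, so a partial name such as "ssh" no longer silences "sshd" and a word
# from the header lines can never be matched by accident.
strip_services_exact() {   # $1 = alternation of exact names
  normalize | sed "/\/\($1\)\$/d" | sed 1,2d
}

main() {
  printf '%s\n' "$SAMPLE" | strip_services 'cupsd\|python3'
}

main
```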

Yossif Helmy

May 15, 2024, 1:31:38 PM
to Wazuh | Mailing List
Thank you.