You can use active response to verify an alert:

local_rules.xml

<!-- DEMOTE the netstat rule and make it STFU -->
<rule id="100000" level="1">
  <match>ossec: output: 'netstat'</match>
  <options>no_email_alert</options>
  <description>Netstat Listening Ports Changed, verify</description>
</rule>

<!-- Escalate if we verify --> 
<rule id="100001" level="12">
  <decoded_as>ossec-ar-verify</decoded_as>
  <match>^netstat</match>
  <description>Netstat Verified Listening Ports Changed</description>
</rule>

ossec.conf

  <command>
    <name>ossec-ar-verify-netstat</name>
    <executable>ossec-ar-verify-netstat.sh</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <command>ossec-ar-verify-netstat</command>
    <location>local</location>
    <rules_id>100000</rules_id>
  </active-response>

<!-- OSSEC ActiveResponse to Verify Alerts -->

<decoder name="ossec-ar-verify">
    <program_name>ossec-ar-verify</program_name>
</decoder>


<!--
    Crontab Verify Sample:
     - Aug 30 16:33:13 puppet-03 ossec-ar-verify: crontab root control:puppet - puppet:2012-05-23T10:39:36 file:2012-08-30T14:33:13
-->
<decoder name="ossec-ar-verify-crontab">
    <parent>ossec-ar-verify</parent>
    <prematch>^crontab </prematch>
    <regex offset="after_prematch">^(\S+)</regex>
    <order>user</order>
</decoder>

<decoder name="ossec-ar-verify-file">
    <parent>ossec-ar-verify</parent>
    <prematch>^file </prematch>
    <regex offset="after_prematch">^(\S+)</regex>
    <order>action</order>
</decoder>

<decoder name="ossec-ar-verify-netstat">
    <parent>ossec-ar-verify</parent>
    <prematch>^netstat </prematch>
    <regex offset="after_prematch">^(\S+)</regex>
    <order>srcport</order>
</decoder>

Then have your script run netstat with your wrapper and compare it to the 
previous run, though you’ll need to baseline it either via your config 
management system or by looking at the OSSEC history in /var/ossec/queue/diff/, 
though I don’t remember off-hand where those are stored.  If there’s a new 
port, then:
     logger -t ossec-ar-verify "netstat $PORT new/missing/whatever"

And if there are no results, just don’t syslog anything.  Really easy way to 
abuse ActiveResponse to work for you.

-- 
Brad Lhotsky
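As an added example (not part of the original post or of OSSEC itself), one way to fill in the ossec-ar-verify-netstat.sh script referenced by the <command> stanza above: it snapshots listening ports, diffs them against a baseline, skips a port range that churns by design (the passive-FTP data range from the question), and syslogs each change under the ossec-ar-verify tag in the "netstat $PORT new/missing" shape the decoders expect. The baseline path, the ignore range and the embedded netstat sample are constructed assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not part of the original post): a possible body for the
# ossec-ar-verify-netstat.sh script named in the <command> stanza above.
# OSSEC invokes active-response scripts as:
#   ossec-ar-verify-netstat.sh add <user> <srcip> <alert-id> <rule-id> ...
# The script snapshots listening ports, diffs them against a baseline and
# syslogs each change under the ossec-ar-verify tag so rule 100001 escalates.
# Assumptions (hypothetical, adapt per host): BASELINE path, IGNORE_RANGES.
export LC_ALL=C                      # sort and comm must agree on ordering

BASELINE="${BASELINE:-/var/ossec/etc/netstat-baseline.txt}"  # assumed path
LOG_TAG="ossec-ar-verify"            # must match the decoder's program_name
# Port ranges that churn by design (e.g. a passive-FTP data range), "low-high"
IGNORE_RANGES="${IGNORE_RANGES:-50000-51000}"

# Turn raw `netstat -ltun` output (stdin) into sorted, unique "proto/port"
# lines. Handles IPv4 (0.0.0.0:22) and IPv6 (:::22) local addresses.
normalize_ports() {
    awk '$1 ~ /^(tcp|tcp6|udp|udp6)$/ && $4 ~ /:[0-9]+$/ {
            proto = ($1 ~ /^tcp/) ? "tcp" : "udp"
            n = split($4, a, ":")
            print proto "/" a[n]
         }' | sort -u
}

# Return 0 when $1 (a port number) lies inside one of IGNORE_RANGES.
in_ignore_range() {
    for r in $IGNORE_RANGES; do
        lo="${r%-*}"; hi="${r#*-}"
        if [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]; then return 0; fi
    done
    return 1
}

# Drop proto/port lines whose port is in an ignored range.
filter_ignored() {
    while IFS= read -r entry; do
        in_ignore_range "${entry#*/}" || printf '%s\n' "$entry"
    done
}

# Diff two sorted snapshot files: "new proto/port" for entries only in the
# current file, "missing proto/port" for entries only in the baseline.
# Prints nothing when they match, so nothing is logged and nothing escalates.
diff_ports() {  # $1 = baseline file, $2 = current file
    comm -13 "$1" "$2" | sed 's/^/new /'
    comm -23 "$1" "$2" | sed 's/^/missing /'
}

# Render one diff line as the syslog message the decoders above expect:
# "netstat <port> <new|missing> <proto>", so (\S+) after "netstat " is the port.
format_message() {  # $1 = e.g. "new tcp/2222"
    kind="${1%% *}"; entry="${1#* }"
    printf 'netstat %s %s %s\n' "${entry#*/}" "$kind" "${entry%/*}"
}

# Constructed sample netstat output (not captured from a real host) so the
# comparison can be exercised offline; the 50123 entry falls in IGNORE_RANGES.
SAMPLE_BASELINE_RAW='tcp   0 0 0.0.0.0:22   0.0.0.0:* LISTEN
tcp6  0 0 :::21        :::*      LISTEN
udp   0 0 0.0.0.0:68   0.0.0.0:*'
SAMPLE_CURRENT_RAW='tcp   0 0 0.0.0.0:22      0.0.0.0:* LISTEN
tcp   0 0 0.0.0.0:2222    0.0.0.0:* LISTEN
tcp   0 0 127.0.0.1:50123 0.0.0.0:* LISTEN
udp   0 0 0.0.0.0:68      0.0.0.0:*'

# Offline run over the constructed samples; prints the messages that would be
# handed to logger (here: "netstat 2222 new tcp" then "netstat 21 missing tcp").
demo_diff() {
    b="$(mktemp)"; c="$(mktemp)"
    printf '%s\n' "$SAMPLE_BASELINE_RAW" | normalize_ports | filter_ignored > "$b"
    printf '%s\n' "$SAMPLE_CURRENT_RAW"  | normalize_ports | filter_ignored > "$c"
    diff_ports "$b" "$c" | while IFS= read -r change; do format_message "$change"; done
    rm -f "$b" "$c"
}

main() {
    cur="$(mktemp)"
    netstat -ltun 2>/dev/null | normalize_ports | filter_ignored > "$cur"
    if [ ! -f "$BASELINE" ]; then
        cp "$cur" "$BASELINE"        # first run: seed the baseline, no alert
        rm -f "$cur"; return 0
    fi
    # The baseline is only ever changed by the admin or config management, so
    # an unexplained port keeps being reported on every verification run.
    diff_ports "$BASELINE" "$cur" | while IFS= read -r change; do
        logger -t "$LOG_TAG" "$(format_message "$change")"
    done
    rm -f "$cur"
}

# OSSEC passes "add" when the triggering rule fires; "delete" never arrives
# because timeout_allowed is "no". With no arguments only the functions load.
case "${1:-}" in add) main "$@" ;; esac
```

To check the decoder and rule chain without waiting for a real change, feed a line in the shape the script logs to ossec-logtest, e.g. `echo "Feb 10 05:00:00 host ossec-ar-verify: netstat 2222 new tcp" | /var/ossec/bin/ossec-logtest`, and confirm it decodes as ossec-ar-verify with srcport 2222 and fires rule 100001 at level 12.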

On 10 Feb 2014 at 04:49:35, scoobydooxp (ajprow...@gmail.com) wrote:

I'd really like to run the netstat check on our FTP server. Whenever an FTP 
Data connection opens on a random high port, OSSEC alerts about netstat 
changing. Is there a way to run a custom netstat wrapper? I wrote a netstat 
wrapper that uses -p to exclude vsftpd high ports but OSSEC does not seem to 
like the command. Any tips please?

Thanks in advance,
Scooby
--
 
---
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
