grep -nr netstat
etc/rules/ossec_rules.xml:151:      <match>ossec: output: 'netstat -tan</match>
etc/rules/ossec_rules.xml:153:      <description>Listened ports status (netstat) changed (new port opened or closed).</description>
doc/rootcheck.txt:65:  bind to the port (it's being used), but netstat does not
doc/pl/rootcheck.txt:59:  (czyli jest używany), a "netstat" go nie pokazuje, to prawdopodobnie
install.sh:335:    echo "      <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>" >> $NEWCONFIG
src/rootcheck/db/rootkit_trojans.txt:51:netstat !bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h!
src/rootcheck/db/rootkit_files.txt:116:usr/bin/lnetstat ! Rh-Sharpe ::
src/rootcheck/db/rootkit_files.txt:117:bin/lnetstat ! Rh-Sharpe ::
src/rootcheck/check_rc_ports.c:19:/* SunOS netstat */
src/rootcheck/check_rc_ports.c:21:#define NETSTAT "netstat -an -P %s | "\
src/rootcheck/check_rc_ports.c:26:#define NETSTAT "netstat -an -p %s | "\
src/rootcheck/check_rc_ports.c:31:#define NETSTAT_LIST "netstat -an | grep \"^%s\" | "\
src/rootcheck/check_rc_ports.c:33:#define NETSTAT "netstat -an | grep \"^%s\" | " \
src/rootcheck/check_rc_ports.c:38:#define NETSTAT "netstat -an | grep \"^%s\" | " \
src/rootcheck/check_rc_ports.c:43:int run_netstat(int proto, int port)
src/rootcheck/check_rc_ports.c:130:    /* Checking if we can find it using netstat, if not,
src/rootcheck/check_rc_ports.c:133:    if(run_netstat(proto, i))
src/rootcheck/check_rc_ports.c:147:    if(!run_netstat(proto, i) && conn_port(proto, i))
src/rootcheck/check_rc_ports.c:155:    "version of netstat.", i,
contrib/util.sh:19:    #echo "Example: $0 addcommand 'netstat -tan |grep LISTEN| grep -v 127.0.0.1'"

which one ?

On Tue, Jan 13, 2015 at 6:17 AM, Yaniv Ron <y...@viber.com> wrote:
> Thanks,
> but I cannot find the file in the whole directory, however I did see it
> after compilation.
> Can you help me locate what creates ossec.mc ? (maybe I can remove it
> from there)
>
> On Tue, Jan 13, 2015 at 5:01 AM, dan (ddp) <ddp...@gmail.com> wrote:
>> On Tue, Jan 13, 2015 at 7:58 AM, Yaniv Ron <y...@viber.com> wrote:
>> > Thanks,
>> > but is there a more reasonable way to do it on 1 package and then
>> > deploy it ?
>> > And if so...how ? (I tried compiling an RPM and set "n" for root check
>> > on /ossec-hids-2.8.1/etc/preloaded-vars.conf but it doesn't work).
>> >
>> > # If USER_ENABLE_ROOTCHECK is set to "y",
>> > # rootcheck will be enabled. Set to "n" to
>> > # disable it.
>> > USER_ENABLE_ROOTCHECK="n"
>>
>> Sure, modify src/etc/ossec.mc (I think) to remove that entry.
>>
>> > On Tue, Jan 13, 2015 at 4:50 AM, dan (ddp) <ddp...@gmail.com> wrote:
>> >> On Tue, Jan 13, 2015 at 7:44 AM, Yaniv Ron <y...@viber.com> wrote:
>> >> > Hi All,
>> >> >
>> >> > I would like to disable the agents from running the command netstat,
>> >> > how can I do it ?
>> >> > (I tried reading the document on the OSSEC site but unfortunately I
>> >> > couldn't find anything)
>> >>
>> >> Remove the appropriate <localfile> entry in the agent's ossec.conf.
>> >>
>> >> > --
>> >> > Yaniv Ron
>> >> > +972-3-7298582
>> >> > Security Department | Viber S.a.r.l | www.viber.com | y...@viber.com

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
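Editor's note, an added example that is not part of the thread and not OSSEC project code. The grep output above shows netstat reached from two separate places: the command-monitor <localfile> that install.sh appends to the generated config (the `netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort` line), and rootcheck's own port check in src/rootcheck/check_rc_ports.c. Only the first is the <localfile> entry dan points at in his first reply. The script below strips that entry from an already-generated ossec.conf, which is the step one would run in a package build (e.g. an RPM %install section) so every deployed agent gets the same file. The sample config is constructed here; the netstat <command> string is copied from the install.sh hit above. Because ossec.conf may contain several top-level <ossec_config> elements, the file is handled as text rather than parsed as one XML document, and netstat is matched as a command word so that a path such as /usr/bin/lnetstat from the rootkit database would not be mistaken for it.

```python
"""Strip the netstat command-monitor <localfile> entry from an OSSEC agent ossec.conf.

Added example, not OSSEC project code. Removes every <localfile> block whose
<log_format> is "command" (or "full_command") and whose <command> invokes
netstat, leaving all other <localfile> entries and the <rootcheck> section as
they are. ossec.conf may hold several top-level <ossec_config> elements, so
the file is treated as text instead of being parsed as a single XML tree.
"""
import re
import sys
from typing import Tuple

# One <localfile>...</localfile> block, plus its indentation, trailing newline
# and at most one following blank line so the surrounding layout stays tidy.
LOCALFILE_RE = re.compile(
    r"[ \t]*<localfile>.*?</localfile>[ \t]*\n?(?:[ \t]*\n)?", re.DOTALL
)
COMMAND_RE = re.compile(r"<command>(.*?)</command>", re.DOTALL)
LOG_FORMAT_RE = re.compile(r"<log_format>\s*(?:full_)?command\s*</log_format>")
# netstat as a command word: start of string, or after whitespace, a pipe,
# ';', '&' or a path separator. "lnetstat" therefore does not match.
NETSTAT_WORD_RE = re.compile(r"(?:^|[\s|;&/])netstat\b")


def is_netstat_command_block(block: str) -> bool:
    """True if this <localfile> block is a command monitor that runs netstat."""
    if not LOG_FORMAT_RE.search(block):
        return False
    m = COMMAND_RE.search(block)
    return bool(m and NETSTAT_WORD_RE.search(m.group(1)))


def strip_netstat_monitor(conf: str) -> Tuple[str, int]:
    """Return (config without netstat command monitors, number of blocks removed)."""
    removed = 0

    def repl(m: "re.Match[str]") -> str:
        nonlocal removed
        if is_netstat_command_block(m.group(0)):
            removed += 1
            return ""
        return m.group(0)

    return LOCALFILE_RE.sub(repl, conf), removed


# Constructed sample config: a syslog entry and a "df -P" command monitor that
# must survive, and the netstat block install.sh writes (string taken from the
# grep hit on install.sh:335).
SAMPLE_CONF = """<ossec_config>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
  </rootcheck>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>command</log_format>
    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
  </localfile>

  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
  </localfile>
</ossec_config>
"""

if __name__ == "__main__":
    # Usage: python strip_netstat.py /var/ossec/etc/ossec.conf  (rewrites in place)
    # With no argument it runs on the constructed sample and prints the result.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
        new_text, count = strip_netstat_monitor(text)
        with open(sys.argv[1], "w") as fh:
            fh.write(new_text)
    else:
        new_text, count = strip_netstat_monitor(SAMPLE_CONF)
        print(new_text)
    print(f"removed {count} netstat command block(s)")
```

Once the entry is gone the agent never emits the `ossec: output: 'netstat -tan` lines, so the server-side rule at etc/rules/ossec_rules.xml:151-153 simply stops firing; nothing needs to change on the manager. Note that this does not touch rootcheck's port check, which is what USER_ENABLE_ROOTCHECK in preloaded-vars.conf governs.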