Hi, 

Any news about this topic? 
I also need to disable the "netstat" part (preferably disabling it 
globally on the management server). Is this possible? 

best regards 

philipp 

On Tuesday, January 13, 2015 at 1:43:21 PM UTC+1, Yaniv Ron wrote:
>
> How can I import the agents without this command ? (meaning that I do not 
> want my agents to run it at all)
>
>
> On Mon, Jan 12, 2015 at 6:42 PM, Ming <pomi...@gmail.com> wrote:
>
>> Thanks Dan, opened an issue here: 
>> https://github.com/ossec/ossec-hids/issues/495
>>
>>
>>
>> On Thursday, January 8, 2015 at 9:38:32 PM UTC+8, dan (ddpbsd) wrote:
>>>
>>> On Wed, Jan 7, 2015 at 9:39 PM, Ming <pomi...@gmail.com> wrote: 
>>> > Thanks Dan, 
>>> > 
>>> > It works! Do you think it will be included in a coming update of ossec? 
>>> > 
>>>
>>> It's never come up before. Please open an issue about it on 
>>> https://github.com/ossec/ossec-hids and it'll get some attention. 
>>>
>>> > 
>>> > 
>>> > On Wednesday, January 7, 2015 at 9:12:29 PM UTC+8, dan (ddpbsd) wrote: 
>>> >> 
>>> >> On Mon, Jan 5, 2015 at 10:56 PM, Ming <pomi...@gmail.com> wrote: 
>>> >> > Hi all, 
>>> >> > 
>>> >> > I received an alert for a port change; however, there is no change, 
>>> >> > only a change in "Recv-Q". How can I correct it to properly detect 
>>> >> > port changes? 
>>> >> > Thank you all. 
>>> >> > 
>>> >> > OSSEC version: 2.8.1 
>>> >> > 
>>> >> > 
>>> >> > OSSEC HIDS Notification. 
>>> >> > 2015 Jan 06 11:21:11 
>>> >> > 
>>> >> > Received From: www->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort 
>>> >> > Rule: 533 fired (level 7) -> "Listened ports status (netstat) changed (new port opened or closed)." 
>>> >> > Portion of the log(s): 
>>> >> > 
>>> >> > ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort': 
>>> >> > tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN 
>>> >> > tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN 
>>> >> > tcp6       0      0 ::1:25                  :::*                    LISTEN 
>>> >> > tcp6       0      0 :::21                   :::*                    LISTEN 
>>> >> > Previous output: 
>>> >> > ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort': 
>>> >> > tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN 
>>> >> > tcp        3      0 0.0.0.0:443             0.0.0.0:*               LISTEN 
>>> >> > tcp6       0      0 ::1:25                  :::*                    LISTEN 
>>> >> > tcp6       0      0 :::21                   :::*                    LISTEN 
>>> >> > 
>>> >> 
>>> >> Perhaps modify the script to be something like: 
>>> >> `netstat -tan | grep LISTEN |grep -v 127.0.0.1 | awk '{ print $1,$4,$5 }' | sort` 
>>> >> 
>>> >> > -- 
>>> >> > 
>>> >> > --- 
>>> >> > You received this message because you are subscribed to the Google 
>>> >> > Groups "ossec-list" group. 
>>> >> > To unsubscribe from this group and stop receiving emails from it, 
>>> >> > send an email to ossec-list+...@googlegroups.com. 
>>> >> > For more options, visit https://groups.google.com/d/optout. 
>>> > 
>>>
>>
>
>
>
> -- 
> *Yaniv Ron*
> +972-3-7298582
> *Security  Department | Viber S.a.r.l *| www.viber.com | yron@viber 
> <http://twitter.com/viber>.com
>  

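The false positive reported in this thread, and the effect of the `awk` change suggested in the reply, can be reproduced offline. This is an added example, not part of the original messages or of OSSEC itself: the snapshots are constructed from the alert quoted above, and the function names and the port 8080 listener are assumptions for illustration.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed, not OSSEC's.

# Original monitored pipeline (reading from stdin): whole lines, so the
# Recv-Q/Send-Q counters in columns 2-3 are part of what gets compared.
raw_listeners() {
    grep LISTEN | grep -v 127.0.0.1 | sort
}

# Suggested pipeline: keep protocol, local and foreign address only.
normalize_listeners() {
    grep LISTEN | grep -v 127.0.0.1 | awk '{ print $1,$4,$5 }' | sort
}

# Constructed snapshots based on the alert: only Recv-Q on :443 differs.
snapshot_previous() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        3      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
tcp6       0      0 :::21                   :::*                    LISTEN
EOF
}
snapshot_current() {
    snapshot_previous | sed 's/^\(tcp  *\)3 /\10 /'
}
# Hypothetical third snapshot: a listener on port 8080 really was opened.
snapshot_new_port() {
    snapshot_current
    echo 'tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN'
}

# snapshots_differ FILTER SNAP_A SNAP_B: exit 0 if the filtered outputs differ,
# which is the condition under which a diff-based rule would alert.
snapshots_differ() {
    [ "$("$2" | "$1")" != "$("$3" | "$1")" ]
}

report() {
    if snapshots_differ "$1" "$2" "$3"; then echo "$1: $2 -> $3: ALERT"
    else echo "$1: $2 -> $3: no change"; fi
}

report raw_listeners       snapshot_previous snapshot_current   # ALERT (queue noise)
report normalize_listeners snapshot_previous snapshot_current   # no change
report normalize_listeners snapshot_current  snapshot_new_port  # ALERT (real change)
```

Dropping the queue columns before `sort` also keeps the line order stable, since the raw output is otherwise reordered whenever Recv-Q changes.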