You can use active response to verify an alert:

local_rules.xml

<!-- DEMOTE the netstat rule and make it STFU -->
<rule id="10" level="1">
  <match>ossec: output: 'netstat'</match>
  <options>no_email_alert</options>
  <description>Netstat Listening Ports Changed, verify</description>
</rule>
<!-- Escalate if we verify -->
<rule id="11" level="12">
  <decoded_as>ossec-ar-verify</decoded_as>
  <match>^netstat</match>
  <description>Netstat Verified Listening Ports Changed</description>
</rule>
ossec.conf

<command>
  <name>ossec-ar-verify-netstat</name>
  <executable>ossec-ar-verify-netstat.sh</executable>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <command>ossec-ar-verify-netstat</command>
  <location>local</location>
  <rules_id>10</rules_id>
</active-response>
<!-- OSSEC ActiveResponse to Verify Alerts -->
<decoder name="ossec-ar-verify">
  <program_name>ossec-ar-verify</program_name>
</decoder>

<!--
  Crontab Verify Sample:
  - Aug 30 16:33:13 puppet-03 ossec-ar-verify: crontab root control:puppet - puppet:2012-05-23T10:39:36 file:2012-08-30T14:33:13
-->
<decoder name="ossec-ar-verify-crontab">
  <parent>ossec-ar-verify</parent>
  <prematch>^crontab </prematch>
  <regex offset="after_prematch">^(\S+)</regex>
  <order>user</order>
</decoder>

<decoder name="ossec-ar-verify-file">
  <parent>ossec-ar-verify</parent>
  <prematch>^file </prematch>
  <regex offset="after_prematch">^(\S+)</regex>
  <order>action</order>
</decoder>

<decoder name="ossec-ar-verify-netstat">
  <parent>ossec-ar-verify</parent>
  <prematch>^netstat </prematch>
  <regex offset="after_prematch">^(\S+)</regex>
  <order>srcport</order>
</decoder>
Then have your script run netstat with your wrapper and compare it to the
previous run, though you’ll need to baseline it either via your config
management system or by looking at the OSSEC history in /var/ossec/queue/diff/,
though I don’t remember off-hand where those are stored. If there’s a new
port, then:
logger -t ossec-ar-verify netstat $PORT new/missing/whatever
And if there are no results, just don’t syslog anything. Really easy way to
abuse ActiveResponse to work for you.
--
Brad Lhotsky
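A sketch of the verify script the reply above relies on, added here as an example and not Brad's own script: it reduces two netstat listings to port/program pairs, drops the ports owned by the noisy program (vsftpd), compares the port sets, and emits one "netstat PORT new" or "netstat PORT missing" line per change under the ossec-ar-verify syslog tag, or nothing when they match. The excluded program name, the baseline file path, the --live flag and the sample netstat output are assumptions.

```sh
#!/bin/sh
# Hypothetical ossec-ar-verify-netstat.sh (added example, not the original script).
# Reduces two netstat listings to "port program" pairs, drops the excluded program
# (vsftpd data ports), and reports each changed port as one syslog line in the
# form the ossec-ar-verify-netstat decoder expects. No change means no log line.
EXCLUDE_PROG="${EXCLUDE_PROG:-vsftpd}"                   # assumed noisy program
BASELINE="${BASELINE:-/var/ossec/etc/netstat.baseline}"  # assumed baseline path
# Constructed "netstat -tulpn" samples, not real captures: the current set adds a
# vsftpd data port (noise) and a redis listener, and has lost ntpd.
SAMPLE_BASELINE='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 901/vsftpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 455/ntpd'
SAMPLE_CURRENT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd
tcp6 0 0 :::22 :::* LISTEN 812/sshd
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 901/vsftpd
tcp 0 0 10.0.0.5:51234 0.0.0.0:* LISTEN 902/vsftpd
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 3301/redis-server'
# stdin: netstat output -> stdout: sorted unique "PORT PROG" lines. The port is
# whatever follows the last ':' (so IPv6 works) and EXCLUDE_PROG rows are dropped.
listening_ports() {
    awk -v skip="$EXCLUDE_PROG" '$1 ~ /^(tcp|udp)/ {
        n = split($4, a, ":"); prog = $NF; sub(/^[0-9]*\//, "", prog)
        if (prog != skip) print a[n], prog }' | sort -u
}
# compare_ports "BASE_PAIRS" "CUR_PAIRS": one "netstat PORT new|missing" line per
# port present on only one side; empty output when the port sets match.
compare_ports() {
    base=$(printf '%s\n' "$1" | cut -d' ' -f1)
    cur=$(printf '%s\n' "$2" | cut -d' ' -f1)
    for p in $cur;  do printf '%s\n' "$base" | grep -qx "$p" || echo "netstat $p new"; done
    for p in $base; do printf '%s\n' "$cur"  | grep -qx "$p" || echo "netstat $p missing"; done
}
# verify_netstat "BASELINE_OUTPUT" "CURRENT_OUTPUT": prints the change lines, or
# with LIVE=1 sends each to syslog under the ossec-ar-verify tag for rule 11.
verify_netstat() {
    changes=$(compare_ports "$(printf '%s\n' "$1" | listening_ports)" \
                            "$(printf '%s\n' "$2" | listening_ports)")
    [ -n "$changes" ] || return 0            # nothing changed: stay silent
    printf '%s\n' "$changes" | while IFS= read -r line; do
        if [ "${LIVE:-0}" = 1 ]; then logger -t ossec-ar-verify "$line"; else echo "$line"; fi
    done
}
# Live run (assumed convention: the active-response command passes --live).
if [ "${1:-}" = "--live" ] && [ -r "$BASELINE" ]; then
    LIVE=1 verify_netstat "$(cat "$BASELINE")" "$(netstat -tulpn 2>/dev/null)"
fi
```

Without --live the functions only run against the constructed samples, which is a convenient way to check the decoder and rule 11 before wiring the script into ossec.conf.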
On 10 Feb 2014 at 04:49:35, scoobydooxp (ajprow...@gmail.com) wrote:
I'd really like to run the netstat check on our FTP server. Whenever an FTP
Data connection opens on a random high port, OSSEC alerts about netstat
changing. Is there a way to run a custom netstat wrapper? I wrote a netstat
wrapper that uses -p to exclude vsftpd high ports but OSSEC does not seem to
like the command. Any tips please?
Thanks in advance,
Scooby
--
---
You received this message because you are subscribed to the Google Groups
ossec-list group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.