RE: [ossec-list] full_command netstat and other output in alerts.log file

2014-01-23 Thread Devon J. Greene
All,

Following up with a Windows PowerShell version for this. You pass it the 
netstat -nao command and it will filter out the listening ports and return them 
in a list of tuples, e.g. [(protocol,ipaddress,port),(protocol,ipaddress,port)]. 
I can further expand on this to include the actual program name, but for now 
I'm good with just knowing what ports are listening.

Save as netstatParser.ps1 
param(
    [Parameter(ValueFromPipeline=$true,Position=0)] [string] $Data
)

# Capture the whole pipeline once: $input is an enumerator that can only be
# walked a single time, so the loop below iterates over the captured array.
$Data = @($input)
$ossec_out = "["

foreach ($line in $Data)
{
    # Matches netstat -nao rows such as "TCP  0.0.0.0:135  0.0.0.0:0  LISTENING  <pid>"
    if ($line -match "(TCP|UDP)\s+([^:]*):(\d+).*LISTENING")
    {
        $var = "($($matches[1]),$($matches[2]),$($matches[3])),"
        $ossec_out += $var
    }
}

$ossec_out += "]"
# Drop the comma left after the last tuple
$ossec_out = $ossec_out.replace(",]","]")
write-output $ossec_out


Example usage with full command:
Netstat -nao | .\parseNetstat.ps1

Output Example:
[(TCP,0.0.0.0,135),(TCP,0.0.0.0,445),(TCP,0.0.0.0,2701),(TCP,0.0.0.0,3389),(TCP,0.0.0.0,5985),(TCP,0.0.0.0,7561),(TCP,0.0.0.0,45329),(TCP,0.0.0.0,47001),(TCP,0.0.0.0,49152),(TCP,0.0.0.0,49153),(TCP,0.0.0.0,49154),(TCP,0.0.0.0,49177),(TCP,0.0.0.0,49178),(TCP,0.0.0.0,49183),(TCP,127.0.0.1,55578),(TCP,192.168.222.210,139)]

Again, thanks Kevin for the inspiration.

Devon J. Greene

PS: Pardon my cruddy PowerShell, it's not really my cup of tea, ha.


--

---
You received this message because you are subscribed to the Google Groups 
ossec-list group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.



CONFIDENTIALITY NOTICE: This electronic communication (email), including any 
attachments, is covered by the Electronic Communications Privacy Act, 18 U.S.C. 
§§2510 – 2521; is confidential; and may be legally privileged. If you are not 
the intended recipient, you are hereby notified that any retention, 
dissemination, distribution or copying of this electronic communication is 
strictly prohibited. Please reply to the sender that you received this message 
in error and then delete or otherwise destroy any and all copies of this 
electronic communication.



[ossec-list] full_command netstat and other output in alerts.log file

2014-01-17 Thread BP9906
The full output should be in a folder. I've seen it before, just don't recall 
where.



[ossec-list] full_command netstat and other output in alerts.log file

2014-01-16 Thread Marcin Liszka
Hello everybody,

I have a question. I need to monitor running services on OSSEC agents (OSSEC 
version 2.7.1). I found the problem in the OSSEC server that the output from 
full_command (the system command, for example netstat -ntlp or 
chkconfig) is truncated in the alerts.log file.

In alerts.log there is no full output from the netstat command and their 
previous state, so the administrator can't check what was changed in the system 
from the alert that arrived.

Is it possible to change it (alert body size or a similar 
variable)? Is there any solution to see the full information in alerts.log, 
like in the /var/ossec/diff/[hostname]/[rule_id]/ folder?

Thanks for any idea



Re: [ossec-list] full_command netstat and other output in alerts.log file

2014-01-16 Thread Kevin Kelly
This is what I am using: 

cat netstat_filter.sh

awk '$NF != "LISTEN" || $4 ~ /^127\.0\.0\./ { next } { n = split($4, wk, ":") } { in_use[wk[n]] = 1 } END { for ( port in in_use ) { printf("%d\n", port) } }' | sort -n | sed -e :a -e N -e 's/\n/ /' -e ta

netstat -tan | /netstat_filter.sh

22 25 80 111 443 662 10050 20031 45525

<localfile>
  <log_format>full_command</log_format>
  <command>netstat -tan | /netstat_filter.sh</command>
</localfile>


-- 
Kevin Kelly 
Director, Network Technology 
Whitman College 
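An added example in the same spirit as Kevin's filter (not his script and not part of OSSEC): it also handles IPv6 local addresses and the UDP rows of netstat -tuan, skips loopback on both address families, and emits a sorted, deduplicated proto/port list, so the output OSSEC diffs for full_command only changes when the set of listening sockets really changes. The netstat lines in SAMPLE are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not Kevin's netstat_filter.sh): normalise `netstat -tan` or
# `netstat -tuan` output into a stable "proto/port" list. OSSEC's full_command
# keeps the command output and alerts on diffs, so the output must be
# deterministic: same socket set in, byte-identical line out.

listening_ports() {
    # Reads netstat output on stdin; prints one line such as "tcp/22 tcp/80 udp/123"
    awk '
        # only tcp/udp rows (column 1 is tcp, tcp6, udp or udp6)
        $1 !~ /^(tcp|udp)6?$/ { next }
        # TCP sockets must be in LISTEN; UDP rows carry no state column at all
        $1 ~ /^tcp/ && $NF != "LISTEN" { next }
        {
            n = split($4, a, ":"); port = a[n]
            # local address is everything before the last ":" (so "::1:631" -> "::1")
            host = substr($4, 1, length($4) - length(port) - 1)
            # skip loopback on both families, as the original filter does for IPv4
            if (host ~ /^127\./ || host == "::1") next
            seen[substr($1, 1, 3) "/" port] = 1
        }
        END { for (k in seen) print k }
    ' | sort -t/ -k1,1 -k2,2n | paste -s -d ' ' -
}

# Constructed sample (not captured from a real host) covering IPv4, IPv6,
# loopback, an ESTABLISHED connection and UDP rows
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:443        0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.20:51234      ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp6       0      0 :::546                  :::*'

printf '%s\n' "$SAMPLE" | listening_ports
```

In an agent's ossec.conf the command line would be the same shape as Kevin's, with netstat -tuan piped into this script instead of netstat_filter.sh.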




RE: [ossec-list] full_command netstat and other output in alerts.log file

2014-01-16 Thread Devon J. Greene
Kevin,

I like your approach in keeping a filter on the host machine to specify the 
output expected (the listening ports) as opposed to trying to modify OSSEC 
itself. Not sure if we have a community filter like this for Windows, but I 
wouldn't mind writing a PowerShell version of this for Windows and posting it to 
the group.

Devon J. Greene



