I have been using OSSEC on a couple of my servers for several years now. I recently updated one of them to Ubuntu 14.04 server edition and found that the agent running on that machine was no longer communicating with the server. I took this as an opportunity to upgrade both machines from version 2.6 to 2.8, and I am running into a new issue that I am not sure how to handle.
I am getting repeated alerts about the netstat command detecting new open ports. Specifically, I am getting the report shown below:

> ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
> tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN
> tcp 0 0 172.16.10.3:53 0.0.0.0:* LISTEN
> tcp 0 0 192.168.0.49:53 0.0.0.0:* LISTEN
> tcp 0 0 192.168.0.49:647 0.0.0.0:* LISTEN
> tcp6 0 0 :::139 :::* LISTEN
> tcp6 0 0 ::1:783 :::*
>
> Previous output:
> ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
> tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN

According to my interpretation of this output, it is trying to tell me that when the initial scan was run, the only ports with applications listening on them were 110 and 139. I know, however, that this is incorrect, because the system was up and active and had all of these other processes running (they are not routinely terminated), and some of them were even actively connected to at the time, such as port 22 for SSH. This same message repeats periodically, claiming that the same two ports were open in the previous reading and that all the ports are currently open. It never seems to update or correct itself. I tried stopping OSSEC, going into the /var/ossec/queue directory and deleting everything (there were only two files), and restarting it. This seemed to silence the alert for several hours, and then it started again. I like the idea of the feature and would like to correct it rather than disable it (if that is even possible), but the repeated erroneous alerts are seriously annoying.
Does anyone have a suggestion as to why this feature does not appear to be working correctly and how to fix it?
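Added example (not code from the original post, and not OSSEC's own implementation): a small POSIX shell script that reproduces, outside the agent, the kind of comparison the full_command check makes between the previous and current output of the netstat pipeline, so a baseline can be captured and verified by hand before trusting the alert. The two captures below are constructed samples modelled on the alert quoted above; the script assumes the standard netstat -tan column layout (the local address is the fourth field). One check it adds that the pipeline in the post does not: the `grep -v 127.0.0.1` filter leaves the IPv6 loopback alone, which is why a `::1:783` line shows up in the alert, so the script drops `::1` as well.

```shell
#!/bin/sh
# Added example: diff two captures of the LISTEN socket list the way the
# OSSEC full_command check compares previous and current output. Not from
# the original post and not OSSEC code; sample captures are constructed.

# Constructed sample captures, modelled on the post's alert. PREVIOUS mirrors
# the "Previous output" block; CURRENT is a fuller listing.
PREVIOUS='tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN'

CURRENT='tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 192.168.0.49:53 0.0.0.0:* LISTEN
tcp6 0 0 ::1:783 :::* LISTEN
tcp6 0 0 :::139 :::* LISTEN'

# Reduce raw "netstat -tan" output to one sorted "localaddr:port" per line,
# keeping only LISTEN sockets and dropping both IPv4 and IPv6 loopback.
# (Assumes the usual column order: Proto Recv-Q Send-Q Local Foreign State.)
normalize() {
    printf '%s\n' "$1" \
        | awk '$NF == "LISTEN" { print $4 }' \
        | grep -v -e '^127\.0\.0\.1:' -e '^::1:' \
        | sort
}

# compare FLAG PREVIOUS CURRENT: normalize both captures into temp files and
# let comm(1) select one side. -13 keeps lines only in CURRENT, -23 keeps
# lines only in PREVIOUS.
compare() {
    a=$(mktemp) && b=$(mktemp) || return 1
    normalize "$2" > "$a"
    normalize "$3" > "$b"
    comm "$1" "$a" "$b"
    rm -f "$a" "$b"
}

# Sockets listening now that were absent from the previous capture.
opened_ports() { compare -13 "$1" "$2"; }

# Sockets in the previous capture that are no longer listening.
closed_ports() { compare -23 "$1" "$2"; }

# Human-readable summary of both directions.
report() {
    echo "opened since previous capture:"
    opened_ports "$1" "$2" | sed 's/^/  /'
    echo "closed since previous capture:"
    closed_ports "$1" "$2" | sed 's/^/  /'
}

# Run against the constructed samples when executed directly.
report "$PREVIOUS" "$CURRENT"
```

On a real host, `normalize "$(netstat -tan)" > ports.baseline` records a baseline that can later be handed to `opened_ports`/`closed_ports` alongside a fresh capture; if that hand-made comparison shows no change while the agent keeps reporting the two-line "previous output", the problem is in what the agent has stored as its previous result rather than in the host's port list.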