List: ossec-list
Subject: [ossec-list] Re: check_diff and netstat
From: Greg Hall <greg.hall400 () gmail ! com>
Date: 2014-08-27 21:44:47
Message-ID: 9dd6009c-6712-499e-b255-05cfca53988a () googlegroups ! com
thanks Michael
On Monday, August 25, 2014 11:41:56 AM UTC+12, Greg Hall wrote:
>
> Hi,
>
> I am getting inundated with netstat port change alerts:
>
> Rule: 533 fired (level 7) -> "Listened ports status (netstat) changed (new
> port opened or closed)."
>
> I understand check_diff compares the current netstat output against an
> entry in an internal database. This entry seems to get created with
> minimum ports open, so I keep getting alerts for valid new ports being
> opened. Is there some way to reduce this to eliminate the false positives?
> Can I update the internal database entry somehow?
>
>
> thanks, Greg.
>
--
---
You received this message because you are subscribed to the Google Groups \
"ossec-list" group. To unsubscribe from this group and stop receiving emails from it, \
send an email to ossec-list+unsubscribe@googlegroups.com. For more options, visit \
https://groups.google.com/d/optout.
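The mechanism the question describes is a baseline diff: the current netstat output is compared against a stored previous entry, and any difference fires the rule. The model below is an added example, not OSSEC's check_diff code, and makes two labelled assumptions: that the stored entry is replaced after every comparison, and that the netstat lines are in Linux `netstat -tan` format (the sample output is constructed). It shows why a baseline captured with few ports open alerts on every legitimately added port, and two ways a defender can deal with that: re-baselining the stored entry, or listing the ports that are expected to come and go so they do not count as a change.

```python
"""Toy model of a check_diff style listening-port monitor.

Added example for illustration; not OSSEC's implementation. The sample
netstat output below is constructed and assumes Linux `netstat -tan` layout.
"""

# Constructed sample: the state at the time the stored entry was first created
# (only sshd and a local MTA listening).
BASELINE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
"""

# Constructed sample: a later run after a web server was started and the MTA
# was stopped. The ESTABLISHED line is a client connection, not a listener.
CURRENT_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
"""


def listening_ports(netstat_output):
    """Return the set of (proto, address, port) tuples in LISTEN state."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        # Header, blank lines and non-TCP rows have no LISTEN state column.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # rpartition copes with IPv6 "::"
        ports.add((fields[0], addr, int(port)))
    return ports


class PortDiffMonitor:
    """Keeps the last seen port set per check name (standing in for the
    internal database entry) and reports what opened or closed since."""

    def __init__(self, expected_ports=frozenset()):
        # Ports that are allowed to appear or disappear without raising an alert.
        self.expected = set(expected_ports)
        self.store = {}  # check name -> last seen set of listening ports

    def rebaseline(self, name, netstat_output):
        """Overwrite the stored entry, accepting the current state as normal."""
        self.store[name] = listening_ports(netstat_output)

    def check(self, name, netstat_output):
        """Compare current output with the stored entry and return the diff."""
        current = listening_ports(netstat_output)
        previous = self.store.get(name)
        # Assumption of this model: the entry is replaced after every check,
        # so the next comparison is against this run's output.
        self.store[name] = current
        if previous is None:
            # First run only creates the entry; nothing to compare against yet.
            return {"first_run": True, "opened": set(), "closed": set(), "alert": False}
        opened = {p for p in current - previous if p[2] not in self.expected}
        closed = {p for p in previous - current if p[2] not in self.expected}
        return {
            "first_run": False,
            "opened": opened,
            "closed": closed,
            "alert": bool(opened or closed),
        }


if __name__ == "__main__":
    monitor = PortDiffMonitor()
    monitor.check("netstat", BASELINE_NETSTAT)           # creates the entry
    result = monitor.check("netstat", CURRENT_NETSTAT)   # fires: 80/443 opened, 25 closed
    print("alert:", result["alert"], "opened:", sorted(result["opened"]),
          "closed:", sorted(result["closed"]))

    # Same state again: nothing changed relative to the refreshed entry.
    print("alert on repeat:", monitor.check("netstat", CURRENT_NETSTAT)["alert"])
```

Running the script shows the first real comparison alerting on the two new web ports and the closed MTA port, and the repeat run staying quiet because the stored entry now reflects the current state. `rebaseline()` is the equivalent of updating the internal entry by hand, and `expected_ports` is the equivalent of telling the monitor which ports are allowed to change; both reduce noise, but the second keeps alerting on ports that were never declared, which is the behaviour a defender usually wants.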