
List:       ossec-list
Subject:    [ossec-list] Re: check_diff and netstat
From:       Greg Hall <greg.hall400 () gmail ! com>
Date:       2014-08-27 21:44:47
Message-ID: 9dd6009c-6712-499e-b255-05cfca53988a () googlegroups ! com

thanks Michael

On Monday, August 25, 2014 11:41:56 AM UTC+12, Greg Hall wrote:
> 
> Hi,
> 
> I am getting inundated with netstat port change alerts:
> 
> Rule: 533 fired (level 7) -> "Listened ports status (netstat) changed (new 
> port opened or closed)."
> 
> I understand check_diff compares the current netstat output against an 
> entry in an internal database.  This entry seems to get created with 
> minimum ports open, so I keep getting alerts for valid new ports being 
> opened. Is there some way to reduce this to eliminate the false positives? 
> Can I update the internal database entry somehow?
> 
> 
> thanks, Greg.
> 

-- 

--- 
You received this message because you are subscribed to the Google Groups
"ossec-list" group. To unsubscribe from this group and stop receiving emails from it,
send an email to ossec-list+unsubscribe@googlegroups.com. For more options, visit
https://groups.google.com/d/optout.
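The quoted question describes rule 533's behaviour: check_diff keeps the last output of the netstat command (the stock ossec.conf uses `netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort` as a `full_command` localfile) and fires whenever the new output differs. The script below is an added example, not OSSEC code or anything posted in the thread. It models that comparison on constructed netstat lines to make two points concrete: the stored entry is replaced on every change, so there is nothing to "update" by hand, and filtering expected ports out of the command output (the equivalent of an extra `grep -v` in the `<command>`) silences the known ports while an unexpected listener still alerts. The first-run-is-silent and replace-on-change semantics are my reading of check_diff, stated here as an assumption.

```python
"""Model OSSEC's check_diff over netstat output, with an allow-list filter.

Added example, not OSSEC code. The port numbers and netstat lines are
constructed; the check_diff semantics (first run stores silently, later
runs alert on any difference and then replace the stored entry) are an
assumption about how rule 533 behaves, not something the thread confirms.
"""

# Constructed sample output in the shape of `netstat -tan | grep LISTEN`.
BASELINE = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

# Same host after a web deploy, plus one listener nobody asked for (4444).
AFTER_DEPLOY = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN
"""


def _listen_port(line):
    """Return the local port of a LISTEN line, or None for anything else."""
    fields = line.split()
    if len(fields) < 6 or fields[-1] != "LISTEN":
        return None
    # Local address is the 4th column; the port follows the last ':' so
    # IPv6 forms such as ':::443' parse the same way as '0.0.0.0:22'.
    return int(fields[3].rsplit(":", 1)[1])


def listen_ports(netstat_output):
    """Sorted list of listening ports found in the netstat output."""
    ports = {p for p in map(_listen_port, netstat_output.splitlines()) if p}
    return sorted(ports)


def filter_expected(netstat_output, expected_ports):
    """Drop LISTEN lines for ports we expect, before check_diff sees them.

    This is what an extra `grep -v` in the <command> would do: the allow
    list never reaches the stored entry, so opening those ports is not a
    change, while any other listener still produces a diff.
    """
    kept = []
    for line in netstat_output.splitlines():
        port = _listen_port(line)
        if port is not None and port in expected_ports:
            continue
        kept.append(line)
    return "\n".join(kept)


class CheckDiff:
    """Minimal model of check_diff: one stored entry per command."""

    def __init__(self):
        self.last = None  # the "internal database" entry from the question

    def run(self, output):
        """Return True when an alert would fire for this output."""
        if self.last is None:
            self.last = output  # assumed: first observation is stored silently
            return False
        changed = output != self.last
        self.last = output  # stored entry always moves to the latest output
        return changed


def simulate(outputs, expected_ports=frozenset()):
    """Feed successive command outputs through the model; one flag per run."""
    cd = CheckDiff()
    return [cd.run(filter_expected(o, expected_ports)) for o in outputs]


if __name__ == "__main__":
    runs = [BASELINE, AFTER_DEPLOY, AFTER_DEPLOY]
    print("ports after deploy:", listen_ports(AFTER_DEPLOY))
    print("no filter:        ", simulate(runs))
    print("allow 22/80/443:  ", simulate(runs, {22, 80, 443}))
    print("allow 4444 too:   ", simulate(runs, {22, 80, 443, 4444}))
```

With no filter the second run alerts and the third is quiet, because the stored entry has already been replaced by the new output. With ports 22, 80 and 443 filtered out the deploy still alerts, but only because of port 4444; add that to the allow list and nothing fires. The same effect in real OSSEC comes from narrowing the `<command>` pipeline in ossec.conf rather than from editing the stored entry.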

