Hello,

I updated ASL + OSSEC this morning and now I am getting flooded by this message in the ASL Log (every 5 odd sec)
xxx.xxx.xxx.xxx = server ip.

ossec: output: `netstat -ultn |grep -v 127.0.0.1`:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 xxx.xxx.xxx.xxx:53 0.0.0.0:* LISTEN
tcp 0 0 xxx.xxx.xxx.xxx:53 0.0.0.0:* LISTEN
tcp 0 0 xxx.xxx.xxx.xxx:53 0.0.0.0:* LISTEN
tcp 0 0 xxx.xxx.xxx.xxx:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:12443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:9022 0.0.0.0:* LISTEN
tcp 0 0 :::993 :::* LISTEN
tcp 0 0 :::995 :::* LISTEN
tcp 0 0 :::106 :::* LISTEN
tcp 0 0 :::587 :::* LISTEN
tcp 0 0 :::110 :::* LISTEN
tcp
Previous output:
ossec: output: `netstat -ultn |grep -v 127.0.0.1`:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State

info:

ASL Version 3.0.25: CentOS 6 (SUPPORTED
ossec-hids-server-2.6-14.el6.art.x86_64
ossec-hids-2.6-14.el6.art.x86_64

I just started reporting the same. Came with the latest update.

Just came to report same issue. Slightly different ports/services though.

Yeah, slightly different ports for me as well. Strnage thing is that another server, that I upgraded first, does not report any incidents...

Just checked on my new server it is running ASL 3.0.24

Looking through the yum log I see ossec updates was applied yesterday.

Jun 19 12:53:25 Updated: ossec-hids-2.6-13.el6.art.x86_64
Jun 19 12:53:29 Updated: ossec-hids-server-2.6-13.el6.art.x86_64
Jun 19 19:11:32 Updated: ossec-hids-2.6-14.el6.art.x86_64
Jun 19 19:11:35 Updated: ossec-hids-server-2.6-14.el6.art.x86_64

ASL Log

ossec: output: `netstat -ultn |grep -v 127.0.0.1`:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 xxx.xxx.xxx.xxx:80 0.0.0.0:* LISTEN
tcp 0 0 xxx.xxx.xxx.xxx:80 0.0.0.0:* LISTEN
tcp 0 0 xxx.xxx.xxx.xxx:53 0.0.0.0:* LISTEN
tcp 0 0 xxx.xxx.xxx.xxx:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 xxx.xxx.xxx.xxx:443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:12443 0.0.0.0:* LISTEN
tcp 0 0 :::993 :::* LISTEN
tcp 0 0 :::995 :::* LISTEN
tcp 0 0 :::7080 :::* LISTEN
tcp 0 0 :::7081 :::* LISTEN
tcp
Previous output:
ossec: output: `netstat -ultn |grep -v 127.0.0.1`:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State

Exact same for me - dozens of reports since the update this morning.

I've submitted it as a "false positive" (don't know if it would come under that though!) - no response yet.

Lucky you. I turned of the reporting when it reached 2k+ reports...

There is an update out now. Testing...

Update now available from ASL - just had my ticket updated and applying the update now.

chris: beat you to it

Haha... well it has happened again a few times after the update - hopefully just clearing itself out.

Seems to be working for me. No more reports from here (yea, I have re-enabled logging.. )

Ran the update - enabled logging

Still Getting tons of reports

Back for me as well. Not the same high frequency though...

Hi,

Just ran the latest update & the "problem" persists.

asl-3.0.25-3.el6.art.x86_64.rpm
asl-waf-module-3.0.25-3.el6.art.x86_64.rpm
asl-web-3.0.25-3.el6.art.x86_64.rpm