Listening ports status has changed

biggles · **Posted:** Sat Jun 23, 2012 6:13 am

Rules are updated

Code:

Checking for updates..
  ASL version is current: 3.0.25                           [OK]
  APPINV rules are current: 201201041122                   [OK]
  CLAMAV rules are current: 201206220930                   [OK]
  GEOMAP rules are current: 201206220857                   [OK]
  MODSEC rules are current: 201206221252                   [OK]
  OSSEC rules are current: 201206211325                    [OK]

ASL version:

Code:

Jun 20 16:29:44 Updated: 1:asl-3.0.25-3.el5.art.i386
Jun 20 16:29:44 Updated: 1:asl-waf-module-3.0.25-3.el5.art.i386
Jun 20 16:29:46 Updated: 1:asl-web-3.0.25-3.el5.art.i386

Still get a few events every hour.

Event details attached.

biggles · **Posted:** Mon Jun 25, 2012 12:08 pm

I'm turning off noticifactions for this rule. The real alerts are hidden behind all the false positives.

biggles · **Posted:** Mon Jun 25, 2012 12:08 pm

I'm turning off noticifactions for this rule. The real alerts are hidden behind all the false positives.

mikeshinn · **Posted:** Mon Jun 25, 2012 6:26 pm

3.0.26 fixes this. Previous versions alerted on FTP daemon listeners on high ports.

biggles · **Posted:** Tue Jun 26, 2012 2:32 am

Testing...

biggles · **Posted:** Tue Jun 26, 2012 3:24 am

Still alerts...

Code:

OSSEC HIDS Notification.
2012 Jun 26 08:29:18

Received From: server7->netstat -nltp  | grep LISTEN | egrep -v "127.0.0.1|\[1-9][1-9][1-9][1-9].*ftp"  | awk '{print $1"\t"$4"\t"$5"\t"$6}'
Rule: 533 fired (level 7) -> "(null)"
Portion of the log(s):

ossec: output: 'netstat -nltp  | grep LISTEN | egrep -v "127.0.0.1|\[1-9][1-9][1-9][1-9].*ftp"  | awk '{print $1"\t"$4"\t"$5"\t"$6}'':
tcp   0.0.0.0:443   0.0.0.0:*   LISTEN
tcp   0.0.0.0:8443   0.0.0.0:*   LISTEN
tcp   0.0.0.0:8445   0.0.0.0:*   LISTEN
tcp   0.0.0.0:993   0.0.0.0:*   LISTEN
tcp   0.0.0.0:10050   0.0.0.0:*   LISTEN
tcp   0.0.0.0:995   0.0.0.0:*   LISTEN
tcp   0.0.0.0:3306   0.0.0.0:*   LISTEN
tcp   0.0.0.0:106   0.0.0.0:*   LISTEN
tcp   0.0.0.0:587   0.0.0.0:*   LISTEN
tcp   0.0.0.0:110   0.0.0.0:*   LISTEN
tcp   0.0.0.0:143   0.0.0.0:*   LISTEN
tcp   0.0.0.0:80   0.0.0.0:*   LISTEN
tcp   0.0.0.0:30000   0.0.0.0:*   LISTEN
tcp   0.0.0.0:8880   0.0.0.0:*   LISTEN
tcp   0.0.0.0:465   0.0.0.0:*   LISTEN
tcp   x.x.x.x:53   0.0.0.0:*   LISTEN
tcp   x.x.x.x:53   0.0.0.0:*   LISTEN
tcp   0.0.0.0:21   0.0.0.0:*   LISTEN
tcp   0.0.0.0:22   0.0.0.0:*   LISTEN

chrismcb · **Posted:** Tue Jun 26, 2012 10:13 am

Still happening for me too... might it be useful to know that I have changed the default SSH port?

Kalimari · **Posted:** Tue Jun 26, 2012 11:04 am

Started receiving occasional alerts again after three days with none reported. Have not altered any ports/settings other than asl -u

mikeshinn · **Posted:** Tue Jun 26, 2012 1:10 pm

Make sure you have the latest version of 3.0.26, which is -3. Run these commands to upgrade:

yum clean all

yum -y upgrade asl asl-web gradm ossec-hids asl-waf-module

asl -s -f

asl -u

Kalimari · **Posted:** Tue Jun 26, 2012 2:12 pm

Ran the -3 update as indicated, first alert I receive contains:

Code:

ossec: output: `netstat -nltp | grep LISTEN | egrep -v "127.0.0.1|/[1-9][0-9][0-9][0-9].*ftp" | awk -f /var/asl/lib/ports.awk`:

I'll see if it calms down over the next few hours. It had previously disappeared for the past 2-3 days.

biggles · **Posted:** Tue Jun 26, 2012 2:15 pm

Updated again- Now running -3. No errors so far...

biggles · **Posted:** Tue Jun 26, 2012 3:23 pm

Got another alert, just 2 minutes after I updated

Code:

OSSEC HIDS Notification.
2012 Jun 26 20:11:08

Received From: server7->netstat -nltp  | grep LISTEN | egrep -v "127.0.0.1|\[1-9][0-9][0-9][0-9].*ftp"  | awk -f /var/asl/lib/ports.awk
Rule: 533 fired (level 7) -> "(null)"
Portion of the log(s):

ossec: output: 'netstat -nltp  | grep LISTEN | egrep -v "127.0.0.1|\[1-9][0-9][0-9][0-9].*ftp"  | awk -f /var/asl/lib/ports.awk':
Protocol   IP:port      Destination
tcp      0.0.0.0:443      0.0.0.0:*
tcp      0.0.0.0:8443      0.0.0.0:*
tcp      0.0.0.0:8445      0.0.0.0:*
tcp      0.0.0.0:993      0.0.0.0:*
tcp      0.0.0.0:10050      0.0.0.0:*
tcp      0.0.0.0:995      0.0.0.0:*
tcp      0.0.0.0:3306      0.0.0.0:*
tcp      0.0.0.0:106      0.0.0.0:*
tcp      0.0.0.0:587      0.0.0.0:*
tcp      0.0.0.0:110      0.0.0.0:*
tcp      0.0.0.0:143      0.0.0.0:*
tcp      0.0.0.0:30000      0.0.0.0:*
tcp      0.0.0.0:80      0.0.0.0:*
tcp      0.0.0.0:8880      0.0.0.0:*
tcp      0.0.0.0:465      0.0.0.0:*
tcp      x.x.x.x:53      0.0.0.0:*
tcp      x.x.x.y:53      0.0.0.0:*
tcp      0.0.0.0:21      0.0.0.0:*



 --END OF NOTIFICATION

mikeshinn · **Posted:** Tue Jun 26, 2012 4:34 pm

You should get an initial alert, the ports recorded did change (before it was more, now its less). Now with that said, do you have anything besides FTP that would be opening random listeners, like a Java application server for example?

If just FTP, let it settle down for a moment and let me know if it happens again. If it does please tar up this directory:

/var/ossec/queue/diff/<your servers name>/<an integer>

For example:

/var/ossec/queue/diff/asl-modsec-test/533/

Tar that up and send it to support.

chrismcb · **Posted:** Wed Jun 27, 2012 4:13 am

Still happening for me... sending state changes through support portal.

biggles · **Posted:** Wed Jun 27, 2012 4:49 am

So am I. I have also sent the changes to support portal, case id 15939

Listening ports status has changed

Who is online