
Rule 533 false positives #2063

Open
mdosch opened this issue Sep 19, 2022 · 1 comment

mdosch commented Sep 19, 2022

Dear ossec-hids maintainers,

Thank you very much for this helpful program. I have been using it since early 2020, but this weekend it started sending me email notifications about changed ports every few minutes (I redacted my SSH port, as I don't use the default, to have less noise in the logs, and I want to keep it that way):

Received From: mdosch->netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \\1)' | sort
Rule: 533 fired (level 7) -> "Listened ports status (netstat) changed (new port opened or closed)."
Portion of the log(s):

ossec: output: 'netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \\1)' | sort':
tcp        0      0 0.0.0.0:REDACTED            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4190            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8001            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8022            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:81              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN
tcp        0      0 5.181.50.75:465         0.0.0.0:*               LISTEN
tcp        0      0 5.181.50.75:5000        0.0.0.0:*               LISTEN
tcp        0      0 5.181.50.75:5222        0.0.0.0:*               LISTEN
tcp        0      0 5.181.50.75:5223        0.0.0.0:*               LISTEN
tcp        0      0 5.181.50.75:5269        0.0.0.0:*               LISTEN
tcp        0      0 5.181.50.75:5270        0.0.0.0:*
Previous output:
ossec: output: 'netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \\1)' | sort':
tcp        0      0 0.0.0.0:REDACTED         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LIST

I am using v3.7.0 on Debian Bullseye amd64.

Do you have any idea what could be causing this?
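Rule 533 fires whenever the captured netstat output differs from the previous capture. Both captures quoted above end mid-line, so a structured comparison that parses each LISTEN record and flags a cut-off trailing line is one way to tell a real port change from an incomplete capture. The following is an added illustration, not ossec-hids code; the sample captures and the assumption that the cut-off output is what triggers the diff are constructed here.

```python
import re

# One complete "netstat -tan" LISTEN record: proto, recv-q, send-q, local addr:port,
# foreign addr, state. A record that lacks the final LISTEN token is incomplete.
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s*$")


def parse_listeners(output):
    """Return (set of (proto, addr, port), truncated) from a captured netstat output.

    A last line that starts a record but never reaches the LISTEN token is treated
    as a cut-off capture rather than as a changed socket (assumption for this example).
    """
    sockets = set()
    truncated = False
    lines = [ln for ln in output.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        m = LINE_RE.match(line)
        if m:
            sockets.add((m.group(1), m.group(2), int(m.group(3))))
        elif i == len(lines) - 1 and line.startswith("tcp"):
            truncated = True
        # Anything else (e.g. the "ossec: output: ..." header) is ignored.
    return sockets, truncated


def diff_listeners(previous, current):
    """Structured diff of two captures: which sockets opened/closed, and whether
    either capture was cut off so that the result should not be alerted on."""
    prev, prev_trunc = parse_listeners(previous)
    cur, cur_trunc = parse_listeners(current)
    return {
        "opened": sorted(cur - prev),
        "closed": sorted(prev - cur),
        "unreliable": prev_trunc or cur_trunc,
    }


# Constructed sample captures modelled on the issue's output (addresses are examples).
PREVIOUS = """ossec: output: 'netstat -tan |grep LISTEN | sort':
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LIST
"""
CURRENT = """ossec: output: 'netstat -tan |grep LISTEN | sort':
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8001            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:5222         0.0.0.0:*
"""

if __name__ == "__main__":
    print(diff_listeners(PREVIOUS, CURRENT))
```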

@ricokritzer

Same problem at macOS 12+
wazuh/wazuh#14975
