ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

Rule 533 false positives #2063

Open mdosch opened 2 years ago

mdosch commented 2 years ago

Dear ossec-hids maintainers,

thank you very much for this helpful program. I have been using it since early 2020, but this weekend it started sending me email notifications about changed ports every few minutes (I redacted my SSH port, as I don't use the default port, to have less noise in the logs and want to keep it that way):

```text
Received From: mdosch->netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \\1)' | sort
Rule: 533 fired (level 7) -> "Listened ports status (netstat) changed (new port opened or closed)."
Portion of the log(s):

ossec: output: 'netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \\1)' | sort':
tcp        0      0 0.0.0.0:REDACTED            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4190            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8001            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8022            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:81              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN
tcp        0      0 5.181.50.75:465         0.0.0.0:*               LISTEN
tcp        0      0 5.181.50.75:5000        0.0.0.0:*               LISTEN
tcp        0      0 5.181.50.75:5222        0.0.0.0:*               LISTEN
tcp        0      0 5.181.50.75:5223        0.0.0.0:*               LISTEN
tcp        0      0 5.181.50.75:5269        0.0.0.0:*               LISTEN
tcp        0      0 5.181.50.75:5270        0.0.0.0:*
Previous output:
ossec: output: 'netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \\1)' | sort':
tcp        0      0 0.0.0.0:REDACTED         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LIST
```

I am using v3.7.0 on Debian Bullseye amd64.

Do you have any idea what could be causing this?
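For readers triaging an alert like the one above: rule 533 is a `check_diff` rule, so OSSEC stores the last output of the monitored `netstat` command and fires on any textual difference between the stored copy and the new output. The script below is an added example (it is not part of this issue or of OSSEC's own code) that reproduces that comparison next to a socket-level comparison, so you can paste the two alert bodies in and see whether a real listener opened or closed or only the text changed. The sample outputs, the `192.0.2.10` documentation address and the function names are all constructed for this example.

```python
"""Compare two snapshots of `netstat -tan | grep LISTEN` output the way a
check_diff rule does (any text change fires) and the way a reviewer would
(which (proto, address, port) listeners actually opened or closed).

Added example; not OSSEC project code. All sample data is constructed."""
import re

# One netstat socket row: proto, recv-q, send-q, local, remote, optional state.
# The state column is optional so a truncated last line still parses.
NETSTAT_LINE = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$"
)


def parse_listeners(output):
    """Return the set of (proto, local address, port) tuples in the output.

    Non-socket lines, such as the "ossec: output: ..." header that the alert
    carries, are ignored."""
    sockets = set()
    for line in output.splitlines():
        match = NETSTAT_LINE.match(line.strip())
        if not match:
            continue
        proto, local, _remote, _state = match.groups()
        addr, _, port = local.rpartition(":")  # handles IPv6 forms like :::80
        sockets.add((proto, addr, int(port)))
    return sockets


def raw_changed(previous, current):
    """What check_diff evaluates: is the stored text different at all?"""
    return previous.strip() != current.strip()


def socket_diff(previous, current):
    """Listeners present in only one of the two snapshots."""
    prev, cur = parse_listeners(previous), parse_listeners(current)
    return {"opened": sorted(cur - prev), "closed": sorted(prev - cur)}


# Constructed sample snapshots (not the output from the issue).
HEADER = "ossec: output: 'netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \\\\1)' | sort':\n"

PREVIOUS = HEADER + (
    "tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN\n"
    "tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN\n"
    "tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN\n"
    "tcp        0      0 192.0.2.10:465          0.0.0.0:*               LISTEN\n"
    "tcp        0      0 192.0.2.10:5222         0.0.0.0:*               LISTEN\n"
)

# Same listeners, different column padding: check_diff fires, nothing changed.
CURRENT_SAME_SOCKETS = HEADER + (
    "tcp        0      0 0.0.0.0:143        0.0.0.0:*        LISTEN\n"
    "tcp        0      0 0.0.0.0:443        0.0.0.0:*        LISTEN\n"
    "tcp        0      0 0.0.0.0:80         0.0.0.0:*        LISTEN\n"
    "tcp        0      0 192.0.2.10:465     0.0.0.0:*        LISTEN\n"
    "tcp        0      0 192.0.2.10:5222    0.0.0.0:*        LISTEN\n"
)

# A new port on 0.0.0.0 plus a truncated last line (state column missing),
# as happens when the alert body is cut off.
CURRENT_NEW_PORT = PREVIOUS + (
    "tcp        0      0 0.0.0.0:8001            0.0.0.0:*               LISTEN\n"
    "tcp        0      0 192.0.2.10:5270         0.0.0.0:*"
)


if __name__ == "__main__":
    for name, snapshot in (("padding only", CURRENT_SAME_SOCKETS),
                           ("new port", CURRENT_NEW_PORT)):
        print(name, "check_diff fires:", raw_changed(PREVIOUS, snapshot))
        print(name, "socket diff:", socket_diff(PREVIOUS, snapshot))
```

Run it as-is to see both cases, or replace `PREVIOUS` and the current snapshot with the "Previous output" and "Portion of the log(s)" sections of a real alert. When `raw_changed` is true but `socket_diff` reports nothing opened or closed, the alert reflects a formatting change in the command output rather than a change in listening sockets; when `socket_diff` lists a port you do not recognise, that is the one to investigate.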

ricokritzer commented 1 year ago

Same problem on macOS 12+ https://github.com/wazuh/wazuh/issues/14975