As long as we're talking about fixing this, please add the IPv6 loopback address to the fix as well, i.e. the grep should be changed to:
grep -E -v '(127.0.0.1| ::1)' or egrep -v '(127.0.0.1| ::1)'
The latter looks cleaner. Note the space before the two colons is important to prevent removing entries containing regular IPv6 addresses that end with ::1. The IPv6 branch already has this.
I asked in the Google forum here: https://groups.google.com/forum/#!topic/ossec-list/2kcJlXDlSh0
I received an alert for a port change; however, there is no change, only a change in "Recv-Q".
OSSEC version: 2.8.1
OSSEC HIDS Notification.
2015 Jan 06 11:21:11
Received From: www->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
Rule: 533 fired (level 7) -> "Listened ports status (netstat) changed (new port opened or closed)."
Portion of the log(s):
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
tcp6 0 0 :::21 :::* LISTEN
Previous output:
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 3 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
tcp6 0 0 :::21 :::* LISTEN
Possible solution:
netstat -tan | grep LISTEN |grep -v 127.0.0.1 | awk '{ print $1,$4,$5}' | sort
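The false positive and the proposed fix, as an added example that is not part of the original thread or OSSEC's own code: it runs the two captures from the alert through a column projection like the one suggested above and shows that they compare equal once Recv-Q/Send-Q are dropped. The helper names `normalize_listeners` and `listeners_changed` are hypothetical, the input is the quoted alert output, and the loopback filter compares the parsed local address instead of using the grep pattern from the comment, which goes slightly beyond the thread.

```sh
#!/bin/sh
# Constructed input: the two netstat -tan captures quoted in the alert above.
# Only Recv-Q on the :443 listener differs (3 vs 0), which also flips sort order.
previous='tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 3 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
tcp6 0 0 :::21 :::* LISTEN'
current='tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
tcp6 0 0 :::21 :::* LISTEN'

# normalize_listeners (hypothetical helper): read netstat lines on stdin, keep
# LISTEN sockets that are not bound to loopback, and print only protocol,
# local address and foreign address so queue counters cannot affect the diff.
normalize_listeners() {
    awk '$6 == "LISTEN" {
        host = $4
        sub(/:[0-9*]+$/, "", host)           # drop the trailing :port
        if (host ~ /^127\./ || host == "::1") next
        print $1, $4, $5
    }' | LC_ALL=C sort
}

# listeners_changed (hypothetical helper): succeed only when the normalized
# listener sets of two captures differ.
listeners_changed() {
    before=$(printf '%s\n' "$1" | normalize_listeners)
    after=$(printf '%s\n' "$2" | normalize_listeners)
    [ "$before" != "$after" ]
}

if listeners_changed "$previous" "$current"; then
    echo "listening ports changed"
else
    echo "no change in listening ports"   # result for the two captures above
fi
```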