Atomic Secure Linux
It is currently Wed May 22, 2013 9:03 pm

All times are UTC - 5 hours [ DST ]

Post subject: Re: Listening ports status has changed
Posted: Fri Jun 29, 2012 3:11 pm
Atomicorp Staff - Site Admin (Joined: Thu Feb 07, 2008 7:49 pm; Posts: 3245; Location: Chantilly, VA)

Thanks, we've got enough data from .27 builds. We've changed the system completely in .28 and it works differently now. If you want to try .28, it's in testing now:

yum --enablerepo=asl-3.0-testing upgrade asl asl-web asl-waf-module

And you'll need to download the new ossec rules for this:

https://www.atomicorp.com/mike/50_asl_ossec_rules.xml

And put them in this directory:

/var/ossec/etc/rules.d/

Then restart ossec:

/etc/init.d/ossec-hids restart

The system will now report the application that's listening (which is what we really need), will ignore rpc, java, ldap and other services that don't reveal what process is holding the port open (and other services hidden by the kernel by portreserve), and will ignore the destination.

That's the only change in .28 as of right now, so if you want to try it, it shouldn't change anything else. Typical caveats apply: this is a testing build and has not been fully tested, so you should try it out on a test box first.

If you get a false positive from .28, please tar up your /var/ossec/queue/diff/<servername>/<integer> directory. We need that information to debug these.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: Listening ports status has changed
Posted: Tue Jul 03, 2012 4:51 pm
Forum Regular (Joined: Tue Nov 23, 2010 7:30 am; Posts: 247; Location: Glasgow, UK)

Updated to the stable .28 release and still getting alerts - the report does show a new "process" column though, so I'm presuming the update has come through OK.

Sending the report data now...


Post subject: Re: Listening ports status has changed
Posted: Tue Jul 03, 2012 5:52 pm
Atomicorp Staff - Site Admin (Joined: Thu Feb 07, 2008 7:49 pm; Posts: 3245; Location: Chantilly, VA)

You might be missing the updated OSSEC rules that go along with this release, so just run "asl -u" again.

OSSEC should restart on this, but just in case, do a force on it with this:

asl -s -f

/etc/init.d/ossec-hids

The command is totally different now; we don't use netstat anymore. So if you see an output like this:

ossec: output: 'netstat -nltp | grep LISTEN | egrep -v "127.0.0.1|\[1-9][0-9][0-9][0-9].*(ftp|-)" | awk -f /var/asl/lib/ports.awk':

You're missing the new rules. Just run "asl -u" to make sure your rules are up to date, and rekick ossec to make sure it's using the right config.

What you should see is this:

ossec: output: '/var/asl/bin/asl-port-check':

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: Listening ports status has changed
Posted: Wed Jul 04, 2012 3:51 am
Forum Regular (Joined: Tue Nov 23, 2010 7:30 am; Posts: 247; Location: Glasgow, UK)

Thanks - was a partial upgrade then.

Got the processes listed now.

Time to investigate them...


Post subject: Re: Listening ports status has changed
Posted: Thu Jul 05, 2012 2:20 pm
Forum Regular (Joined: Tue Jul 15, 2008 2:38 pm; Posts: 704; Location: Sweden)

The problem is back. I updated to the newest version this morning, and now I get notifications a few times an hour again.

Code:
OSSEC HIDS Notification.
2012 Jul 05 17:33:27

Received From: server7->/var/asl/bin/asl-port-check
Rule: 533 fired (level 7) -> "(null)"
Portion of the log(s):

ossec: output: '/var/asl/bin/asl-port-check':
Protocol    IP:port            Process Name
tcp        0.0.0.0:8443            httpsd
tcp        0.0.0.0:443            httpd
tcp        0.0.0.0:8445            tortixd
tcp        0.0.0.0:993            couriertcpd
tcp        0.0.0.0:10050            zabbix_agentd
tcp        0.0.0.0:3306            mysqld
tcp        0.0.0.0:106            xinetd
tcp        0.0.0.0:587            xinetd
tcp        0.0.0.0:110            couriertcpd
tcp        0.0.0.0:143            couriertcpd
tcp        0.0.0.0:30000            tortixd
tcp        0.0.0.0:8880            httpsd
tcp        0.0.0.0:80            httpd
tcp        0.0.0.0:465            xinetd
tcp        0.0.0.0:21            xinetd
tcp        0.0.0.0:22            sshd
tcp        0.0.0.0:25            xinetd
Previous output:



--END OF NOTIFICATION


Post subject: Re: Listening ports status has changed
Posted: Thu Jul 05, 2012 2:32 pm
Forum Regular (Joined: Tue Nov 23, 2010 7:30 am; Posts: 247; Location: Glasgow, UK)

Sorry, I should have posted too... I'm getting plenty of notifications now and I have submitted a report.

On mine, port 30000 keeps changing process from tortixd to others (sudo being one I can remember).

Anyone else got the same?


Post subject: Re: Listening ports status has changed
Posted: Thu Jul 05, 2012 4:30 pm
Forum Regular (Joined: Tue Jul 15, 2008 2:38 pm; Posts: 704; Location: Sweden)

Here is my yum.log:

Code:
Jul 03 20:58:35 Updated: 1:asl-3.0.28-1.el5.art.i386
Jul 03 20:58:36 Updated: 1:asl-waf-module-3.0.28-1.el5.art.i386
Jul 03 20:58:38 Updated: 1:asl-web-3.0.28-1.el5.art.i386
Jul 05 11:03:07 Updated: 1:asl-3.0.28-3.el5.art.i386
Jul 05 11:03:07 Updated: 1:asl-waf-module-3.0.28-3.el5.art.i386
Jul 05 11:03:09 Updated: 1:asl-web-3.0.28-3.el5.art.i386


After the 3.0.28-1 update the notifications disappeared. With the 3.0.28-3 update they came back...


Post subject: Re: Listening ports status has changed
Posted: Thu Jul 05, 2012 7:22 pm
Forum Regular (Joined: Sat Dec 11, 2004 2:33 pm; Posts: 195; Location: South Africa)

On my PLESK 10.4.4 server, I have enabled ID 533
Have not had any notifications for the past couple of days.

asl -v
ASL Version 3.0.28-3.el6.art: CentOS 6 (SUPPORTED)

On my new PLESK 11.0.9 #3 I have received a few
5 were 2 odd minutes apart and then a couple of hours 2:49 & 17:46
Those were the last two I have seen.

asl -v
ASL Version 3.0.28-3.el6.art: CentOS 6 (SUPPORTED)

Code:
ossec: output: `/var/asl/bin/asl-port-check`:
Protocol IP:port Process Name
tcp 0.0.0.0:3306 mysqld
tcp 197.221.32.35:80 nginx
tcp 197.221.32.34:80 nginx
tcp 0.0.0.0:9022 sshd
tcp :::993 couriertcpd
tcp :::995 couriertcpd
tcp :::7080 httpd
tcp :::7081 httpd
tcp :::106 xinetd
tcp :::110 couriertcpd
tcp :::143 couriertcpd
tcp :::30000 tortixd
tcp :::465 xinetd
tcp :::53 named
tcp :::21 xinetd
tcp :::25 xinetd
tcp :::9022 sshd
Previous output:

_________________
Mark Brindley
2Large Networks - Web solutions that work


Post subject: Re: Listening ports status has changed
Posted: Fri Jul 06, 2012 4:16 pm
Atomicorp Staff - Site Admin (Joined: Thu Feb 07, 2008 7:49 pm; Posts: 3245; Location: Chantilly, VA)

A new update is available to ASL. Please install it and see if that resolves this for you.

If, after installing the newest ASL (3.0.28-4), you experience a false positive, please do not post the OSSEC alert (that will not help us to help you); instead what we need is the contents (the actual files, not a listing of the files) of this directory:

/var/ossec/queue/diff/<yourservername>/<integer>

For example:

/var/ossec/queue/diff/www/533/

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: Listening ports status has changed
Posted: Fri Jul 06, 2012 5:46 pm
Forum Regular (Joined: Sat Dec 11, 2004 2:33 pm; Posts: 195; Location: South Africa)

@mikeshinn - Thanks I have installed the latest version, will report back in a few hours.

_________________
Mark Brindley
2Large Networks - Web solutions that work


Post subject: Re: Listening ports status has changed
Posted: Fri Jul 06, 2012 8:01 pm
Forum Regular (Joined: Sat Dec 11, 2004 2:33 pm; Posts: 195; Location: South Africa)

@mikeshinn,

Here are the last three from /var/ossec/queue/diff/sa5/533/ as requested.

-rw-r----- 1 ossec ossec 446 Jul 6 23:18 state.1341609531
ossec: output: '/var/asl/bin/asl-port-check':
Protocol IP:port Process Name
tcp 0.0.0.0:3306 mysqld
tcp 197.221.32.35:80 nginx
tcp 197.221.32.34:80 nginx
tcp 197.221.32.34:443 nginx
tcp 0.0.0.0:9022 sshd
tcp :::993 couriertcpd
tcp :::995 couriertcpd
tcp :::106 xinetd
tcp :::110 couriertcpd
tcp :::143 couriertcpd
tcp :::465 xinetd
tcp :::53 named
tcp :::21 xinetd
tcp :::25 xinetd
tcp :::9022 sshd^@

-rw-r----- 1 ossec ossec 488 Jul 6 23:18 state.1341609539
ossec: output: '/var/asl/bin/asl-port-check':
Protocol IP:port Process Name
tcp 0.0.0.0:3306 mysqld
tcp 197.221.32.35:80 nginx
tcp 197.221.32.34:80 nginx
tcp 197.221.32.34:443 nginx
tcp 0.0.0.0:9022 sshd
tcp :::993 couriertcpd
tcp :::995 couriertcpd
tcp :::7080 httpd
tcp :::7081 httpd
tcp :::106 xinetd
tcp :::110 couriertcpd
tcp :::143 couriertcpd
tcp :::465 xinetd
tcp :::53 named
tcp :::21 xinetd
tcp :::25 xinetd
tcp :::9022 sshd^@

-rw-r----- 1 ossec ossec 514 Jul 7 01:34 state.1341617655
ossec: output: '/var/asl/bin/asl-port-check':
Protocol IP:port Process Name
tcp 0.0.0.0:1763 clamd
tcp 0.0.0.0:3306 mysqld
tcp 197.221.32.35:80 nginx
tcp 197.221.32.34:80 nginx
tcp 197.221.32.34:443 nginx
tcp 0.0.0.0:9022 sshd
tcp :::993 couriertcpd
tcp :::995 couriertcpd
tcp :::7080 httpd
tcp :::7081 httpd
tcp :::106 xinetd
tcp :::110 couriertcpd
tcp :::143 couriertcpd
tcp :::465 xinetd
tcp :::53 named
tcp :::21 xinetd
tcp :::25 xinetd

_________________
Mark Brindley
2Large Networks - Web solutions that work
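To make it concrete what a diff-based check like rule 533 sees when it compares two of these state files, here is a small parser and snapshot differ. It is an added illustration, not ASL's or OSSEC's own code; the two snapshots are constructed to mirror the posted files (a clamd and an httpd listener appear, and port 30000 changes owner as reported earlier in the thread), and `ignore_ports` is a hypothetical operator-side suppression, not an ASL option.

```python
# Added example (not ASL's own code): parse two asl-port-check snapshots,
# like the state.* files above, and report what a diff-based check sees.

def parse_snapshot(text):
    """Map (proto, ip, port) -> process name from asl-port-check output.

    The 'ossec: output:' banner, the column header and the trailing NUL
    byte (rendered as ^@ in the pasted state files) are skipped.
    """
    listeners = {}
    for line in text.replace("\0", "").splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("tcp", "udp"):
            continue  # banner, header or blank line (udp accepted by assumption)
        proto, addr, proc = parts
        ip, _, port = addr.rpartition(":")  # ':::993' -> ('::', '993')
        listeners[(proto, ip, int(port))] = proc
    return listeners


def diff_snapshots(old, new, ignore_ports=frozenset()):
    """Return (added, removed, changed); any non-empty part is a 'change'.

    ignore_ports is a hypothetical suppression for ports whose owning
    process is known to flip between runs (e.g. 30000 in this thread).
    """
    keep = lambda k: k[2] not in ignore_ports
    added = {k: v for k, v in new.items() if k not in old and keep(k)}
    removed = {k: v for k, v in old.items() if k not in new and keep(k)}
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys()
               if old[k] != new[k] and keep(k)}
    return added, removed, changed


# Constructed snapshots modelled on the posted state files.
SNAP_1 = """ossec: output: '/var/asl/bin/asl-port-check':
Protocol IP:port Process Name
tcp 0.0.0.0:3306 mysqld
tcp 0.0.0.0:9022 sshd
tcp :::993 couriertcpd
tcp :::30000 tortixd
tcp :::25 xinetd\0"""

SNAP_2 = """ossec: output: '/var/asl/bin/asl-port-check':
Protocol IP:port Process Name
tcp 0.0.0.0:1763 clamd
tcp 0.0.0.0:3306 mysqld
tcp 0.0.0.0:9022 sshd
tcp :::993 couriertcpd
tcp :::7080 httpd
tcp :::30000 sudo
tcp :::25 xinetd"""

if __name__ == "__main__":
    added, removed, changed = diff_snapshots(parse_snapshot(SNAP_1), parse_snapshot(SNAP_2))
    for key, proc in added.items():
        print("new listener   %s %s:%d %s" % (key + (proc,)))
    for key, procs in changed.items():
        print("owner changed  %s %s:%d %s -> %s" % (key + procs))
```

Every short-lived listener (a scanner child, a spare web worker) and every port whose owner is resolved to a different PID on the next run produces a non-empty diff, which is why the alerts keep coming at the intervals people report above.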


Post subject: Re: Listening ports status has changed
Posted: Sat Jul 07, 2012 4:07 am
Forum Regular (Joined: Tue Nov 23, 2010 7:30 am; Posts: 247; Location: Glasgow, UK)

Updated to -4 and still showing alerts.

Will create a new report on the portal.


Post subject: Re: Listening ports status has changed
Posted: Sat Jul 07, 2012 8:24 am
Forum Regular (Joined: Sat Dec 11, 2004 2:33 pm; Posts: 195; Location: South Africa)

Update -

I have not had any notices in the logs over the last 12 hours.

_________________
Mark Brindley
2Large Networks - Web solutions that work


Post subject: Re: Listening ports status has changed
Posted: Mon Jul 09, 2012 6:58 pm
Forum Regular (Joined: Sat Dec 11, 2004 2:33 pm; Posts: 195; Location: South Africa)

kram wrote:
Update -

I have not had any notices in the logs over the last 12 hours.


Oops, they are back @ 2 + 10 min intervals

_________________
Mark Brindley
2Large Networks - Web solutions that work


Post subject: Re: Listening ports status has changed
Posted: Tue Jul 10, 2012 1:57 am
Forum Regular (Joined: Tue Jul 15, 2008 2:38 pm; Posts: 704; Location: Sweden)

I'm getting several every hour. I'm starting to think this check was released into production too quickly.


Last edited by biggles on Tue Jul 10, 2012 2:43 pm, edited 1 time in total.
