assp-user Mailing List for Anti-Spam SMTP Proxy Server

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hi.

I am using Wazuh (ossec fork) as an HIDS on a machine running ASSP.

It has a rule where it will monitor open ports.  A couple of the assp 
udp ports change.  The output looks like this:

Rule: 533 fired (level 7) -> "Listened ports status (netstat) changed (new port opened or closed)."
Portion of the log(s):

ossec: output: 'netstat listening ports':
tcp 0.0.0.0:22 0.0.0.0:* 863/sshd
tcp6 :::22 :::* 863/sshd
tcp 0.0.0.0:25 0.0.0.0:* 2305/perl
udp 0.0.0.0:123 0.0.0.0:* 1658/ntpd
udp 127.0.0.1:123 0.0.0.0:* 1658/ntpd
udp 192.168.90.10:123 0.0.0.0:* 1658/ntpd
udp6 ::1:123 :::* 1658/ntpd
udp6 :::123 :::* 1658/ntpd
tcp 0.0.0.0:125 0.0.0.0:* 1621/master
tcp 0.0.0.0:465 0.0.0.0:* 2305/perl
tcp 0.0.0.0:2525 0.0.0.0:* 2305/perl
tcp 127.0.0.1:3306 0.0.0.0:* 1258/mysqld
udp 0.0.0.0:42540 0.0.0.0:* 2305/perl
*udp 0.0.0.0:47142 0.0.0.0:* 2305/perl*
*udp 0.0.0.0:49514 0.0.0.0:* 2305/perl*
udp 0.0.0.0:49534 0.0.0.0:* 2305/perl
udp 0.0.0.0:54808 0.0.0.0:* 2305/perl
tcp 0.0.0.0:55553 0.0.0.0:* 2305/perl

another time it looks like:

Rule: 533 fired (level 7) -> "Listened ports status (netstat) changed (new port opened or closed)."
Portion of the log(s):

ossec: output: 'netstat listening ports':
tcp 0.0.0.0:22 0.0.0.0:* 863/sshd
tcp6 :::22 :::* 863/sshd
tcp 0.0.0.0:25 0.0.0.0:* 2305/perl
udp 0.0.0.0:123 0.0.0.0:* 1658/ntpd
udp 127.0.0.1:123 0.0.0.0:* 1658/ntpd
udp 192.168.90.10:123 0.0.0.0:* 1658/ntpd
udp6 ::1:123 :::* 1658/ntpd
udp6 :::123 :::* 1658/ntpd
tcp 0.0.0.0:125 0.0.0.0:* 1621/master
tcp 0.0.0.0:465 0.0.0.0:* 2305/perl
tcp 0.0.0.0:2525 0.0.0.0:* 2305/perl
tcp 127.0.0.1:3306 0.0.0.0:* 1258/mysqld
*udp 0.0.0.0:42139 0.0.0.0:* 2305/perl*
udp 0.0.0.0:42540 0.0.0.0:* 2305/perl
udp 0.0.0.0:49534 0.0.0.0:* 2305/perl
*udp 0.0.0.0:52302 0.0.0.0:* 2305/perl*
udp 0.0.0.0:54808 0.0.0.0:* 2305/perl
tcp 0.0.0.0:55553 0.0.0.0:* 2305/perl
tcp 0.0.0.0:55555 0.0.0.0:* 2305/perl

Is there anyway to keep a static list of UDP ports so it doesn't trigger a wazuh alert?

thanks,
Geoff

2002	Jan	Feb	Mar	Apr	May	Jun	Jul	Aug	Sep	Oct	Nov	Dec (7)
2003	Jan (26)	Feb (29)	Mar (27)	Apr (61)	May (179)	Jun (176)	Jul (243)	Aug (270)	Sep (147)	Oct (161)	Nov (110)	Dec (132)
2004	Jan (161)	Feb (114)	Mar (190)	Apr (79)	May (265)	Jun (269)	Jul (176)	Aug (159)	Sep (138)	Oct (45)	Nov (85)	Dec (80)
2005	Jan (145)	Feb (65)	Mar (49)	Apr (80)	May (136)	Jun (134)	Jul (408)	Aug (107)	Sep (75)	Oct (32)	Nov (42)	Dec (28)
2006	Jan (74)	Feb (134)	Mar (804)	Apr (984)	May (829)	Jun (427)	Jul (397)	Aug (745)	Sep (176)	Oct (564)	Nov (748)	Dec (1052)
2007	Jan (984)	Feb (678)	Mar (568)	Apr (434)	May (644)	Jun (396)	Jul (655)	Aug (693)	Sep (497)	Oct (411)	Nov (316)	Dec (310)
2008	Jan (192)	Feb (169)	Mar (141)	Apr (55)	May (143)	Jun (157)	Jul (136)	Aug (187)	Sep (131)	Oct (228)	Nov (227)	Dec (144)
2009	Jan (205)	Feb (211)	Mar (302)	Apr (186)	May (99)	Jun (127)	Jul (74)	Aug (18)	Sep (110)	Oct (61)	Nov (149)	Dec (186)
2010	Jan (108)	Feb (135)	Mar (85)	Apr (109)	May (115)	Jun (176)	Jul (81)	Aug (210)	Sep (76)	Oct (41)	Nov (69)	Dec (78)
2011	Jan (65)	Feb (48)	Mar (78)	Apr (34)	May (78)	Jun (92)	Jul (42)	Aug (40)	Sep (175)	Oct (26)	Nov (22)	Dec (15)
2012	Jan (20)	Feb (24)	Mar (20)	Apr (13)	May (29)	Jun (22)	Jul (12)	Aug (14)	Sep (22)	Oct (51)	Nov (74)	Dec (45)
2013	Jan (10)	Feb (40)	Mar (17)	Apr (59)	May (186)	Jun (67)	Jul (25)	Aug (51)	Sep (67)	Oct (47)	Nov (70)	Dec (39)
2014	Jan (41)	Feb (32)	Mar (67)	Apr (58)	May (89)	Jun (36)	Jul (59)	Aug (50)	Sep (86)	Oct (43)	Nov (43)	Dec (31)
2015	Jan (43)	Feb (40)	Mar (35)	Apr (23)	May (24)	Jun (45)	Jul (26)	Aug (38)	Sep (38)	Oct (17)	Nov (15)	Dec (21)
2016	Jan (28)	Feb (81)	Mar (157)	Apr (59)	May (9)	Jun (30)	Jul (77)	Aug (44)	Sep (64)	Oct (31)	Nov (26)	Dec (59)
2017	Jan (27)	Feb (56)	Mar (24)	Apr (14)	May (31)	Jun (35)	Jul (19)	Aug (7)	Sep (11)	Oct (2)	Nov (15)	Dec (22)
2018	Jan (13)	Feb (9)	Mar	Apr (4)	May (8)	Jun (11)	Jul (26)	Aug (14)	Sep (5)	Oct (2)	Nov (11)	Dec (7)
2019	Jan (5)	Feb (4)	Mar (5)	Apr (1)	May (7)	Jun (15)	Jul	Aug (4)	Sep	Oct (6)	Nov (20)	Dec (14)
2020	Jan (11)	Feb	Mar (32)	Apr (3)	May (14)	Jun (8)	Jul	Aug (9)	Sep (14)	Oct (5)	Nov (1)	Dec
2021	Jan (13)	Feb	Mar (6)	Apr (6)	May (18)	Jun (3)	Jul (7)	Aug (20)	Sep (20)	Oct (3)	Nov (5)	Dec
2022	Jan (7)	Feb (4)	Mar (7)	Apr (2)	May (1)	Jun	Jul	Aug (3)	Sep (4)	Oct (1)	Nov	Dec
2023	Jan (5)	Feb (2)	Mar	Apr (3)	May (3)	Jun (3)	Jul	Aug	Sep	Oct	Nov (2)	Dec
2024	Jan	Feb	Mar	Apr	May	Jun	Jul (3)	Aug (8)	Sep (2)	Oct (3)	Nov (7)	Dec (4)
2025	Jan (4)	Feb (5)	Mar	Apr (3)	May	Jun	Jul	Aug	Sep	Oct	Nov	Dec

S	M	T	W	T	F	S
	1 (1)	2 (1)	3	4 (2)	5 (3)	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26 (1)	27
28	29	30

assp-user Mailing List for Anti-Spam SMTP Proxy Server

Anti-Spam SMTP Proxy Server implements multiple spam filters

assp-user — General discussion for users of ASSP V1 and V2