Check if the output changed

In this use case, we use the Linux netstat command with the check_diff option to monitor for changes by listening to the network tcp sockets. Then, we create rules to generate alerts when there is a change in the tcp socket output.

Configuration

Linux endpoint

For this endpoint, we configure Wazuh to monitor the output of the Linux netstat command and alert when a change is detected.

Perform the following steps on the Linux endpoint.

  1. Install netstat on the Linux endpoint:

    $ sudo apt install net-tools

  2. Append the following configuration to the Wazuh agent /var/ossec/etc/ossec.conf file:

    <ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>
</ossec_config>

    Where:

    • The full_command value of the <log_format> tag specifies the output of the command is read as multiple events.

    • The value of the <command> tag specifies the output of the command is read as a single event.

  3. Restart the Wazuh agent service to apply the changes:

    $ sudo systemctl restart wazuh-agent

Wazuh server

Wazuh has an out-of-the-box rule with ID 533 that generates an alert when there is a change in the netstat listening ports. The rule is defined below and is found in the Wazuh GitHub repository.

<rule id="533" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat listening ports</match>
    <check_diff />
    <description>Listened ports status (netstat) changed (new port opened or closed).</description>
    <group>pci_dss_10.2.7,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AU.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

Test the configuration

We trigger a port change in the Linux endpoint by changing the default ssh port from 22 to 2021. Follow the steps below to simulate this.

  1. Edit the ssh_config file:

    # nano /etc/ssh/ssh_config

  2. Add port 2021 as the new ssh port:

    #Port 22
Port 2021
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

  3. Restart the ssh service:

    # systemctl restart ssh

Visualize the alerts

Go to Modules > Security events tab on the Wazuh dashboard to visualize the alert showing the changes in the network.

Listened ports status (netcat) changed alert