Check if the output changed

In this use case, we use the Linux netstat command together with the check_diff rule option to monitor the listening TCP sockets for changes. Then, we create rules that generate an alert whenever the netstat output for those sockets changes between two runs.


Linux endpoint

For this endpoint, we configure Wazuh to monitor the output of the Linux netstat command and alert when a change is detected.

Perform the following steps on the Linux endpoint.

  1. Install netstat on the Linux endpoint:

    $ sudo apt install net-tools

  2. Append the following configuration to the Wazuh agent /var/ossec/etc/ossec.conf file:

        <localfile>
          <log_format>full_command</log_format>
          <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
          <alias>netstat listening ports</alias>
        </localfile>


    • The full_command value of the <log_format> tag specifies the output of the command is read as multiple events.

    • The value of the <command> tag specifies the output of the command is read as a single event.

  3. Restart the Wazuh agent service to apply the changes:

    $ sudo systemctl restart wazuh-agent

Wazuh server

Wazuh has an out-of-the-box rule with ID 533 that generates an alert when there is a change in the netstat listening ports. The rule is defined below and is found in the Wazuh GitHub repository.

<rule id="533" level="7">
    <match>ossec: output: 'netstat listening ports</match>
    <check_diff />
    <description>Listened ports status (netstat) changed (new port opened or closed).</description>
</rule>

Test the configuration

We trigger a port change in the Linux endpoint by changing the default ssh port from 22 to 2021. Follow the steps below to simulate this.

  1. Edit the sshd_config file:

    # nano /etc/ssh/sshd_config

  2. Add port 2021 as the new ssh port:

    #Port 22
    Port 2021
    #AddressFamily any
    #ListenAddress ::

  3. Restart the ssh service:

    # systemctl restart ssh
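The following Python script is an added illustration, not part of the Wazuh documentation or the agent code. It reimplements what the sed | sort | sed pipeline in the agent configuration does to raw netstat output (drop the volatile Recv-Q, Send-Q and State columns, sort by port, discard the header lines) and shows the delta that check_diff would alert on after the ssh port change above. The netstat snapshots are constructed, and normalize, output_changed and diff_listeners are hypothetical names.

```python
import re

# Constructed sample of `netstat -tulpn` output before the sshd port change (not
# from a real host). Queue counters and line order vary between runs; that noise
# is what the normalization below strips, so check_diff does not alert on it.
NETSTAT_BEFORE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      812/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1034/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      1034/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           655/dhclient
"""

# Constructed sample after sshd moved to port 2021 (mysqld's Recv-Q also changed).
NETSTAT_AFTER = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2021            0.0.0.0:*               LISTEN      2210/sshd
tcp        5      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      812/mysqld
tcp6       0      0 :::2021                 :::*                    LISTEN      2210/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           655/dhclient
"""

# Mirrors the sed expression in the agent configuration: keep protocol, local
# address:port, foreign address and PID/program; drop Recv-Q, Send-Q and State.
LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+\d+\s+(?P<addr>.*):(?P<port>\d+)\s+"
    r"(?P<foreign>[0-9.:*]+).*?\s(?P<prog>\d*/[\w-]*)"
)

def normalize(netstat_output: str) -> list[str]:
    """One stable line per listener, sorted by port, like the sed | sort | sed pipeline.
    Lines that do not parse (the two headers) are dropped; the shell uses `sed 1,2d`."""
    entries = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            port = int(m["port"])
            entries.append((port, f"{m['proto']} {m['addr']}:{port} {m['foreign']} {m['prog']}"))
    return [text for _, text in sorted(entries)]

def output_changed(before: str, after: str) -> bool:
    """check_diff semantics: rule 533 fires only when the normalized text differs."""
    return normalize(before) != normalize(after)

def diff_listeners(before: str, after: str) -> dict[str, list[str]]:
    """Which normalized listener lines appeared or disappeared between two snapshots."""
    old, new = set(normalize(before)), set(normalize(after))
    return {"opened": sorted(new - old), "closed": sorted(old - new)}
```

Reordering the lines of a snapshot or changing a queue counter leaves the normalized output identical, which is why the agent pipeline strips those columns before check_diff compares runs.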

Visualize the alerts

Go to Modules > Security events tab on the Wazuh dashboard to visualize the alert showing the changes in the network.

Listened ports status (netstat) changed alert