Check if the output changed

In this use case, we use the Linux netstat command together with the check_diff rule option to monitor the listening TCP sockets for changes. We then create rules that generate an alert whenever the netstat socket listing differs from the previously recorded output.

Configuration

Linux endpoint

For this endpoint, we configure ThreatLockDown to periodically run the Linux netstat command, record its output, and alert when that output changes.

Perform the following steps on the Linux endpoint.

  1. Install netstat on the Linux endpoint:

    $ sudo apt install net-tools
    
  2. Append the following configuration to the ThreatLockDown agent /var/ossec/etc/ossec.conf file:

    <ossec_config>
      <localfile>
        <log_format>full_command</log_format>
        <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
        <alias>netstat listening ports</alias>
        <frequency>360</frequency>
      </localfile>
    </ossec_config>
    

    Where:

    • The full_command value of the <log_format> tag specifies that the whole output of the command is read as a single event, which is what lets check_diff compare one run with the next.

    • The value of the <command> tag specifies the command to run. The netstat output is piped through sed and sort so that only the protocol, local address:port, foreign address and PID/program name remain, sorted by port number, with the two header lines removed. This normalization keeps the output stable between runs, so only a real change in listening sockets produces a diff.

    • The value of the <frequency> tag specifies, in seconds, how often the command runs.

  3. Restart the ThreatLockDown agent service to apply the changes:

    $ sudo systemctl restart wazuh-agent
    

ThreatLockDown server

ThreatLockDown has an out-of-the-box rule with ID 533 that generates an alert when there is a change in the netstat listening ports. The rule is defined below and is found in the ThreatLockDown GitHub repository.

<rule id="533" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat listening ports</match>
    <check_diff />
    <description>Listened ports status (netstat) changed (new port opened or closed).</description>
    <group>pci_dss_10.2.7,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AU.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
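To show what the normalization in the <command> tag produces and what rule 533's check_diff reacts to, the following is an added Python emulation (not ThreatLockDown code). It assumes a constructed netstat -tulpn sample in which sshd moves from port 22 to 2021, the change made in the test below.

```python
import re

# Constructed sample of `netstat -tulpn` output, before the sshd port change.
BEFORE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      640/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           455/dhclient
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
"""
# Same host after sshd moved from port 22 to 2021 (constructed).
AFTER = BEFORE.replace("0.0.0.0:22 ", "0.0.0.0:2021").replace(":::22 ", ":::2021")

# Same fields the sed expression captures: proto, recv/send queues (dropped),
# local address and port, foreign address, optional state, PID/program.
NETSTAT_LINE = re.compile(
    r"^(?P<proto>[a-z0-9]+)\s+\d+\s+\d+\s+(?P<local>\S+):(?P<port>\d+)\s+"
    r"(?P<foreign>[0-9.:*]+)\s+(?:\S+\s+)?(?P<prog>\d*/[\w-]*)"
)


def normalize(netstat_output: str) -> list[str]:
    """Reproduce the pipeline in the <command> tag: one line per socket as
    'proto local:port foreign pid/program', sorted numerically by port, with
    the header lines dropped (they do not match the pattern)."""
    rows = []
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            text = f"{m['proto']} {m['local']}:{m['port']} {m['foreign']} {m['prog']}"
            rows.append((int(m["port"]), text))
    return [text for _, text in sorted(rows)]  # ties broken by the line text


def check_diff(previous: list[str], current: list[str]) -> dict[str, list[str]]:
    """Emulate what <check_diff /> reacts to: the normalized output differs
    from the last stored copy. Returns the lines that appeared and vanished;
    both lists empty means no alert is raised."""
    prev, cur = set(previous), set(current)
    return {"opened": sorted(cur - prev), "closed": sorted(prev - cur)}


if __name__ == "__main__":
    delta = check_diff(normalize(BEFORE), normalize(AFTER))
    print("opened:", delta["opened"])
    print("closed:", delta["closed"])
```

A line without a visible PID/program (netstat prints "-" when run without privileges) matches neither the sed expression nor this pattern, which is why the agent should run the command as root.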

Test the configuration

We trigger a port change on the Linux endpoint by moving the default SSH listening port from 22 to 2021. Follow the steps below to simulate this.

  1. Edit the sshd_config file (the server configuration, which sets the listening port):

    # nano /etc/ssh/sshd_config
    
  2. Comment out Port 22 and add port 2021 as the new SSH listening port:

    #Port 22
    Port 2021
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    
  3. Restart the ssh service:

    # systemctl restart ssh
    

Visualize the alerts

Go to the Threat Hunting module on the ThreatLockDown dashboard to visualize the alert showing the change in listening ports.

Listened ports status (netstat) changed alert