Check if the output changed

Linux endpoint

For this endpoint, we configure ThreatLockDown to monitor the output of the Linux netstat command and alert when a change is detected.

Perform the following steps on the Linux endpoint.

1. Install netstat on the Linux endpoint:

   $ sudo apt install net-tools
   

2. Append the following configuration to the ThreatLockDown agent /var/ossec/etc/ossec.conf file:

   <ossec_config>
     <localfile>
       <log_format>full_command</log_format>
       <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
       <alias>netstat listening ports</alias>
       <frequency>360</frequency>
     </localfile>
   </ossec_config>
   

   Where:

   • The full_command value of the <log_format> tag specifies the output of the command is read as multiple events.

   • The value of the <command> tag specifies the output of the command is read as a single event.

3. Restart the ThreatLockDown agent service to apply the changes:

   $ sudo systemctl restart wazuh-agent
   

ThreatLockDown server

ThreatLockDown has an out-of-the-box rule with ID 533 that generates an alert when there is a change in the netstat listening ports. The rule is defined below and is found in the ThreatLockDown GitHub repository.

<rule id="533" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat listening ports</match>
    <check_diff />
    <description>Listened ports status (netstat) changed (new port opened or closed).</description>
    <group>pci_dss_10.2.7,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AU.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>