
OSSEC Agent specific port instead of random port

Posted: Fri May 28, 2021 7:01 am
by mmudabbir
Hello,

For client-server communication, the OSSEC agent connects using a random high port. I want to specify a port for the client rather than random ports.

Is it possible? And how can I achieve it?

Re: OSSEC Agent specific port instead of random port

Posted: Fri May 28, 2021 2:26 pm
by mikeshinn
When you mean random port, do you mean the port the agent is trying to connect to? That should be 1514 by default.

If you mean the port the client computer uses to establish the connection, that's controlled by the operating system. It's going to use a high port that's not in use by another outbound connection.

Is there some reason you want to constrain that to a specific port?

Re: OSSEC Agent specific port instead of random port

Posted: Mon May 31, 2021 5:01 am
by mmudabbir
Hello,

Yes, I mean the ports the client computer uses to establish the connection, which are unused high ports.

There is a limitation of the network architecture at layer 3. Only specific ports are allowed to be used and all the other ports are blocked.
The range of ports is usually 49152-65535, which is not feasible to be open or even be unused as per IT policies.

It is then proposed that we should work on the agent to specify the ports. I suppose these amendments might be done in the code files of the agent. Am I right? Any help would be great.

Plus, I have been working with the agent for more than a year, so feel free to propose any complex solution.

Regards,

Re: OSSEC Agent specific port instead of random port

Posted: Tue Jun 01, 2021 2:55 pm
by scott
You can set the ephemeral port range in Linux with sysctl or /proc:

https://tldp.org/LDP/solrhe/Securing-Op ... sec70.html
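
The sysctl approach from this reply, as an added example (not part of scott's post or of OSSEC): a small shell helper that validates a candidate range and prints the matching sysctl setting. The function names and the sample range 50000-50015 are assumptions for illustration.

```shell
#!/bin/sh
# Added example: plan a narrowed Linux ephemeral (source) port range.
# 50000-50015 in the usage line is a constructed sample, not a value from the thread.

PROC_FILE=/proc/sys/net/ipv4/ip_local_port_range

# Print the range the kernel currently uses as "low high" (empty if unavailable).
current_range() {
    if [ -r "$PROC_FILE" ]; then
        tr -s '\t ' ' ' < "$PROC_FILE"
    fi
}

# Validate low/high and print how many source ports the range provides.
# 1024 is the kernel's default floor for unprivileged ports.
range_size() {
    for p in "$1" "$2"; do
        case "$p" in
            ''|0*|*[!0-9]*) echo "not a port number: '$p'" >&2; return 1 ;;
        esac
    done
    if [ "$1" -lt 1024 ] || [ "$2" -gt 65535 ] || [ "$1" -gt "$2" ]; then
        echo "need 1024 <= low <= high <= 65535" >&2
        return 1
    fi
    echo $(( $2 - $1 + 1 ))
}

# Print the sysctl.d line that makes the range persistent across reboots.
render_dropin() {
    range_size "$1" "$2" > /dev/null || return 1
    printf 'net.ipv4.ip_local_port_range = %s %s\n' "$1" "$2"
}

# Stand-alone use: ./portrange.sh 50000 50015
if [ "$#" -eq 2 ]; then
    size=$(range_size "$1" "$2") || exit 1
    echo "current range : $(current_range)"
    echo "ports in plan : $size"
    render_dropin "$1" "$2"
fi
```

The printed line can be placed in a file under /etc/sysctl.d/ and loaded with `sysctl --system`. The range is system-wide, so every outbound connection on the host draws its source port from it, and a narrow range caps how many such connections can be open at once.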

Re: OSSEC Agent specific port instead of random port

Posted: Tue Jun 01, 2021 3:05 pm
by mikeshinn
Yeah, that's a better option as the OS is what sets the outbound normally.

Re: OSSEC Agent specific port instead of random port

Posted: Wed Jun 02, 2021 3:08 am
by mmudabbir
Thank you for the response!

Actually, I have tried this for Windows and the range of ports that will be open is 250 or more.
Below is what I followed.
https://docs.microsoft.com/en-us/troubl ... cpip-chang

My problem is that it has to be deployed in a restricted environment with network limitations, and only a few ports are allowed to be open on both the client (end host) and the server.

I think this change will be possible by editing the code files of the OSSEC agent and making amendments to use only specific ports. If any of you can help me find the actual code files where the ports used are assigned, that will be great.

Regards,

Re: OSSEC Agent specific port instead of random port

Posted: Fri Jun 04, 2021 10:50 am
by scott
That would only be able to control the dst port; the src port is something you have to control from the IP stack in the OS.