AUDIT_ALLOWED_OPEN_PORTS
This check queries the list of open TCP/UDP ports on the target and compares them against an allowed list of ports. The check relies on output from either “netstat –ano” or “netstat –an” to get a list of open ports, and then verifies that the ports are indeed open by verifying the port state using (get_port_state()/get_udp_port_state()).
Usage
<custom_item>
type: AUDIT_ALLOWED_OPEN_PORTS
description: "Audit Open Ports"
value_type: [value_type]
value_data: [value]
port_type: [port_type]
<item>
Considerations:
-
value_data
also accepts a regex as a port range, so something like 8[0-9]+ works as well.
Examples
The following example compares value_data
against a list of TCP ports open on the target:
<custom_item>
type: AUDIT_ALLOWED_OPEN_PORTS
description: "Audit TCP OPEN PORTS"
value_type: POLICY_PORTS
value_data: "80,135,445,902,912,1024,1025,3389,5900,8[0-
9]+,18208,32111,38311,47001,139"
port_type: TCP
</custom_item>
The following example compares value_data
against a list of UDP ports open on the target:
<custom_item>
type: AUDIT_ALLOWED_OPEN_PORTS
description: "Audit UDP OPEN PORTS"
value_type: POLICY_PORTS
value_data: "161,445,500,1026,4501,123,137,138,5353"
port_type: UDP
</custom_item>