AUDIT_DENIED_OPEN_PORTS

This check queries the list of open TCP or UDP ports on the target and compares it against a denied list of ports. The check relies on the output of either "netstat -ano" or "netstat -an" to obtain the list of open ports, and then confirms that each port is actually open by checking its state with get_port_state() (TCP) or get_udp_port_state() (UDP). Open ports that match an entry in the denied list are reported as failures.

Usage

<custom_item>

type: AUDIT_DENIED_OPEN_PORTS

description: "Audit Denied Open Ports"

value_type: [value_type]

value_data: [value]

port_type: [port_type]

</custom_item>

The allowed values are:

  • value_type: POLICY_PORTS
  • value_data: a comma-separated list of denied ports, for example "80,135,445,902,912,1024,1025,3389,5900,8[0-9]+,18208,32111,38311,47001,139"
  • port_type: TCP or UDP (one protocol per item; use two items to audit both)

Considerations:

  • Each entry in value_data is matched as a regex against the port number, so a range such as 8[0-9]+ (8080, 8443, 8888 and so on) works as well as a literal port. Anchor the intent carefully: an entry like 80 matches only port 80, while 8[0-9]+ also matches 80 itself.
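To make the matching semantics concrete, the following is an added Python example (not Tenable's implementation of the check) that reproduces the logic described above: it parses constructed "netstat -an" and "netstat -ano" output, keeps only ports that are actually open (LISTENING for TCP; every bound socket for UDP, which has no state column), and reports those that match a value_data string of comma-separated ports or port regexes. The full-match treatment of each entry and the sample netstat lines are assumptions made for the example.

```python
import re

# Constructed sample of "netstat -an" output on a Windows host (not a real capture).
SAMPLE_NETSTAT_AN = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49732     52.96.0.1:443          ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:161            *:*
  UDP    0.0.0.0:5353           *:*
  UDP    [::1]:1900             *:*
"""

# Constructed sample of "netstat -ano" output; the trailing column is the owning PID.
SAMPLE_NETSTAT_ANO = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5900         127.0.0.1:50001        ESTABLISHED     1320
  UDP    0.0.0.0:5353           *:*                                    2044
"""

# One netstat row: proto, local, foreign, optional STATE, optional PID (from -o).
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?(?:\s+\d+)?\s*$"
)


def open_ports(netstat_output, port_type):
    """Return the set of open local port numbers for the given protocol."""
    ports = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or unrelated text
        proto, local, _foreign, state = m.groups()
        if proto != port_type.upper():
            continue
        # TCP sockets count as open only when LISTENING; UDP rows have no state.
        if proto == "TCP" and state != "LISTENING":
            continue
        # rsplit on the last ':' handles both 0.0.0.0:80 and [::]:445.
        ports.add(int(local.rsplit(":", 1)[1]))
    return ports


def compile_denied(value_data):
    """Turn a value_data string into anchored regexes, one per comma-separated entry.

    Assumption: each entry must match the whole port number, so "80" does not
    match 8080 but "8[0-9]+" matches 80, 8080 and 8443.
    """
    patterns = []
    for entry in value_data.split(","):
        entry = entry.strip()
        if entry:
            patterns.append(re.compile(r"^(?:%s)$" % entry))
    return patterns


def audit_denied_open_ports(netstat_output, value_data, port_type):
    """Return the sorted list of open ports that match the denied list."""
    denied = compile_denied(value_data)
    return sorted(
        port
        for port in open_ports(netstat_output, port_type)
        if any(pat.match(str(port)) for pat in denied)
    )


def check_result(hits):
    """The check passes only when no denied port is open."""
    return "PASSED" if not hits else "FAILED"


if __name__ == "__main__":
    for value_data, port_type in (("80,443,8[0-9]+,3389", "TCP"), ("161,5353", "UDP")):
        hits = audit_denied_open_ports(SAMPLE_NETSTAT_AN, value_data, port_type)
        print(port_type, value_data, "->", check_result(hits), hits)
```

Note that the ESTABLISHED row for local port 49732 is ignored even though it appears in the output; only the state check separates a listening service from an outbound client connection, which is why the check re-verifies port state rather than trusting every netstat row.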

Examples

The following example compares value_data against a list of TCP ports open on the target.

<custom_item>

type: AUDIT_DENIED_OPEN_PORTS

description: "Audit TCP OPEN PORTS"

value_type: POLICY_PORTS

value_data: "80,443"

port_type: TCP

</custom_item>

The following example compares value_data against a list of UDP ports open on the target.

<custom_item>

type: AUDIT_DENIED_OPEN_PORTS

description: "Audit UDP OPEN PORTS"

value_type: POLICY_PORTS

value_data: "161,5353"

port_type: UDP

</custom_item>