AUDIT_DENIED_OPEN_PORTS
This check queries the list of open TCP/UDP ports on the target and compares them against a denied list of ports. The check relies on output from either "netstat -ano" or "netstat -an" to get the list of open ports, and then confirms that each port is indeed open by checking its port state with get_port_state() (TCP) or get_udp_port_state() (UDP). An open port that appears on the denied list causes the check to fail.
Usage
<custom_item>
type: AUDIT_DENIED_OPEN_PORTS
description: "Audit Denied Open Ports"
value_type: [value_type]
value_data: [value]
port_type: [port_type]
</custom_item>
The allowed values are:
value_type: POLICY_PORTS
value_data: "80,135,445,902,912,1024,1025,3389,5900,8[0-9]+,18208,32111,38311,47001,139"
port_type: TCP or UDP
Considerations:
value_data is a comma-separated list of ports and also accepts a regex in place of a literal port number, so an entry such as 8[0-9]+ works as well.
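To make the comparison concrete, here is an added example in Python that is not part of the Nessus check or the .audit syntax above: it parses constructed "netstat -ano" output in the Windows column layout, turns value_data into anchored regexes (so "80" does not match 8080 while 8[0-9]+ does), and reports the denied ports that are open. The sample netstat text, the anchored matching and the column layout are this example's assumptions, not documented behaviour of the real check.

```python
import re
from typing import Dict, List, Set

# Constructed sample of "netstat -ano" output (Windows layout); not captured from a real host.
SAMPLE_NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2312
  TCP    192.168.1.10:49712     52.1.2.3:443           ESTABLISHED     1128
  TCP    [::]:3389              [::]:0                 LISTENING       980
  UDP    0.0.0.0:161            *:*                                    1460
  UDP    0.0.0.0:5353           *:*                                    3364
  UDP    192.168.1.10:137       *:*                                    4
"""


def parse_netstat(output: str) -> Dict[str, Set[int]]:
    """Return the locally open ports per protocol from netstat -an / -ano text.

    Assumes the Windows column order (Proto, Local Address, Foreign Address, State, PID).
    Only LISTENING TCP sockets count as open; UDP sockets have no state column, so every
    bound UDP local address counts.
    """
    open_ports: Dict[str, Set[int]] = {"TCP": set(), "UDP": set()}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        proto = fields[0].upper()
        if proto not in open_ports:
            continue  # header lines such as "Proto  Local Address ..."
        # Local address is "ip:port" or "[ipv6]:port"; the port follows the last colon.
        _, _, port_text = fields[1].rpartition(":")
        if not port_text.isdigit():
            continue
        if proto == "TCP" and (len(fields) < 4 or fields[3].upper() != "LISTENING"):
            continue  # ESTABLISHED, TIME_WAIT, ... are not open listeners
        open_ports[proto].add(int(port_text))
    return open_ports


def compile_denied_list(value_data: str) -> List["re.Pattern[str]"]:
    """Turn comma-separated value_data into regexes anchored to the whole port number.

    Anchoring is this example's choice: it makes "80" match only port 80 while a
    regex entry such as "8[0-9]+" still matches 80, 81, 8080, and so on.
    """
    patterns = []
    for entry in value_data.split(","):
        entry = entry.strip()
        if entry:
            patterns.append(re.compile(rf"^(?:{entry})$"))
    return patterns


def audit_denied_open_ports(netstat_output: str, value_data: str, port_type: str) -> List[int]:
    """Return the open ports of port_type (TCP/UDP) that match an entry of the denied list."""
    open_ports = parse_netstat(netstat_output)[port_type.upper()]
    denied = compile_denied_list(value_data)
    hits = [port for port in open_ports if any(rx.match(str(port)) for rx in denied)]
    return sorted(hits)


def check_result(hits: List[int]) -> str:
    """A denied port found open fails the check; otherwise it passes."""
    return "FAILED" if hits else "PASSED"


if __name__ == "__main__":
    for port_type, value_data in (("TCP", "80,443"), ("UDP", "161,5353")):
        hits = audit_denied_open_ports(SAMPLE_NETSTAT_ANO, value_data, port_type)
        print(f"{port_type} denied list {value_data!r}: {check_result(hits)} {hits}")
```

Running it against the constructed sample fails both the TCP and the UDP policy, because 80 and 443 are listening and 161 and 5353 are bound. Note that the ESTABLISHED connection on 49712 is never reported: only sockets in a listening state are treated as open, which mirrors why the real check re-verifies port state rather than trusting every line of netstat output.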
Examples
The following example compares value_data against the list of TCP ports open on the target.
<custom_item>
type: AUDIT_DENIED_OPEN_PORTS
description: "Audit TCP OPEN PORTS"
value_type: POLICY_PORTS
value_data: "80,443"
port_type: TCP
</custom_item>
The following example compares value_data against the list of UDP ports open on the target.
<custom_item>
type: AUDIT_DENIED_OPEN_PORTS
description: "Audit UDP OPEN PORTS"
value_type: POLICY_PORTS
value_data: "161,5353"
port_type: UDP
</custom_item>