AUDIT_ALLOWED_OPEN_PORTS

This check queries the list of open TCP/UDP ports on the target and compares them against an allowed list of ports. The check relies on output from either "netstat -ano" or "netstat -an" to obtain the list of open ports, and then verifies that each port is indeed open by checking its state with get_port_state() (TCP) or get_udp_port_state() (UDP).

Usage

<custom_item>
type: AUDIT_ALLOWED_OPEN_PORTS
description: "Audit Open Ports"
value_type: [value_type]
value_data: [value]
port_type: [port_type]
</custom_item>

Considerations:

  • value_data also accepts a regex as a port range, so something like 8[0-9]+ works as well.

Examples

The following example compares value_data against a list of TCP ports open on the target:

<custom_item>
type: AUDIT_ALLOWED_OPEN_PORTS
description: "Audit TCP OPEN PORTS"
value_type: POLICY_PORTS
value_data: "80,135,445,902,912,1024,1025,3389,5900,8[0-9]+,18208,32111,38311,47001,139"
port_type: TCP
</custom_item>

The following example compares value_data against a list of UDP ports open on the target:

<custom_item>
type: AUDIT_ALLOWED_OPEN_PORTS
description: "Audit UDP OPEN PORTS"
value_type: POLICY_PORTS
value_data: "161,445,500,1026,4501,123,137,138,5353"
port_type: UDP
</custom_item>
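The following Python is an added illustration of the comparison this check performs (the netstat parsing described at the top of the page and the regex port entries noted under Considerations); it is not Tenable's implementation and does not model the get_port_state()/get_udp_port_state() confirmation step. It parses a constructed Windows-style "netstat -ano" listing, treats TCP sockets as open only in the LISTENING state and every UDP socket as open, and reports each open port that no entry of value_data matches. Entries are treated as anchored regexes, which is an assumption: a literal 80 then matches only port 80, while 8[0-9]+ matches any port that starts with 8 and has at least two digits. The two value_data strings are the ones from the examples above.

```python
import re

# Constructed sample of "netstat -ano" output (Windows layout); not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3344
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       5120
  TCP    10.0.0.5:49812         10.0.0.9:443           ESTABLISHED     2048
  TCP    [::]:3389              [::]:0                 LISTENING       1200
  UDP    0.0.0.0:123            *:*                                    1100
  UDP    0.0.0.0:161            *:*                                    1800
  UDP    0.0.0.0:1900           *:*                                    2200
"""

# value_data strings taken from the two examples on this page.
TCP_ALLOWED = "80,135,445,902,912,1024,1025,3389,5900,8[0-9]+,18208,32111,38311,47001,139"
UDP_ALLOWED = "161,445,500,1026,4501,123,137,138,5353"

# One netstat -ano row: protocol, local socket, remote socket, optional state (TCP only), PID.
NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def parse_open_ports(netstat_output, port_type):
    """Return the sorted list of local ports open for port_type ("TCP" or "UDP")."""
    proto = port_type.upper()
    ports = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m or m.group("proto") != proto:
            continue
        # A TCP socket counts as open only when it is listening; UDP rows carry no state.
        if proto == "TCP" and m.group("state") != "LISTENING":
            continue
        # Local address may be IPv4 ("0.0.0.0:80") or IPv6 ("[::]:3389"); the port follows the last colon.
        ports.add(int(m.group("local").rsplit(":", 1)[1]))
    return sorted(ports)


def compile_allowed(value_data):
    """Split the comma-separated value_data; each entry is a regex over the port number."""
    return [re.compile(entry.strip()) for entry in value_data.split(",") if entry.strip()]


def audit_allowed_open_ports(netstat_output, value_data, port_type):
    """Return open ports of port_type that no allowed-list entry fully matches (the failures)."""
    allowed = compile_allowed(value_data)
    return [
        port
        for port in parse_open_ports(netstat_output, port_type)
        if not any(rx.fullmatch(str(port)) for rx in allowed)
    ]


if __name__ == "__main__":
    for proto, allowed in (("TCP", TCP_ALLOWED), ("UDP", UDP_ALLOWED)):
        bad = audit_allowed_open_ports(SAMPLE_NETSTAT, allowed, proto)
        print(f"{proto}: {'PASSED' if not bad else 'FAILED, unexpected open ports ' + str(bad)}")
```

Run against the constructed listing, the TCP audit fails on port 4444 (8080 is accepted by the 8[0-9]+ entry and the ESTABLISHED client socket on 49812 is ignored), and the UDP audit fails on port 1900. Whether the real check anchors each entry or searches for it as a substring determines whether an entry like 80 would also accept 8080; the anchored reading used here is the stricter one.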