Brodie, Kent wrote:
Hi-- I'm wrestling with the PORTS option of a host, trying to watch for a specific issue.
While I have successfully matched rule(s) for simple things like SSH port(s) listening, I cannot seem to get a rule to match the following:
We have a stupid java server thing that keeps leaving ports in a close_wait state. See example below.
What rule would I use for watching for these? I'm trying something along the lines of:
HOST=starr.brc.mcw.edu PORT "REMOTE=%*.8085" STATE=CLOSE_WAIT max=20 color=red TRACK=hung TEXT=hung
But it never matches. I've tried lots of variations.
Any help appreciated!! (goal: If I see more than "N" number of these ports, I want to flag red)
I believe your regular expression is wrong. Try: PORT "REMOTE=%.*\.8085" STATE=CLOSE_WAIT max=20 color=red TRACK=hung TEXT=hung
Alternatively, instead of using a regular expression, you can use a wildcard: PORT "REMOTE=*.8085" STATE=CLOSE_WAIT max=20 color=red TRACK=hung TEXT=hung
-Charles
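To see why the original pattern fails and how the two suggested forms differ, here is an added example (not from the thread, and not Xymon's own code) that models the PORT rule's matching over constructed BSD/Solaris-style netstat lines: a leading `%` is treated as a regular expression and anything else as a shell-style wildcard (an assumption about the semantics, simplified for illustration).

```python
import re
import fnmatch

# Constructed netstat-style output (host.port format), not from the original thread.
SAMPLE_NETSTAT = """\
tcp4  0  0  10.1.2.3.51022    192.168.5.10.8085   CLOSE_WAIT
tcp4  0  0  10.1.2.3.51023    192.168.5.10.8085   CLOSE_WAIT
tcp4  0  0  10.1.2.3.51024    192.168.5.10.8085   ESTABLISHED
tcp4  0  0  10.1.2.3.51025    192.168.5.11.80850  CLOSE_WAIT
tcp4  0  0  10.1.2.3.22       172.16.0.9.40001    ESTABLISHED
tcp4  0  0  10.1.2.3.51026    192.168.5.12.8085   CLOSE_WAIT
"""

def regex_is_valid(pattern):
    """True if a '%'-prefixed pattern compiles. '%*.8085' does not: the leading
    '*' is a quantifier with nothing to repeat, so the rule can never match."""
    try:
        re.compile(pattern[1:])
        return True
    except re.error:
        return False

def pattern_matches(pattern, value):
    """Simplified model (assumption): '%' selects an unanchored regex search,
    otherwise the value must match the whole shell-style wildcard."""
    if pattern.startswith("%"):
        return re.search(pattern[1:], value) is not None
    return fnmatch.fnmatchcase(value, pattern)

def count_matching(netstat_text, remote_pattern, state):
    """Count connections in the given state whose remote endpoint matches."""
    count = 0
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        remote, conn_state = fields[4], fields[5]
        if conn_state == state and pattern_matches(remote_pattern, remote):
            count += 1
    return count

def rule_fires(netstat_text, remote_pattern, state="CLOSE_WAIT", maximum=20):
    """Mirror the max=N semantics: flag once the count exceeds the limit."""
    return count_matching(netstat_text, remote_pattern, state) > maximum
```

In this model the unanchored regex `%.*\.8085` also counts the `.80850` connection, while the wildcard `*.8085` (or an anchored `%\.8085$`) does not, so anchoring the regex is the safer choice when adjacent port numbers exist.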