Hi-- I'm wrestling with the PORTS option of a host, trying to watch
for a specific issue.
While I have successfully matched rule(s) for simple things like SSH
port(s) listening, I cannot seem to get a rule to match the following:
We have a stupid java server thing that keeps leaving ports in a
close_wait state. See example below.
What rule would I use for watching for these? I'm trying something
along the lines of:
HOST=starr.brc.mcw.edu
PORT "REMOTE=%*.8085" STATE=CLOSE_WAIT max=20 color=red
TRACK=hung TEXT=hung
But it never matches. I've tried lots of variations.
Any help appreciated!! (goal: If I see more than "N" number of these
ports, I want to flag red)