PORTs help?
Brodie, Kent
brodie at mcw.edu
Tue Jul 11 23:37:26 CEST 2006
Hi-- I'm wrestling with the PORTS option of a host, trying to watch
for a specific issue.

While I have successfully matched rule(s) for simple things like SSH
port(s) listening, I cannot seem to get a rule to match the following:

We have a stupid java server thing that keeps leaving ports in a
close_wait state. See example below.

What rule would I use for watching for these? I'm trying something
along the lines of:

HOST=starr.brc.mcw.edu
    PORT "REMOTE=%*.8085" STATE=CLOSE_WAIT max=20 color=red TRACK=hung TEXT=hung

But it never matches. I've tried lots of variations.

Any help appreciated!! (goal: If I see more than "N" number of these
ports, I want to flag red)

Tue Jul 11 16:30:46 CDT 2006 - Ports NOT ok
hung (found 0, req. between 1 and 20)   <== this is the rule that doesn't work..
ssh (found 7, req. 1 or more)

Local Address         Remote Address        Swind Send-Q Rwind Recv-Q State
--------------------  --------------------  ----- ------ ----- ------ -------
127.0.0.1.50447       127.0.0.1.6100        49152      0 49152      0 ESTABLISHED
127.0.0.1.6100        127.0.0.1.50447       49152      0 49152      0 ESTABLISHED
*.3003                *.*                       0      0 49152      0 LISTEN
127.0.0.1.50448       127.0.0.1.6100        49152      0 49152      0 ESTABLISHED
127.0.0.1.6100        127.0.0.1.50448       49152      0 49152      0 ESTABLISHED
127.0.0.1.50449       127.0.0.1.6100        49152      0 49152      0 ESTABLISHED
127.0.0.1.6100        127.0.0.1.50449       49152      0 49152      0 ESTABLISHED
127.0.0.1.50457       127.0.0.1.6100        49152      0 49152      0 ESTABLISHED
127.0.0.1.6100        127.0.0.1.50457       49152      0 49152      0 ESTABLISHED
141.106.224.175.50533 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.51260 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.54844 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.55651 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.56483 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.57541 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.58667 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.37218 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.38052 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.39008 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.39872 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.40498 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.49005 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.49750 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.50382 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.51211 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.52210 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.59122 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.59721 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.60606 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.61293 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.61992 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.38432 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.39131 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.39752 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.40451 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.41008 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.50174 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.50782 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.51399 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.52041 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.52717 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.64337 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.64991 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.39232 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.39877 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.40560 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.41289 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.42002 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.49473 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.50084 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.50681 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.51227 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.51784 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.58596 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.59169 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.59728 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.60321 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.32820 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.33395 141.106.224.175.8085  49152      0 49152      0 CLOSE_WAIT
141.106.224.175.33956 141.106.224.175.8085  49152      0 49152      0
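
The rule and netstat layout from the message above, as an added example that is not part of the original post: it counts CLOSE_WAIT rows by remote port and applies a min/max threshold, showing that `*.8085` is a shell-style glob rather than a valid regular expression. It assumes the text after `%` in the rule is interpreted as a regular expression; the function names are hypothetical and the sample rows are constructed.

```python
import re

# Constructed sample in the netstat layout shown in the post
# (address.port, seven columns, state last). Addresses are documentation IPs.
SAMPLE = """\
127.0.0.1.50447 127.0.0.1.6100 49152 0 49152 0 ESTABLISHED
*.3003 *.* 0 0 49152 0 LISTEN
192.0.2.10.50533 192.0.2.10.8085 49152 0 49152 0 CLOSE_WAIT
192.0.2.10.51260 192.0.2.10.8085 49152 0 49152 0 CLOSE_WAIT
192.0.2.10.8085 192.0.2.10.51260 49152 0 49152 0 FIN_WAIT_2
192.0.2.10.54844 192.0.2.10.18085 49152 0 49152 0 CLOSE_WAIT
"""


def compile_pattern(text):
    """Return a compiled regex, or None when the text is not a valid regex."""
    try:
        return re.compile(text)
    except re.error:
        return None


def count_ports(netstat_text, remote_re, state):
    """Count rows whose remote address matches remote_re and whose state matches."""
    rx = compile_pattern(remote_re)
    if rx is None:
        return 0  # assumption: a pattern that does not compile matches no row
    count = 0
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # header, separator or truncated row
        remote, row_state = fields[1], fields[6]
        if row_state == state and rx.search(remote):
            count += 1
    return count


def colour(found, min_count, max_count):
    """Green while the count stays inside [min_count, max_count], else red."""
    return "green" if min_count <= found <= max_count else "red"


if __name__ == "__main__":
    print(count_ports(SAMPLE, "*.8085", "CLOSE_WAIT"))      # glob, not a regex
    print(count_ports(SAMPLE, r"[.:]8085$", "CLOSE_WAIT"))  # anchored on the port
    print(colour(0, 1, 20), colour(2, 0, 20), colour(21, 0, 20))
```

The status output in the post reports "req. between 1 and 20", so a count of zero is also outside the range; flagging only on "more than N" needs a lower bound of 0.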