Network Listeners (sec-network)
Monitors open network ports and reports listeners that are not on the whitelist. Detects unexpected services waiting for incoming connections.
Configuration
| Parameter | Type | Default | Description |
|---|---|---|---|
| enabled | bool | true | Enable/disable module |
| allowed_listeners | list | ["22/tcp"] | Allowed listeners in port/proto format |
| unexpected_listener_severity | int | 1 | Severity for unexpected listeners (1=warning, 2=error) |
| ignore_loopback | bool | true | Ignore loopback addresses (127.0.0.1) |
| ignore_docker | bool | true | Ignore Docker networks |
YAML Example
```yaml
sec_network:
  enabled: true
  allowed_listeners:
    - "22/tcp"
    - "443/tcp"
    - "80/tcp"
  unexpected_listener_severity: 2
  ignore_loopback: true
  ignore_docker: true
```
Diagnostic Codes
| Code | Severity | Meaning | Recommendation |
|---|---|---|---|
| 5002 | 1–2 | Unexpected network listener found | Identify the service, stop it or add to whitelist |
- Linux: Uses `ss` to detect open ports.
- Windows: Uses `netstat` or PowerShell cmdlets.