[Ossec-list] Multiple messages refused based on timestamp only
- Subject: [Ossec-list] Multiple messages refused based on timestamp only
- From: daniel.cid at gmail.com (Daniel Cid)
- Date: Thu, 6 Apr 2006 12:15:09 -0300
Hi Nico,
This is a known bug and I have a fix almost ready for that. The problem is that
when the agent generates a message, it adds a unix timestamp and an id
to it. However, the size of the Id field only allows a number up to 255.
So if you are sending more than 255 messages per second (from the agent
to the server), the id would become zero again and the server would
think it is a replayed message (and when this happens, it will zero
its counts and drop a lot more events from this agent). The purpose
of that was to avoid a replay attack, but it ended up causing this
problem.
For most of the systems it would be fine, because very few syslog systems
generate more than 255 messages per second. However, if you are analyzing
a firewall log (like you are) or a very busy apache or squid server,
this problem happens.
I plan to release a new version of the ossec soon, containing a bunch of
fixes that were found recently (including a windows version). Btw, thanks for
the report, it helps us improve the system :)
--
Daniel B. Cid
dcid @ ( at ) ossec.net
http://www.ossec.net
On 4/6/06, Nico De Ranter <nico at sonycom.com> wrote:
>
> Hello again,
>
> I'm trying to use ossec to correlate logs from a few linux-based
> firewalls. I ran an nmap scan through one of the firewalls to see
> whether ossec would pick it up. The nmap scan was done in Aggressive
> mode to generate a lot of traffic (simulating a worm outbreak I had a
> few weeks ago on that network). Unfortunately when I look at the ossec
> log on the server it seems almost all messages from the firewall agent
> were dropped due to a similar timestamp
>
> 2006/04/06 11:29:25 shared(1407): Duplicated message time from '10.21.59.190'.
> 2006/04/06 11:29:25 ossec-remoted(1214): Problem receiving message from 10.21.59.190.
> [...]
>
> Shouldn't ossec look both at the timestamp and the content of the
> message to decide whether the packet is a duplicate? Of the 437 messages
> the agent tried to send to the server only 2 got through. Is there a way
> to make the server accept all messages? Or can I do some preprocessing on
> the agent to turn down the number of messages sent to the server?
>
> Nico
>
> --
> Nico De Ranter
> Senior System Administrator
> Sony Service Center (NSCE)
> The Corporate Village, Da Vincilaan 7-D1
> B-1935 Zaventem, Belgium
> Telephone: +32 (0)2 700 86 41 Fax: +32 (0)2 700 86 22
>
>
> _______________________________________________
> ossec-list mailing list
> ossec-list at ossec.net
> http://mailman.underlinux.com.br/mailman/listinfo/ossec-list
>
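The counter wraparound Daniel describes above, modelled as an added example (this is not OSSEC's code; the agent/server protocol is reduced to a `(timestamp, id)` pair, the "strictly newer" comparison, the 8-bit id width and the sample log lines are assumptions built from the thread). It shows why a burst of more than 256 messages in one second trips the anti-replay check, how a wider id field avoids it, and how a defender can spot the symptom by counting the `Duplicated message time` rejections per agent in the server log:

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class ReplayState:
    """Last (timestamp, id) the server accepted from one agent."""
    last_ts: int = 0
    last_id: int = 0


def check_message(state: ReplayState, ts: int, msg_id: int) -> bool:
    """Anti-replay check as assumed from the thread: a message is accepted only
    if its (timestamp, id) is strictly newer than the last accepted pair.
    Returns True when accepted, False when treated as a replay."""
    if (ts, msg_id) <= (state.last_ts, state.last_id):
        return False
    state.last_ts, state.last_id = ts, msg_id
    return True


def simulate(n_messages: int, id_bits: int, msgs_per_second: int) -> int:
    """Send n_messages at a fixed rate with an id counter of id_bits width
    and return how many the server accepts.  With id_bits=8 the counter
    wraps to 0 after 255 inside a busy second and every later message in
    that second fails the check; a wider counter never wraps in practice."""
    state = ReplayState()
    modulus = 1 << id_bits
    base_ts = 1144337365          # constructed unix time, roughly 2006-04-06
    accepted = 0
    for i in range(n_messages):
        ts = base_ts + i // msgs_per_second   # messages share a timestamp within a second
        msg_id = i % modulus                  # id counter, wraps at the field width
        if check_message(state, ts, msg_id):
            accepted += 1
    return accepted


# Detection side: count anti-replay rejections per agent in the server log.
REJECT_RE = re.compile(r"shared\(\d+\): Duplicated message time from '([\d.]+)'")


def count_rejections(log_text: str) -> Counter:
    """Return a Counter of agent IP -> number of 'Duplicated message time'
    rejections, the line the server emits for a message it takes as a replay."""
    return Counter(REJECT_RE.findall(log_text))


# Constructed sample log in the format quoted in the thread.
SAMPLE_LOG = """\
2006/04/06 11:29:25 shared(1407): Duplicated message time from '10.21.59.190'.
2006/04/06 11:29:25 ossec-remoted(1214): Problem receiving message from 10.21.59.190.
2006/04/06 11:29:25 shared(1407): Duplicated message time from '10.21.59.190'.
"""

if __name__ == "__main__":
    # 437 messages in one second, as in Nico's scan, with an 8-bit id:
    print("8-bit id, 437 msg/s accepted:", simulate(437, 8, 437))      # 256
    # same burst with a 32-bit id: nothing is rejected
    print("32-bit id, 437 msg/s accepted:", simulate(437, 32, 437))    # 437
    print("rejections per agent:", dict(count_rejections(SAMPLE_LOG)))
```

The simulation accepts exactly 256 of 437 messages in the one-second burst (ids 0..255, then everything after the wrap is rejected until the clock ticks); the real server drops more because, as Daniel notes, it also zeroes its counters on a suspected replay, which this model leaves out. A per-agent rejection count that jumps during a known traffic burst is the practical signal that an agent is hitting this limit rather than being replayed.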
OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.