
[Ossec-list] Multiple messages refused based on timestamp only



Hi Nico,

This problem should be fixed in the just released 0.8beta version. Do you mind
testing it and letting us know how it goes?

Beta information:
http://mailman.underlinux.com.br/pipermail/ossec-list/2006-May/000107.html

Thanks,

Daniel

On 4/6/06, Nico De Ranter <nico at sonycom.com> wrote:
>
> Hello again,
>
> I'm trying to use ossec to correlate logs from a few linux-based
> firewalls. I ran an nmap scan through one of the firewalls to see
> whether ossec would pick it up. The nmap scan was done in Aggressive
> mode to generate a lot of traffic (simulating a worm outbreak I had a
> few weeks ago on that network). Unfortunately when I look at the ossec
> log on the server it seems almost all messages from the firewall agent
> were dropped due to a similar timestamp:
>
> 2006/04/06 11:29:25 shared(1407): Duplicated message time from
> '10.21.59.190'.
> 2006/04/06 11:29:25 ossec-remoted(1214): Problem receiving message from
> 10.21.59.190.
> [...]
>
> Shouldn't ossec look both at the timestamp and the content of the
> message to decide whether the packet is a duplicate? Of the 437 messages
> the agent tried to send to the server only 2 got through. Is there a way
> to make the server accept all messages? Or can I do some preprocessing on
> the agent to turn down the number of messages sent to the server?
>
> Nico
>
> --
> Nico De Ranter
> Senior System Administrator
> Sony Service Center (NSCE)
> The Corporate Village, Da Vincilaan 7-D1
> B-1935 Zaventem, Belgium
> Telephone: +32 (0)2 700 86 41 Fax: +32 (0)2 700 86 22
>
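Nico's question above (checking the timestamp alone versus the timestamp plus the message content), as an added illustration that is not OSSEC's code and does not describe how any OSSEC release implements its check: a replay filter keyed on message time alone next to one keyed on time plus a SHA-256 digest of the payload, both run over a constructed burst of firewall lines stamped in the same second. The `Message` type, the `window` parameter and the sample log lines are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    agent: str      # sending agent, e.g. a firewall's address
    timestamp: int  # seconds since the epoch, as carried in the message
    payload: str    # the forwarded log line


def filter_timestamp_only(messages):
    """Accept a message only if its timestamp is newer than the last one
    accepted from that agent. Distinct messages within one second collapse
    to a single survivor, which is the effect the report describes."""
    last_seen, accepted, dropped = {}, [], []
    for m in messages:
        if m.timestamp <= last_seen.get(m.agent, -1):
            dropped.append(m)  # the "Duplicated message time" case
            continue
        last_seen[m.agent] = m.timestamp
        accepted.append(m)
    return accepted, dropped


def filter_timestamp_and_digest(messages, window=300):
    """Accept a message unless the same (timestamp, payload digest) was
    already seen from that agent. Exact replays are still rejected, and a
    timestamp more than `window` seconds behind the newest one seen is
    rejected so that entries expired from memory cannot be replayed later."""
    seen, newest, accepted, dropped = {}, {}, [], []
    for m in messages:
        key = (m.timestamp, hashlib.sha256(m.payload.encode()).hexdigest())
        agent_seen = seen.setdefault(m.agent, set())
        if m.timestamp < newest.get(m.agent, 0) - window or key in agent_seen:
            dropped.append(m)
            continue
        agent_seen.add(key)
        newest[m.agent] = max(newest.get(m.agent, 0), m.timestamp)
        # expire entries that fell out of the window to bound memory use
        seen[m.agent] = {k for k in agent_seen if k[0] >= newest[m.agent] - window}
        accepted.append(m)
    return accepted, dropped


def sample_burst():
    """Constructed input: five distinct firewall log lines stamped in the
    same second (a scan burst), followed by an exact replay of the first."""
    ts = 1144322965  # constructed, approximating the report's 2006/04/06 11:29:25
    lines = [f"kernel: IN=eth0 SRC=192.0.2.10 DST=192.0.2.20 PROTO=TCP DPT={port}"
             for port in (21, 22, 23, 25, 80)]
    burst = [Message("10.21.59.190", ts, line) for line in lines]
    return burst + [burst[0]]
```

With the constructed burst, the time-only filter keeps 1 of the 6 messages, while the time-plus-digest filter keeps the 5 distinct lines and rejects only the replay.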




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.