[Ossec-list] No response from server to agent
- Subject: [Ossec-list] No response from server to agent
- From: alberto.avi at gmail.com (alberto.avi at gmail.com)
- Date: Tue, 23 May 2006 10:01:58 +0200
Hello,
I'm trying to use the client/server approach of OSSEC HIDS v0.8.
On the client (agent ID 001) I defined a single squid log file to monitor:
<ossec_config>
  <client>
    <server-ip>10.182.32.10</server-ip>
  </client>
  <localfile>
    <log_format>squid</log_format>
    <location>/usr/local/prod/squid-2.5.STABLE12/var/logs/access.log</location>
  </localfile>
</ossec_config>
On the server I have configured a single active-response for agent ID 001.
In the future I'll have many agents, so it's very important for me to try
this case.
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>alberto.avi at ugis.unicredit.it</email_to>
    <smtp_server>10.182.35.244</smtp_server>
    <email_from>ossecm at usmgml201.usinet.it</email_from>
  </global>
  <rules>
    <include>rules_config.xml</include>
    <include>squid_rules.xml</include>
  </rules>
  <global>
    <white_list>127.0.0.1</white_list>
  </global>
  <remote>
    <connection>syslog</connection>
  </remote>
  <remote>
    <connection>secure</connection>
  </remote>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>host-deny</command>
    <location>defined-agent</location>
    <agent_id>001</agent_id>
    <level>6</level>
    <timeout>60</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>001</agent_id>
    <level>6</level>
    <timeout>60</timeout>
  </active-response>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</ossec_config>
'tcpdump -X -s 1500 -v udp port 1514' on the server tells me that the
agent is talking to the server when I generate some "TCP_DENIED/407"
entries on my proxy.
The problem is that I never see the active-response network traffic from
server to agent to drop the srcip at the iptables level on the agent machine.
In the log files I can't find any useful information (for me).
server side:
2006/05/23 09:58:25 ossec-maild: Started (pid: 14825).
2006/05/23 09:58:25 ossec-execd: Started (pid: 14829).
2006/05/23 09:58:25 ossec-analysisd: Reading rules file: 'rules_config.xml'
2006/05/23 09:58:25 ossec-analysisd: Reading rules file: 'squid_rules.xml'
2006/05/23 09:58:25 ossec-analysisd: Total rules enabled: '23'
2006/05/23 09:58:25 ossec-analysisd: 1 IPs in the white list for active response.
2006/05/23 09:58:25 ossec-analysisd: Started (pid: 14833).
2006/05/23 09:58:25 ossec-remoted: Started (pid: 14841).
2006/05/23 09:58:25 ossec-remoted(1501): No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
2006/05/23 09:58:25 ossec-remoted: Started (pid: 14844).
2006/05/23 09:58:28 ossec-analysisd: Connected to '/queue/alerts/ar' (active-response queue)
2006/05/23 09:58:28 ossec-syscheckd: Started (pid: 14849).
2006/05/23 09:58:28 ossec-syscheckd: No directories to check.
2006/05/23 09:58:31 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
2006/05/23 09:58:31 ossec-logcollector: Started (pid: 14837).
agent side:
2006/05/23 09:33:00 ossec-execd: Started (pid: 15555).
2006/05/23 09:33:00 ossec-agentd: Started (pid: 15559).
2006/05/23 09:33:04 ossec-syscheckd: Started (pid: 15572).
2006/05/23 09:33:04 ossec-syscheckd: No directories to check.
2006/05/23 09:33:06 ossec-logcollector(1950): Analyzing file: '/usr/local/prod/squid-2.5.STABLE12/var/logs/access.log'.
2006/05/23 09:33:06 ossec-logcollector: Started (pid: 15563).
2006/05/23 09:34:06 ossec-rootcheck: No rootcheck_files file configured.
2006/05/23 09:34:06 ossec-rootcheck: No rootcheck_trojans file configured.
Can you help me? Thanks.
In the past I used the local installation, and I think that OSSEC HIDS is a
very, very interesting and intelligent software product.
Many thanks to Daniel Cid, who first told me about it!
Thank you for your incredible work and for your time.
Alberto Avi
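An added check, not from the post above and not code from the OSSEC project: a small Python script that lints the <command>/<active-response> blocks of the server configuration in the post and then models, using only the rules OSSEC documents for active response (an alert must reach the response's <level>, a command that expects srcip needs an alert that carries one, an address on the <white_list> is never acted on, and defined-agent sends the command to the configured <agent_id> whichever agent raised the alert), which responses the server would dispatch for a given alert. The config string is a trimmed copy of the one in the post; the Alert values and the helper names (lint, responses_for) are constructed for this example.

```python
"""Lint OSSEC active-response config and model when a response is dispatched.

Added example, not part of the original post or of OSSEC. It encodes only
the documented behaviour of <command> and <active-response>:
  - <active-response><command> must name a defined <command><name>
  - <location>defined-agent</location> needs an <agent_id>
  - a response fires only for alerts whose level is >= its <level>
  - a command that <expect>s srcip needs an alert that carries one
  - a srcip listed in <global><white_list> is never acted on
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Trimmed copy of the server-side ossec.conf from the post: only the parts
# that matter for active response. OSSEC accepts several <global> blocks.
SERVER_CONF = """<ossec_config>
  <global>
    <white_list>127.0.0.1</white_list>
  </global>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>host-deny</command>
    <location>defined-agent</location>
    <agent_id>001</agent_id>
    <level>6</level>
    <timeout>60</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>001</agent_id>
    <level>6</level>
    <timeout>60</timeout>
  </active-response>
</ossec_config>
"""

VALID_LOCATIONS = ("local", "server", "defined-agent", "all")


@dataclass
class Alert:
    """Constructed, minimal view of an alert as the dispatch decision sees it."""
    level: int
    agent_id: str          # agent that produced the log line
    srcip: Optional[str] = None


def text(elem, tag, default=None):
    """Stripped text of the first child <tag>, or default if absent."""
    child = elem.find(tag)
    return child.text.strip() if child is not None and child.text else default


def lint(conf_xml):
    """Return a list of structural problems in the AR config (empty = clean)."""
    root = ET.fromstring(conf_xml)
    # findall (direct children) on purpose: iter("command") would also match
    # the <command> reference inside every <active-response>.
    commands = {text(c, "name") for c in root.findall("command")}
    problems = []
    for i, ar in enumerate(root.findall("active-response"), 1):
        name = text(ar, "command")
        if name not in commands:
            problems.append(f"active-response #{i}: unknown command '{name}'")
        loc = text(ar, "location")
        if loc not in VALID_LOCATIONS:
            problems.append(f"active-response #{i}: unknown location '{loc}'")
        if loc == "defined-agent" and text(ar, "agent_id") is None:
            problems.append(f"active-response #{i}: defined-agent without <agent_id>")
        if text(ar, "level") is None:
            problems.append(f"active-response #{i}: no <level> threshold")
    return problems


def responses_for(conf_xml, alert):
    """Model the server's dispatch decision: list of (command, target) pairs."""
    root = ET.fromstring(conf_xml)
    white = {text(w, ".") for g in root.findall("global") for w in g.findall("white_list")}
    commands = {text(c, "name"): c for c in root.findall("command")}
    fired = []
    for ar in root.findall("active-response"):
        cmd = commands.get(text(ar, "command"))
        if cmd is None:
            continue
        if alert.level < int(text(ar, "level", "0")):
            continue                        # alert below this response's threshold
        if text(cmd, "expect") == "srcip":
            if alert.srcip is None:
                continue                    # decoder gave no srcip: nothing to block
            if alert.srcip in white:
                continue                    # whitelisted source, never acted on
        loc = text(ar, "location")
        target = {"defined-agent": text(ar, "agent_id"),
                  "local": alert.agent_id, "server": "server"}.get(loc, "all")
        fired.append((text(ar, "command"), target))
    return fired


if __name__ == "__main__":
    print(lint(SERVER_CONF) or "config: no structural problems")
    # Constructed alerts: same source, different levels / addresses.
    for a in (Alert(6, "001", "10.1.2.3"), Alert(5, "001", "10.1.2.3"),
              Alert(7, "001", "127.0.0.1"), Alert(7, "001", None)):
        print(a, "->", responses_for(SERVER_CONF, a))
```

Run against the posted config, lint reports nothing, so the next thing to confirm is the level at which the squid rule matching TCP_DENIED/407 actually fires and whether the squid decoder fills in srcip: the model shows a level-5 alert dispatches nothing at all, an alert without srcip dispatches nothing, and a source on the white_list (127.0.0.1 here) is skipped even at level 7.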
OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.