[Ossec-list] No response from server to agent
- Subject: [Ossec-list] No response from server to agent
- From: alberto.avi at gmail.com (alberto.avi at gmail.com)
- Date: Tue, 23 May 2006 14:44:15 +0200
Hi Ahmet,
thank you for the suggestion.
ahmet ozturk wrote:
> Hi Alberto,
>
> "TCP_DENIED/407" is matched with rule 5007 in squid rules,
> and its alert level is 5. However, in ossec.conf, it's defined
> that the active-response is used if alert level >= 6. (Please see below
> for the related configuration file part)
> Btw, there's another rule (5052), which is fired if rule 5007 was fired
> 8 times in 2 minutes for the same source IP address and its alert
> level is 10.
>
> I mean, if you just get "TCP_DENIED/407" once, ossec-hids will
> generate an alert with level 5,
> (5007) and default configuration won't use active-response because
> it's configured for rules
> with level >=6.
> If you get the same "TCP_DENIED/407" for the same ip at least 8 times
> in a 2 min. timeframe,
> ossec-hids will generate an alert with level 10 (5052), and now
> active-response will be used.
In the Squid access.log I generate about 20-30 lines of TCP_DENIED/407
for every test case that I'm running.
In this situation the rule 5052 should be fired.
> Now you have chance to change this behaviour:
> * you may edit ossec.conf file, and decrease the level at which
> active-response is used.
> (Please read docs/rules.txt in source directory for alert levels)
> * you may also edit squid_rules.xml file and increase level for rule 5007
> * and also you may change the SQUID_FREQ(=8) in rule 5052 in order to
> decrease the
> required number of entries for the same source ip to fire this rule.
>
> related part
> ----
> <command>firewall-drop</command>
> <location>defined-agent</location>
> <agent_id>001</agent_id>
> <level>6</level> <----change this------
I tried <level>1</level> but no rule is loaded in iptables. :-(
> <timeout>60</timeout>
> </active-response>
> ----
>
> I hope this helps.
>
> Regards,
>
> Ahmet Ozturk.
Could it be a certificate communication error between agent and server?
I tried to regenerate the certificate on server and import it in the
agent without success.
Thank you for your help.
Alberto.
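An added illustration of the rule chain Ahmet describes (example code written for this page, not OSSEC's own implementation and not part of the thread): it replays rule 5007, the frequency rule 5052 and the `<level>6</level>` active-response gate over constructed Squid access.log lines. The log field layout and the reset of the per-IP counter after 5052 fires are assumptions.

```python
"""Replay of the 5007 -> 5052 -> active-response chain from the thread."""
from collections import defaultdict, deque
import re

# Values quoted in the thread: rule levels, SQUID_FREQ, 2 min timeframe,
# and the <level>6</level> threshold in the active-response block.
RULE_5007_LEVEL = 5
RULE_5052_LEVEL = 10
SQUID_FREQ = 8
TIMEFRAME_SEC = 120
ACTIVE_RESPONSE_MIN_LEVEL = 6

# Assumed Squid native format: "<epoch> <elapsed> <client_ip> <action/code> ..."
_LINE = re.compile(r"^(\d+(?:\.\d+)?)\s+\d+\s+(\S+)\s+(\S+)")


def evaluate(lines, freq=SQUID_FREQ, timeframe=TIMEFRAME_SEC,
             ar_level=ACTIVE_RESPONSE_MIN_LEVEL):
    """Return (alerts, responses): alerts is a list of (rule, level, ip) per
    matched line; responses lists IPs for which firewall-drop would run."""
    hits = defaultdict(deque)          # ip -> timestamps of recent 5007 matches
    alerts, responses = [], []
    for line in lines:
        m = _LINE.match(line)
        if not m or m.group(3) != "TCP_DENIED/407":
            continue
        ts, ip = float(m.group(1)), m.group(2)
        rule, level = 5007, RULE_5007_LEVEL
        window = hits[ip]
        window.append(ts)
        while window and ts - window[0] > timeframe:   # drop hits older than 2 min
            window.popleft()
        if len(window) >= freq:                        # 8th hit inside the window
            rule, level = 5052, RULE_5052_LEVEL
            window.clear()                             # assumption: counter resets
        alerts.append((rule, level, ip))
        if level >= ar_level:                          # the <level> gate
            responses.append(ip)
    return alerts, responses


def sample_log(ip, count, start=1148388000.0, step=1.0):
    """Constructed access.log lines (not real data), one denial per `step` s."""
    return [f"{start + i * step:.3f} 12 {ip} TCP_DENIED/407 1234 GET "
            f"http://intranet.example/ - NONE/- text/html" for i in range(count)]


if __name__ == "__main__":
    burst = sample_log("10.0.0.5", 20)             # 20 denials in 20 s -> 2 x 5052
    slow = sample_log("10.0.0.9", 8, step=30.0)    # 8 denials over 210 s -> no 5052
    alerts, responses = evaluate(burst + slow)
    print(sum(r == 5052 for r, _, _ in alerts), "x 5052; firewall-drop for:", responses)
```

Lowering `ar_level` to 1, as Alberto tried, makes every 5007 alert trigger the response in this model, so if nothing reaches iptables at that setting the gate is not the bottleneck.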
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.