
[Ossec-list] No response from server to agent



Hi Alberto,

I don't know what may be your problem, but can you try the following
tests for me?

1- Look at /var/ossec/logs/alerts/2006/May/ossec-alerts-23.log
on your server and see if any alert is being generated when you
send a lot of the TCP_DENIED logs to the server. If the alerts are
being generated, then your authentication keys are correct.

2-Do you get the e-mail alerts for the multiple TCP_DENIED errors?

3-If you are not getting alerts, make sure of the following:
-there is no firewall between the server and the client.
-If there is a firewall, make sure to open port 1514 UDP.
-Remember that tcpdump reads before iptables. So even if you
can see on tcpdump, does not guarantee that the firewall is
allowing it.
-Make sure the server-ip on the agent is correct and that
you added the right agent IP on the server.
-If the firewall is not a problem, re-generate the authentication
keys using the manage_agents. Just go to the server, and
extract the keys from your agent. On your agent, paste this
key in the import option of the manage_agents.

4-If you are getting alerts, but the response is not being executed,
try the following (on your agent):

/var/ossec/active-response/bin/firewall-drop.sh add "null" 1.2.3.4

And see if the IP 1.2.3.4 is being added to the drop list on iptables.
You can also look at
/var/ossec/active-response/ossec-hids-responses.log
For the active response logs.

Let us know how these tests go...

Thanks,

--
Daniel B. Cid
dcid @ ( at ) ossec.net




On 5/23/06, alberto.avi at gmail.com <alberto.avi at gmail.com> wrote:
> Hi Ahmet,
>     thank you for the suggestion.
>
> ahmet ozturk wrote:
> > Hi Alberto,
> >
> > "TCP_DENIED/407" is matched with rule 5007 in squid rules,
> > and it's alert level is 5. However, in ossec.conf, it's defined
> > that the active-response is used if alert level >= 6. (Please see below
> > for the related configuration file part)
> > Btw, there's another rule (5052), which is fired if rule 5007 was fired
> > 8 times in 2 minutes for the same source IP address and it's alert
> > level is 10.
> >
> > I mean, if you just get "TCP_DENIED/407" once, ossec-hids will
> > generate an alert with level 5,
> > (5007) and default configuration won't use active-response because
> > it's configured for rules
> > with level >=6.
> > If you get the same "TCP_DENIED/407" for the same ip at least 8 times
> > in a 2 min. timeframe,
> > ossec-hids will generate an alert with level 10 (5052), and now
> > active-response will be used.
> In the Squid access.log I generate about 20-30 lines of TCP_DENIED/407
> for every test case that I'm running.
> In this situation the rule 5052 should be fired.
> > Now you have chance to change this behaviour:
> > * you may edit ossec.conf file, and decrease the level at which
> > active-response is used.
> >   (Please read docs/rules.txt in source directory for alert levels)
> > * you may also edit squid_rules.xml file and increase level for rule 5007
> > * and also you may change the SQUID_FREQ(=8) in rule 5052 in order to
> > decrease the
> >   required number of entries for the same source ip to fire this rule.
> >
> > related part
> > ----
> > <command>firewall-drop</command>
> > <location>defined-agent</location>
> > <agent_id>001</agent_id>
> > <level>6</level>                     <----change this------
> I tried <level>1</level> but no rule is loaded in iptables. :-(
> > <timeout>60</timeout>
> > </active-response>
> > ----
> >
> > I hope this helps.
> >
> > Regards,
> >
> > Ahmet Ozturk.
>
> Could be a certificate communication error between agent and server ?
> I tried to regenerate the certificate on server and import it in the
> agent without success.
>
> Thank you for your help.
>
> Alberto.
> _______________________________________________
> ossec-list mailing list
> ossec-list at ossec.net
> http://mailman.underlinux.com.br/mailman/listinfo/ossec-list
>

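As an added illustration of the threshold logic Ahmet describes above (rule 5007 at level 5 for a single TCP_DENIED/407, rule 5052 at level 10 once SQUID_FREQ=8 matches arrive from the same source IP within 2 minutes, active-response only at level >= 6), the following Python script is not part of this thread or of OSSEC itself. It replays constructed Squid access.log lines through a simplified per-IP sliding window and reports which source IPs would reach the active-response threshold. The sample lines, the epoch base, the exact window arithmetic and the "counter resets after the composite rule fires" behaviour are assumptions made for the example, not OSSEC's documented internals.

```python
import re
from collections import defaultdict, deque

# Values taken from the thread: rule 5007 (level 5) matches one
# TCP_DENIED/407; rule 5052 (level 10) fires after SQUID_FREQ=8 matches
# from one source IP in 2 minutes; active-response triggers at level >= 6.
RULE_5007_LEVEL = 5
RULE_5052_LEVEL = 10
SQUID_FREQ = 8
TIMEFRAME_SECONDS = 120
ACTIVE_RESPONSE_LEVEL = 6

# Squid native access.log layout: "time elapsed client code/status bytes ..."
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+)(?:\.\d+)?\s+\d+\s+(?P<src>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d+)\s"
)


def match_rule_5007(line):
    """Return (timestamp, srcip) if the line is a TCP_DENIED/407, else None."""
    m = SQUID_LINE.match(line)
    if not m or m.group("code") != "TCP_DENIED" or m.group("status") != "407":
        return None
    return int(m.group("ts")), m.group("src")


def correlate(lines):
    """Walk the log in order and emit (rule_id, level, srcip, timestamp)
    tuples, approximating the 5007 -> 5052 frequency escalation."""
    alerts = []
    window = defaultdict(deque)  # srcip -> timestamps of recent 5007 matches
    for line in lines:
        hit = match_rule_5007(line)
        if hit is None:
            continue
        ts, src = hit
        q = window[src]
        q.append(ts)
        # Drop matches older than the 2-minute timeframe.
        while q and ts - q[0] > TIMEFRAME_SECONDS:
            q.popleft()
        if len(q) >= SQUID_FREQ:
            alerts.append((5052, RULE_5052_LEVEL, src, ts))
            q.clear()  # assumption: counter restarts once the composite rule fires
        else:
            alerts.append((5007, RULE_5007_LEVEL, src, ts))
    return alerts


def active_response_targets(alerts, threshold=ACTIVE_RESPONSE_LEVEL):
    """Source IPs that would be handed to firewall-drop under <level>threshold</level>."""
    return sorted({src for _, level, src, _ in alerts if level >= threshold})


# ---- constructed sample data (not from the thread) --------------------------
def _squid_line(ts, src, code_status):
    """Build one constructed line in Squid's native access.log layout."""
    return (f"{ts}.000    12 {src} {code_status} 1820 GET "
            f"http://intranet.example/ - NONE/- text/html")


_BASE = 1148400000  # constructed epoch base, roughly May 2006

# 10.0.0.5: nine TCP_DENIED/407 lines spaced 10 s apart -> crosses SQUID_FREQ
SAMPLE_LOG = [_squid_line(_BASE + t, "10.0.0.5", "TCP_DENIED/407")
              for t in range(0, 90, 10)]
# 10.0.0.7: an allowed request, matches nothing
SAMPLE_LOG.append(_squid_line(_BASE + 5, "10.0.0.7", "TCP_MISS/200"))
# 10.0.0.9: eight denials in total, but never eight inside any 120 s window
SAMPLE_LOG += [_squid_line(_BASE + t, "10.0.0.9", "TCP_DENIED/407")
               for t in (0, 60, 120, 400, 460, 520, 580, 640)]
SAMPLE_LOG.sort()  # timestamps share a width, so string order is time order


if __name__ == "__main__":
    found = correlate(SAMPLE_LOG)
    for rule_id, level, src, ts in found:
        print(f"rule {rule_id} level {level} srcip {src} at {ts}")
    print("would be dropped at <level>6</level>:", active_response_targets(found))
    print("would be dropped at <level>1</level>:", active_response_targets(found, 1))
```

Running it with `threshold=1`, the value Alberto tried, shows that every single TCP_DENIED/407 line would then qualify for firewall-drop; if nothing appears in iptables even at that level, the rule correlation is not the bottleneck, and Daniel's checks on the agent keys, the server IP and port 1514/UDP are the right next step.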



OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.