[Ossec-list] No response from server to agent
- Subject: [Ossec-list] No response from server to agent
- From: alberto.avi at gmail.com (alberto.avi at gmail.com)
- Date: Fri, 26 May 2006 10:42:52 +0200
Hello Daniel,
I'm very happy to read your suggestions!
I see the light at the end of the tunnel.
Daniel Cid wrote:
> Hi Alberto,
>
> I think I know what is going on there... It's really a bug.
>
> -When ossec receives the logs, it will remove the date, so in the
> case of squid, it will remove up to the point of "1148464015.233"
>
> -After it removes the dates, it checks if the message is duplicated.
> However, when checking for the duplicates, we ignore the first
> word. We do this because in the case of a syslog message, it
> will have the process[pid] and the pid generally changes. It is
> useful for some cases (like ssh messages, where both the parent
> and child process log the same thing).
>
> -So in your case, we are only looking for:
>
> 10.182.35.253 TCP_DENIED/407 1726 GET http://www.google.com/ - NONE/- text/html
> 10.182.35.253 TCP_DENIED/407 1726 GET http://www.google.com/ - NONE/- text/html
> 10.182.35.253 TCP_DENIED/407 1726 GET http://www.google.com/ - NONE/- text/html
>
> Which are all the same, so ossec thinks they are duplicates and doesn't
> process them...
> If you try different requests (for different pages, for example), it will
> work.
>
I tried different requests and it works very well in this case.
This is an example of (a very nice) notification:
OSSEC HIDS Notification.
2006 May 26 10:30:35
Received From: (nabas.usinet.it) 10.182.35.249->/usr/local/prod/squid-2.5.STABLE12/var/logs/access.log
Rule: 5052 fired (level 10) -> "Multiple unauthorized attempts to use proxy."
Portion of the log(s):
118 10.182.35.253 TCP_DENIED/407 1714 GET http://www.ccc.it/ - NONE/- text/html
895 10.182.35.253 TCP_DENIED/407 1714 GET http://www.bbb.it/ - NONE/- text/html
559 10.182.35.253 TCP_DENIED/407 1714 GET http://www.aaa.it/ - NONE/- text/html
--END OF NOTIFICATION
> I will release a new patch version with this fix soon (including others).
>
> For now, you may want to go to:
> src/analysisd/analysisd.c
>
> And go to the line 611 and comment the following block:
>
> /*
> if(LastMsg_Stats(lf->log) == 1)
> goto CLMEM;
> else
> LastMsg_Change(lf->log);
> */
>
I modified the code and rebuilt the daemon, but the result is the same as
before.
In fact, if the requests to Squid are the same, the level 10 alert is
never fired.
I tried to look at the code but I'm not a programmer, sigh. :-(
> After that, go to src/analysisd and type "make" and then copy
> ossec-analysisd to /var/ossec/bin/ (on the server side).
>
> # cd src/analysisd
> # make
> # cp -pr ossec-analysisd /var/ossec/bin
> # /var/ossec/bin/ossec-control restart
>
> Let me know if it helps.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid at ossec.net
Thanks a lot for your help.
Alberto Avi.
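The mechanism Daniel describes above (strip the Squid timestamp, then treat a line as a duplicate when everything after its first word matches the previous message) is easy to reproduce outside OSSEC. The following is an added example written for this page, not code from the thread or from the OSSEC sources: it models the duplicate check against the immediately preceding message only (an assumption about LastMsg_Stats), feeds the survivors to a simple frequency rule that fires after 3 TCP_DENIED/407 responses from one client within 120 seconds (assumed values, not rule 5052's real ones), and runs it over constructed Squid access.log lines shaped like the ones in the notification.

```python
import re
from collections import defaultdict, deque

# Constructed sample Squid access.log lines (native format, not copied from the
# server in the thread).  Field order: timestamp elapsed-ms client action/status
# bytes method URL ident hierarchy/peer content-type.
SAME_REQUESTS = [
    "1148464015.233 118 10.182.35.253 TCP_DENIED/407 1726 GET http://www.google.com/ - NONE/- text/html",
    "1148464016.501 895 10.182.35.253 TCP_DENIED/407 1726 GET http://www.google.com/ - NONE/- text/html",
    "1148464017.872 559 10.182.35.253 TCP_DENIED/407 1726 GET http://www.google.com/ - NONE/- text/html",
]
DIFFERENT_REQUESTS = [
    "1148464015.233 118 10.182.35.253 TCP_DENIED/407 1714 GET http://www.ccc.it/ - NONE/- text/html",
    "1148464016.501 895 10.182.35.253 TCP_DENIED/407 1714 GET http://www.bbb.it/ - NONE/- text/html",
    "1148464017.872 559 10.182.35.253 TCP_DENIED/407 1714 GET http://www.aaa.it/ - NONE/- text/html",
]

TIMESTAMP_RE = re.compile(r"^(\d+\.\d+)\s+")


def decode(line):
    """Split off the Squid epoch timestamp; the remainder is what the rules see."""
    m = TIMESTAMP_RE.match(line)
    if not m:
        return None, line
    return float(m.group(1)), line[m.end():]


def dedup_key(body):
    """Drop the first word, as described for syslog's prog[pid].
    For a Squid line that word is the elapsed time, so the key is the
    client, status, size, method and URL, which repeat for identical requests."""
    parts = body.split(None, 1)
    return parts[1] if len(parts) == 2 else ""


def filter_repeats(lines, dedup=True):
    """Return (timestamp, body) pairs that survive the duplicate check.
    Assumption: only the immediately previous message is compared."""
    last_key = None
    kept = []
    for line in lines:
        ts, body = decode(line)
        key = dedup_key(body)
        if dedup and key == last_key:
            continue  # treated as a repeat of the previous message and dropped
        last_key = key
        kept.append((ts, body))
    return kept


def correlate_denied(events, threshold=3, timeframe=120):
    """Assumed frequency rule: fire when one client collects >= threshold
    TCP_DENIED/407 responses within timeframe seconds (sliding window)."""
    recent = defaultdict(deque)
    alerts = []
    for ts, body in events:
        fields = body.split()
        if len(fields) < 3 or not fields[2].startswith("TCP_DENIED/407"):
            continue
        client = fields[1]
        window = recent[client]
        window.append(ts)
        while window and ts - window[0] > timeframe:
            window.popleft()
        if len(window) >= threshold:
            alerts.append((client, len(window)))
            window.clear()  # one alert per burst, then start counting again
    return alerts


def analyse(lines, dedup=True):
    """Run the pipeline; returns (events passed to rules, alerts fired)."""
    events = filter_repeats(lines, dedup)
    return len(events), correlate_denied(events)


if __name__ == "__main__":
    print("same URL, dedup on :", analyse(SAME_REQUESTS))
    print("same URL, dedup off:", analyse(SAME_REQUESTS, dedup=False))
    print("different URLs     :", analyse(DIFFERENT_REQUESTS))
```

With the duplicate check on, the three identical denied requests collapse to a single event and the frequency rule never reaches its threshold, which is the symptom reported in this thread; with the check off, or with three distinct URLs, all three events reach the rule and it fires.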
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.