[Ossec-list] No response from server to agent
- Subject: [Ossec-list] No response from server to agent
- From: daniel.cid at gmail.com (Daniel Cid)
- Date: Fri, 26 May 2006 11:43:04 -0300
Hi Alberto,
Thanks for trying this. I will send a new package to you with these
fixes later today (maximum tomorrow). I'm just doing some final
testing before releasing it.
Thanks,
--
Daniel B. Cid
dcid @ ( at ) ossec.net
On 5/26/06, alberto.avi at gmail.com <alberto.avi at gmail.com> wrote:
> Hello Daniel,
> I'm very happy to read your suggestions!
> I see the light at the end of the tunnel.
>
> Daniel Cid wrote:
> > Hi Alberto,
> >
> > I think I know what is going on there... It's really a bug.
> >
> > -When ossec receives the logs, it will remove the date, so in the
> > case of squid, it will remove up to the point of "1148464015.233"
> >
> > -After it removes the dates, it checks if the message is duplicated.
> > However, when checking for the duplicates, we ignore the first
> > word. We do this because in the case of a syslog message, it
> > will have the process[pid] and the pid generally changes. It is
> > useful for some cases (like ssh messages, where both the parent
> > and child process log the same thing).
> >
> > -So in your case, we are only looking for:
> >
> > 10.182.35.253 TCP_DENIED/407 1726 GET http://www.google.com/ - NONE/-
> > text/html
> > 10.182.35.253 TCP_DENIED/407 1726 GET http://www.google.com/ - NONE/-
> > text/html
> > 10.182.35.253 TCP_DENIED/407 1726 GET http://www.google.com/ - NONE/-
> > text/html
> >
> > Which are all the same, so ossec thinks they are duplicates and doesn't
> > process them....
> > If you try different requests (for different pages for example), it will
> > work.
> >
> I tried different requests and it works very well in this case.
> This is an example of (a very nice) notification:
>
> OSSEC HIDS Notification.
> 2006 May 26 10:30:35
>
> Received From: (nabas.usinet.it) 10.182.35.249->/usr/local/prod/squid-2.5.STABLE12/var/logs/access.log
> Rule: 5052 fired (level 10) -> "Multiple unauthorized attempts to use proxy.'"
> Portion of the log(s):
>
> 118 10.182.35.253 TCP_DENIED/407 1714 GET http://www.ccc.it/ - NONE/- text/html
> 895 10.182.35.253 TCP_DENIED/407 1714 GET http://www.bbb.it/ - NONE/- text/html
> 559 10.182.35.253 TCP_DENIED/407 1714 GET http://www.aaa.it/ - NONE/- text/html
>
>
>
> --END OF NOTIFICATION
>
> > I will release a new patch version with this fix soon (including others).
> >
> > For now, you may want to go to:
> > src/analysisd/analysisd.c
> >
> > And go to the line 611 and comment the following block:
> >
> > /*
> > if(LastMsg_Stats(lf->log) == 1)
> > goto CLMEM;
> > else
> > LastMsg_Change(lf->log);
> > */
> >
> I modified the code and rebuilt the daemon but the result is the same as
> in the past.
> In fact if the requests to Squid are the same, the alert-level 10 is
> never fired.
> I tried to look at the code but I'm not a programmer, sigh. :-(
>
> > After that, go to src/analysisd and type "make" and then copy
> > ossec-analysisd to /var/ossec/bin/ (on the server side).
> >
> > # cd src/analysisd
> > # make
> > # cp -pr ossec-analysisd /var/ossec/bin
> > # /var/ossec/bin/ossec-control restart
> >
> > Let me know if it helps.
> >
> > Thanks,
> >
> > --
> > Daniel B. Cid
> > dcid @ ( at ) ossec.net
>
> Thanks a lot for your help.
>
> Alberto Avi.
>
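The duplicate check Daniel describes (strip the date, then compare everything after the first word against the previous message) is easy to model, and the model shows why identical squid requests collapse to one event while the same check still does what it was designed for on syslog's process[pid]. The following is an added illustration written for this archive page, not OSSEC's own analysisd code; the squid lines, timestamps and byte counts are constructed, the syslog pair is a constructed, already-decoded message, and the helper names are my own.

```python
import re
from typing import List, Optional

# Constructed squid access.log lines modelling the thread's scenario
# (timestamps and byte counts are made up).
REPEATED_REQUESTS = [
    "1148464015.233    118 10.182.35.253 TCP_DENIED/407 1726 GET http://www.google.com/ - NONE/- text/html",
    "1148464016.101    895 10.182.35.253 TCP_DENIED/407 1726 GET http://www.google.com/ - NONE/- text/html",
    "1148464017.412    559 10.182.35.253 TCP_DENIED/407 1726 GET http://www.google.com/ - NONE/- text/html",
]
DISTINCT_REQUESTS = [
    "1148464015.233    118 10.182.35.253 TCP_DENIED/407 1714 GET http://www.ccc.it/ - NONE/- text/html",
    "1148464016.101    895 10.182.35.253 TCP_DENIED/407 1714 GET http://www.bbb.it/ - NONE/- text/html",
    "1148464017.412    559 10.182.35.253 TCP_DENIED/407 1714 GET http://www.aaa.it/ - NONE/- text/html",
]
# Constructed syslog-style messages as the check would see them after date
# removal: parent and child sshd log the same text with different pids.
SSH_PAIR = [
    "sshd[1234]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "sshd[1235]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
]

# Squid's leading "epoch.millis" field followed by whitespace (assumed format).
SQUID_TS = re.compile(r"^\d{10}\.\d{3}\s+")


def strip_timestamp(line: str) -> str:
    """Step 1 from the mail: drop the date, i.e. everything up to and
    including the squid epoch timestamp. Lines without one are returned
    unchanged (the syslog samples above are already stripped)."""
    return SQUID_TS.sub("", line, count=1)


def dedup_key(msg: str, ignore_first_word: bool = True) -> str:
    """Step 2: the string that is compared with the previous message.
    Skipping the first word is meant for syslog's "process[pid]"; on a
    squid line the word skipped is the elapsed-ms field instead, so the
    remaining key is identical for repeated requests to the same URL."""
    if not ignore_first_word:
        return msg
    parts = msg.split(None, 1)
    return parts[1] if len(parts) == 2 else ""


def filter_duplicates(lines: List[str], ignore_first_word: bool = True) -> List[str]:
    """Return the messages that would go on to rule matching. A message
    whose key equals the previous message's key counts as a duplicate and
    is dropped, so it never contributes to a frequency rule such as 5052."""
    passed: List[str] = []
    last_key: Optional[str] = None
    for line in lines:
        msg = strip_timestamp(line)
        key = dedup_key(msg, ignore_first_word)
        if key == last_key:
            continue  # duplicate of the previous message: skipped
        last_key = key
        passed.append(msg)
    return passed


def denied_proxy_attempts(messages: List[str]) -> int:
    """Count the squid TCP_DENIED/407 messages that survived the filter,
    i.e. the events a 'multiple unauthorized attempts' rule could count."""
    return sum(1 for m in messages if "TCP_DENIED/407" in m)


if __name__ == "__main__":
    for name, lines in (("repeated", REPEATED_REQUESTS), ("distinct", DISTINCT_REQUESTS)):
        kept = filter_duplicates(lines)
        print(f"{name}: {len(lines)} lines in, {len(kept)} kept, "
              f"{denied_proxy_attempts(kept)} denied attempts countable")
    print("ssh pair with first-word skip:", len(filter_duplicates(SSH_PAIR)), "kept")
    print("ssh pair without first-word skip:", len(filter_duplicates(SSH_PAIR, False)), "kept")
```

Running it shows three identical google.com denials reduced to one countable event, the three different URLs kept intact, and the sshd parent/child pair collapsed to one, which is the behaviour the first-word skip was added for. Passing `ignore_first_word=False` lets the repeated squid requests through in this model because their elapsed-ms field differs; it only models the logic as described in the mail, not the result Alberto observed after commenting out the block.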
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.