
[Ossec-list] No response from server to agent



alberto.avi at gmail.com wrote:
> Hello Daniel,
>    I'm very happy to read your suggestions!
> I see the light at the end of the tunnel.
>
> Daniel Cid wrote:
>> Hi Alberto,
>>
>> I think I know what is going on there... It's really a bug.
>>
>> -When ossec receives the logs, it will remove the date, so in the
>> case of squid, it will remove up to the point of "1148464015.233"
>>
>> -After it removes the dates, it checks if the message is duplicated.
>> However, when checking for the duplicates, we ignore the first
>> word. We do this because in the case of a syslog message, it
>> will have the process[pid] and the pid generally changes. It is
>> useful for some cases (like ssh messages, where both the parent
>> and child process log the same thing).
>>
>> -So in your case, we are only looking for:
>>
>> 10.182.35.253 TCP_DENIED/407 1726 GET http://www.google.com/ - NONE/- text/html
>> 10.182.35.253 TCP_DENIED/407 1726 GET http://www.google.com/ - NONE/- text/html
>> 10.182.35.253 TCP_DENIED/407 1726 GET http://www.google.com/ - NONE/- text/html
>>
>> Which are all the same, so ossec thinks they are duplicates and doesn't
>> process them.
>> If you try different requests (for different pages for example), it will
>> work.
>>
> I tried different requests and it works very well in this case.
> This is an example of (a very nice) notification:
>
> OSSEC HIDS Notification.
> 2006 May 26 10:30:35
>
> Received From: (nabas.usinet.it) 10.182.35.249->/usr/local/prod/squid-2.5.STABLE12/var/logs/access.log
> Rule: 5052 fired (level 10) -> "Multiple unauthorized attempts to use proxy.'"
> Portion of the log(s):
>
> 118 10.182.35.253 TCP_DENIED/407 1714 GET http://www.ccc.it/ - NONE/- text/html
> 895 10.182.35.253 TCP_DENIED/407 1714 GET http://www.bbb.it/ - NONE/- text/html
> 559 10.182.35.253 TCP_DENIED/407 1714 GET http://www.aaa.it/ - NONE/- text/html
>
>
>
> --END OF NOTIFICATION
>
>> I will release a new patch version with this fix soon (including 
>> others).
>>
>> For now, you may want to go to:
>> src/analysisd/analysisd.c
>>
>> And go to the line 611 and comment the following block:
>>
>> /*
>>     if(LastMsg_Stats(lf->log) == 1)
>>         goto CLMEM;
>>     else
>>         LastMsg_Change(lf->log);
>> */
>>
> I modified the code and rebuilt the daemon, but the result is the same
> as in the past.
> In fact, if the requests to Squid are the same, the level 10 alert is
> never fired.
> I tried to look at the code, but I'm not a programmer, sigh. :-(
>
>> After that, go to src/analysisd and type "make" and then copy
>> ossec-analysisd to /var/ossec/bin/ (on the server side).
>>
>> # cd src/analysisd
>> # make
>> # cp -pr ossec-analysisd /var/ossec/bin
>> # /var/ossec/bin/ossec-control restart
>>
>> Let me know if it helps.
>>
>> Thanks,
>>
>> -- 
>> Daniel B. Cid
>> dcid @ ( at ) ossec.net
>
> Thanks a lot for your help.
>
> Alberto Avi.
>
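The duplicate check Daniel describes above (strip the date, then compare messages while ignoring the first word) is easy to lose detections to when the first word is the only field that varies, as with squid's elapsed-time column. The model below is an added example, not OSSEC code: it reproduces the two comparison strategies on constructed squid and syslog lines and shows which one silently drops the repeated TCP_DENIED/407 requests. The sample lines, the date-stripping regexes and the frequency threshold of 3 for the "multiple unauthorized attempts" rule are all assumptions made for this example; the page does not state the real rule's threshold.

```python
"""Model of the last-message duplicate suppression discussed in the thread.

Added illustration, not the OSSEC analysisd implementation. It strips the
timestamp from each line (as the decoders do), then applies one of three
policies before a frequency rule counts the event:
  - key_ignore_first_word : compare messages without their first token
  - key_full_message      : compare the whole date-stripped message
  - None                  : no duplicate suppression (the commented-out block)
"""
import re
from collections import deque

# Constructed sample lines (not from the thread's real logs). Squid access.log:
# "<epoch.ms> <elapsed-ms> <client> <code/status> <bytes> <method> <url> ..."
SQUID_REPEATED = [
    "1148464015.233    118 10.182.35.253 TCP_DENIED/407 1726 GET http://www.google.com/ - NONE/- text/html",
    "1148464016.101    895 10.182.35.253 TCP_DENIED/407 1726 GET http://www.google.com/ - NONE/- text/html",
    "1148464017.455    559 10.182.35.253 TCP_DENIED/407 1726 GET http://www.google.com/ - NONE/- text/html",
]
SQUID_DISTINCT = [
    "1148464020.010    118 10.182.35.253 TCP_DENIED/407 1714 GET http://www.ccc.it/ - NONE/- text/html",
    "1148464021.020    895 10.182.35.253 TCP_DENIED/407 1714 GET http://www.bbb.it/ - NONE/- text/html",
    "1148464022.030    559 10.182.35.253 TCP_DENIED/407 1714 GET http://www.aaa.it/ - NONE/- text/html",
]
# Constructed syslog lines: the case the first-word heuristic is meant for,
# where parent and child sshd log the same event under different pids.
SYSLOG_SSH = [
    "May 26 10:30:01 host sshd[4101]: Failed password for root from 10.0.0.9 port 51234 ssh2",
    "May 26 10:30:01 host sshd[4102]: Failed password for root from 10.0.0.9 port 51234 ssh2",
]

# Assumed date formats: squid epoch timestamp, or syslog "Mon DD HH:MM:SS host ".
DATE_PATTERNS = [
    re.compile(r"^\d{9,10}\.\d{3}\s+"),
    re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ "),
]

ALERT_THRESHOLD = 3  # assumed frequency for the proxy rule; not from the page


def strip_date(line):
    """Remove the leading timestamp (and syslog hostname) from a log line."""
    for pat in DATE_PATTERNS:
        stripped, n = pat.subn("", line, count=1)
        if n:
            return stripped
    return line


def key_ignore_first_word(msg):
    """Comparison key that drops the first whitespace-separated token."""
    parts = msg.split(None, 1)
    return parts[1] if len(parts) == 2 else msg


def key_full_message(msg):
    """Comparison key that uses the whole date-stripped message."""
    return msg


def run_dedup(lines, key_func, window=8):
    """Return (kept, dropped) after suppressing recently seen messages.

    key_func=None disables the check entirely, like commenting out the
    LastMsg_Stats block. 'window' is the assumed size of the recent-message
    memory; the real value is not given on the page.
    """
    recent = deque(maxlen=window)
    kept, dropped = [], []
    for line in lines:
        msg = strip_date(line)
        if key_func is not None:
            key = key_func(msg)
            if key in recent:
                dropped.append(line)
                continue
            recent.append(key)
        kept.append(line)
    return kept, dropped


def proxy_alert_fires(lines, key_func):
    """True if enough TCP_DENIED/407 events survive dedup to reach the threshold."""
    kept, _ = run_dedup(lines, key_func)
    denied = [l for l in kept if "TCP_DENIED/407" in l]
    return len(denied) >= ALERT_THRESHOLD


if __name__ == "__main__":
    policies = [("ignore first word", key_ignore_first_word),
                ("full message", key_full_message),
                ("dedup disabled", None)]
    for name, sample in [("squid, same URL", SQUID_REPEATED),
                         ("squid, different URLs", SQUID_DISTINCT),
                         ("sshd parent+child", SYSLOG_SSH)]:
        for pname, pfunc in policies:
            kept, dropped = run_dedup(sample, pfunc)
            print(f"{name:22s} {pname:18s} kept={len(kept)} dropped={len(dropped)}")
```

Running it shows the trade-off in one table: with the first-word rule the three identical squid denials collapse to one event and the proxy rule never reaches its threshold, while the same rule correctly merges the duplicated sshd lines; comparing full messages or disabling the check keeps all three squid events but also double-counts the sshd pair.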





OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.