Ahmet.

Um, actually, why would I need a Windows agent?  I'm not monitoring a 
Windows box, just using it to do tasks on an OSSEC_HIDS box, like 
upload files via sftp (again, using WinSCP3) or run commands via ssh 
(Putty).  That notwithstanding, I'll send along the conf and logs.  
I've done nothing special to the conf file, though, except whitelisted 
a few addresses.

Dimitri


On Wednesday August 09 2006 9:33 am, Ahmet Ozturk wrote:
> Hi again,
>
> I'll test windows agent at home tonight.
> Can you send us your ossec.conf file and related alert logs?
>
> Regards,
>
> Ahmet Ozturk.
>
> Dimitri Yioulos wrote:
> > Thanks, Ahmet.
> >
> > Might you have any idea why my WinXP box keeps getting blocked
> > when using the ssh and ftp tools, even though it's whitelisted?
> >
> > Dimitri
> >
> > On Wednesday August 09 2006 9:12 am, Ahmet Ozturk wrote:
> >> Hi Dimitri,
> >>
> >> OSSEC-HIDS configuration only accepts CIDRs /8 /16 /24 /32.
> >>
> >> Please see Rafael Capovilla's solution.
> >> (http://www.ossec.net/ossec-list/2006-August/msg00063.html)
> >>
> >> I think Meir Michanie will correct this issue soon.
> >>
> >> Since you have only two agent boxes, you may define them
> >> separately in config file like:
> >> <white_list>192.168.100.xx/32</white_list>
> >> <white_list>192.168.100.yyy/32</white_list>
> >>
> >> Regards,
> >>
> >> Ahmet Ozturk.
> >>
> >> Dimitri Yioulos wrote:
> >>> Hello list members.
> >>>
> >>> In order to use various tools on my OSSEC-HIDS server and agent
> >>> boxes, I've whitelisted my two desktop boxes - WinXP and
> >>> SimplyMepis Linux.
> >>>
> >>> From the Linux desktop, using cli ssh and sftp tools, I have no
> >>> trouble getting into the OSSEC-HIDS server or agents.  From the
> >>> Windows desktop, however, I keep getting added to hosts.deny
> >>> when using either Putty (ssh) or WinSCP3 (sftp).  I then have
> >>> to remove the entry for the WinXP desktop from hosts.deny and
> >>> restart the OSSEC-HIDS server (merely removing the entry from
> >>> hosts.deny doesn't work).  I have, as per instruction, added a
> >>> separate entry in ossec.conf for each LAN address I want to
> >>> whitelist.  Is this a possible bug, or am I doing something
> >>> wrong?
> >>>
> >>> I tried whitelisting my entire LAN by adding
> >>> <white_list>192.168.100.0/22</white_list>, but that didn't seem
> >>> to work.  If this isn't something I'm doing wrong, might I
> >>> suggest adding this ability in a future release?
> >>>
> >>> Regards,
> >>>
> >>> Dimitri

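Added example, not part of the thread and not OSSEC project code: a small Python helper that rewrites `<white_list>` entries such as the 192.168.100.0/22 one discussed above into equivalent entries using only the /8, /16, /24 and /32 prefixes that Ahmet's reply says the configuration accepts. The function names and the sample fragment are hypothetical, and the accepted-prefix list is taken from the thread rather than checked against any OSSEC release.

```python
import ipaddress
import re

# Prefix lengths the thread says OSSEC-HIDS accepted at the time (assumption
# taken from Ahmet's reply, not verified against any OSSEC release).
ACCEPTED_PREFIXES = (8, 16, 24, 32)

WHITE_LIST_RE = re.compile(r"<white_list>\s*([^<\s]+)\s*</white_list>")


def expand_cidr(cidr):
    """Split an IPv4 CIDR into equivalent networks with accepted prefixes."""
    # strict=True raises ValueError if host bits are set (e.g. 192.168.100.1/22),
    # so a mistyped network is reported instead of being silently widened.
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen in ACCEPTED_PREFIXES:
        return [net]
    target = min(p for p in ACCEPTED_PREFIXES if p > net.prefixlen)
    return list(net.subnets(new_prefix=target))


def rewrite_white_lists(conf_text):
    """Return (rewritten_conf, changed_entries) for an ossec.conf fragment."""
    changed = []

    def repl(match):
        entry = match.group(1)
        if "/" not in entry:
            return match.group(0)  # bare address: leave it untouched
        nets = expand_cidr(entry)
        if len(nets) == 1 and str(nets[0]) == entry:
            return match.group(0)  # already uses an accepted prefix
        changed.append(entry)
        return "\n".join(f"<white_list>{n}</white_list>" for n in nets)

    return WHITE_LIST_RE.sub(repl, conf_text), changed


# Constructed sample: the /22 entry from the thread plus one placeholder host.
SAMPLE_CONF = """\
<white_list>192.168.100.0/22</white_list>
<white_list>192.0.2.10/32</white_list>
"""

if __name__ == "__main__":
    new_conf, changed = rewrite_white_lists(SAMPLE_CONF)
    print("rewritten entries:", changed)
    print(new_conf)
```

Review the rewritten list before deploying it: every expanded entry exempts that range from active response, so the whitelist should stay as narrow as the hosts that actually need it.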