Hi Daniel,
 
Yes, I installed the latest snapshot on the server before the agents.
On the OSSEC server, I have this rule in the firewall:
iptables -A INPUT -p udp --dport 1514 --sport 1024:65535 -j ACCEPT
Do I need anything more?
 
For the problem related to ar.conf, I'm confused. See the error logs:
2006/09/14 14:53:30 ossec-syscheckd: Started (pid: 24459).
2006/09/14 14:53:30 ossec-analysisd: Connected to '/queue/alerts/ar' (active-response queue)
2006/09/14 14:53:30 ossec-analysisd: Connected to '/queue/alerts/execq' (exec queue)
2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/var/log/secure'.
2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/var/log/maillog'.
2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/usr/local/squid/var/logs/access.log'.
2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/var/log/apache/error_log'.
2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/var/log/apache/access_log'.
2006/09/14 14:53:33 ossec-logcollector: Started (pid: 24445).
2006/09/14 15:54:58 ossec-remoted: Error accessing file '/etc/shared/ar.conf'
I think this is the same problem as in my last question. The file /etc/shared/ar.conf doesn't exist; only /var/ossec/etc/shared/ar.conf exists (this file is created automatically when I start the OSSEC server).
 
Many thanks, best regards,
 
Amauri Tiago Marx
 
 
----- Original Message -----
From: "Daniel Cid" <[EMAIL PROTECTED]>
To: "Amauri Tiago Marx" <[EMAIL PROTECTED]>
Sent: Thursday, September 14, 2006 3:59 PM
Subject: Fwd: [ossec-list] Other problems

Hi Amauri,

Did you install the latest snapshot on the server? Whenever there is a new
version you should always update the server first and then the agents.
For your first agent, it looks like there is a firewall blocking the connections
to the server. Did you open port 1514 UDP in the firewall? The second
problem is also related to a connection issue. The server is the one
that sends the active responses to the client (file ar.conf), so if they
are not communicating correctly, this file is not going to be there...

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/14/06, Amauri Tiago Marx <[EMAIL PROTECTED]> wrote:
>
>
> Hello all (sorry for my English again),
>
> I downloaded the file
> http://www.ossec.net/files/snapshots/ossec-hids-060912.tar.gz
> and installed it,
> but now I have some more problems.
>
> I installed the server on a machine that has two interfaces (internal
> and external).
> When I install the agent on an external machine, it always shows the message
> "Waiting for server reply (not started)." as in the logs below:
>
> 2006/09/14 09:49:29 ossec-agentd: Connecting to server (200.xxx.xxx.13:1514).
> 2006/09/14 09:49:29 ossec-execd: Started (pid: 14194).
> 2006/09/14 09:49:31 ossec-syscheckd: Started (pid: 14203).
> 2006/09/14 09:49:35 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
> 2006/09/14 09:49:35 ossec-logcollector(1950): Analyzing file: '/var/log/secure'.
> 2006/09/14 09:49:35 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
> 2006/09/14 09:49:35 ossec-logcollector(1950): Analyzing file: '/var/log/xferlog'.
> 2006/09/14 09:49:35 ossec-logcollector(1950): Analyzing file: '/var/log/proftpd.log'.
> 2006/09/14 09:49:35 ossec-logcollector(1950): Analyzing file: '/var/log/radius.log'.
> 2006/09/14 09:49:35 ossec-logcollector(1950): Analyzing file: '/var/log/maillog'.
> 2006/09/14 09:49:35 ossec-logcollector(1950): Analyzing file: '/var/log/apache/error_log'.
> 2006/09/14 09:49:35 ossec-logcollector(1950): Analyzing file: '/var/log/apache/access_log'.
> 2006/09/14 09:49:35 ossec-logcollector: Started (pid: 14199).
> 2006/09/14 09:49:45 ossec-agentd(4101): Waiting for server reply (not started).
> 2006/09/14 09:50:01 ossec-agentd(4101): Waiting for server reply (not started).
> 2006/09/14 09:50:32 ossec-agentd(4101): Waiting for server reply (not started).
> 2006/09/14 09:51:18 ossec-agentd(4101): Waiting for server reply (not started).
> 2006/09/14 09:52:19 ossec-agentd(4101): Waiting for server reply (not started).
> 2006/09/14 09:53:35 ossec-agentd(4101): Waiting for server reply (not started).
> 2006/09/14 09:55:06 ossec-agentd(4101): Waiting for server reply (not started).
> 2006/09/14 09:56:52 ossec-agentd(4101): Waiting for server reply (not started).
> 2006/09/14 09:58:53 ossec-agentd(4101): Waiting for server reply (not started).
>
>
> When I install the agent on an internal machine, the server responds, but I
> simulated a brute force SSH attack and it doesn't work fine... the errors are
> described below (invalid command, and unable to open file (it doesn't exist in this
> folder))...
>
> 2006/09/14 09:51:54 ossec-agentd: Connecting to server (192.168.1.1:1514).
> 2006/09/14 09:51:56 ossec-syscheckd: Started (pid: 11609).
> 2006/09/14 09:52:00 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
> 2006/09/14 09:52:00 ossec-logcollector(1950): Analyzing file: '/var/log/secure'.
> 2006/09/14 09:52:00 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
> 2006/09/14 09:52:00 ossec-logcollector(1950): Analyzing file: '/var/log/xferlog'.
> 2006/09/14 09:52:00 ossec-logcollector(1950): Analyzing file: '/var/log/proftpd.log'.
> 2006/09/14 09:52:00 ossec-logcollector(1950): Analyzing file: '/var/log/maillog'.
> 2006/09/14 09:52:00 ossec-logcollector: Started (pid: 11608).
> 2006/09/14 09:52:09 ossec-agentd(4101): Waiting for server reply (not started).
> 2006/09/14 09:52:25 ossec-agentd(4101): Waiting for server reply (not started).
> 2006/09/14 09:52:42 ossec-agentd(4102): Connected to the server.
> 2006/09/14 09:52:42 ossec-agentd: Server unavailable. Setting lock.
> 2006/09/14 09:52:45 ossec-agentd: Server responded. Releasing lock.
> 2006/09/14 09:53:35 ossec-execd(1103): Unable to open file '/var/ossec/etc/shared/ar.conf'.
> 2006/09/14 09:53:35 ossec-execd(1311): Invalid command name 'host-deny600' provided.
> 2006/09/14 09:53:35 ossec-execd(1103): Unable to open file '/var/ossec/etc/shared/ar.conf'.
> 2006/09/14 09:53:35 ossec-execd(1311): Invalid command name 'firewall-drop600' provided.
>
> Any suggestion?
>
> Many thanks,
>
> -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
> Amauri Tiago Marx
> Coordenadoria de Tecnologia da Informação e Comunicação, Ctic
> Universidade do Oeste de Santa Catarina, Unoesc
> Campus de São Miguel do Oeste
> www.unoescsmo.edu.br
> -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
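A small log triage script, added here as an example and not part of the thread or of OSSEC itself, that parses ossec-agentd/ossec-execd lines in the format quoted above and separates the two failure modes discussed: an agent that never gets a server reply (UDP/1514 blocked) versus one that connects but has no ar.conf and so rejects the active-response command names. The message codes 4101, 4102, 1103 and 1311 are taken from the logs in the thread; the sample lines, the function names and the diagnosis strings are constructed.

```python
import re

# Constructed sample lines in the format quoted in the thread (not a real capture).
SAMPLE_AGENT_LOG = """\
2006/09/14 09:51:54 ossec-agentd: Connecting to server (192.168.1.1:1514).
2006/09/14 09:52:09 ossec-agentd(4101): Waiting for server reply (not started).
2006/09/14 09:52:25 ossec-agentd(4101): Waiting for server reply (not started).
2006/09/14 09:52:42 ossec-agentd(4102): Connected to the server.
2006/09/14 09:53:35 ossec-execd(1103): Unable to open file '/var/ossec/etc/shared/ar.conf'.
2006/09/14 09:53:35 ossec-execd(1311): Invalid command name 'host-deny600' provided.
"""
# date time daemon(optional numeric code): message
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<daemon>ossec-[a-z]+)"
                     r"(?:\((?P<code>\d+)\))?: (?P<msg>.*)$")

def parse_line(line):
    # Returns {'ts', 'daemon', 'code', 'msg'} or None for lines that do not match.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"]) if rec["code"] else None
    return rec

def triage(text):
    # Summarise connectivity and active-response state from agent log text.
    r = {"server": None, "waits": 0, "connected": False, "ar_conf_missing": False,
         "invalid_commands": [], "diagnosis": "ok"}
    for rec in filter(None, map(parse_line, text.splitlines())):
        msg = rec["msg"]
        if rec["daemon"] == "ossec-agentd":
            m = re.search(r"Connecting to server \(([^)]+)\)", msg)
            if m:
                r["server"] = m.group(1)
            elif rec["code"] == 4101:      # still waiting for a server reply
                r["waits"] += 1
            elif rec["code"] == 4102:      # handshake completed
                r["connected"] = True
        elif rec["daemon"] == "ossec-execd":
            if rec["code"] == 1103 and "ar.conf" in msg:
                r["ar_conf_missing"] = True   # server never pushed ar.conf
            elif rec["code"] == 1311:
                m = re.search(r"Invalid command name '([^']+)'", msg)
                if m:
                    r["invalid_commands"].append(m.group(1))
    if not r["connected"]:
        r["diagnosis"] = "no reply from %s: check UDP/1514 between agent and server" % r["server"]
    elif r["ar_conf_missing"] or r["invalid_commands"]:
        r["diagnosis"] = "connected, but ar.conf not received; active-response commands unknown"
    return r
```

Run `triage(open('/var/ossec/logs/ossec.log').read())` on an agent to get the same summary for a live log.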
