The only thing I can suggest is that you look at the alerts log in the wiki. If your alert log format is not there, append it and I can check more.

On 9/21/06, Leonardo Goldim <[EMAIL PROTECTED]> wrote:

Hey Meir,

I had installed ossim and it changed some things in my base, so I
downloaded the base source and installed it in another place.
I did these steps to install ossec-ui:
* mysqladmin create base -p
* mysql base -p < snort_tables.sql
* mysql base -p < ossec2base.sql
* mysql base -p < trunc_ossecbase.sql
* configure my new base to access the base db
* cat /opt/ossec/rules/*.xml | ossec2basetxt.pl -e -o /var/www/html/ossecbase/signatures/
* cat /opt/ossec/logs/alerts/2006/Jul/ossec-alerts-31.log | ossec2mysql.pl --interface manualfeed

After this I access the URL http://127.0.0.1/ossecbase/ but the problem
with signatures continues, look:
ID         Signature   Timestamp             Source Address   Dest. Address   Layer 4 Proto
#0-(1-1)   1           2006-07-31 10:41:33   0.0.0.0          10.0.0.9        IP


I don't know what I can do anymore ... do you have any suggestion?

But the good side is that the "problem" with dest. address and source
address appears to be OK.

--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
[EMAIL PROTECTED]

Intranetworks
Rua Marquês do Pombal 1710/805
Porto Alegre - RS - 90540-000
+55 51 3325-5700
+55 51 8415-8604



Meir Michanie wrote:
>
>
> On 9/19/06, Leonardo Goldim <[EMAIL PROTECTED]> wrote:
>
>
>     Hey Meir,
>
>     Do you have any suggestion for what I can do to correct my problem with
>     signatures?
>
>     After these fixes to ossec-ui, how do we have to import the signatures?
>     With ossec2base_sigs.pl or ossec2basetxt.pl?
>     In my case I used ossec2basetxt.pl ...
>
>
> ossec2base_sigs.pl is legacy.
> I will remove it from CVS.
> It doesn't hurt, but it is not needed.
