Daniel Cid wrote:
> Basically, every agent (and the server) keeps inside queue/rids a counter
> of all the messages sent and received. We do that to protect against
> replay attacks (someone copying the encrypted event and sending it
> over and over).

I suspected some kind of application-level session control, since UDP is used (something like a sequence number), but I didn't realize it was a protection against replay attacks. I had presumed that since OSSEC didn't use a challenge-response means to authenticate the agent and initiate a session key, it was pretty much vulnerable. Good to know.

> From your agent log, I see that it has saved the counter 8-9033, while
> the server is sending 0-6, which will be considered duplicated.
>
> Since you don't have any firewall in the middle and the connection
> looks good, I would suggest you do the following:
>
> -On every agent:
> -- stop ossec
> -- go to: /var/ossec/queue/rids (or ossec-agent/rids on Windows) and
> remove every file in there.
>
> -Go to the server:
> -- Stop ossec
> -- Remove every file under rids too.
>
> --Restart the server and the agents.

This worked. I'm back in action now. Thanks for your help.
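The counter check described in the quoted reply, as an added illustration that is not OSSEC's code and does not reproduce the on-disk format of queue/rids: each side stores, per peer, the highest message counter it has accepted, drops anything with a counter that is not greater than the stored value, and is therefore also stuck rejecting a peer whose counters restarted below the stored one until the stored state is removed. The state directory, the one-integer-per-peer file layout and the counter values walked through in `simulate()` are assumptions made for the example; the real OSSEC counters in the thread ("8-9033") are modelled here as a single integer.

```python
"""Counter-based replay protection, simplified (added example, not OSSEC code).

Assumed model: one file per peer in a state directory, holding the highest
counter accepted from that peer.  This imitates the idea behind queue/rids
only; OSSEC's actual file format is not reproduced.
"""
import os
import tempfile


class ReplayFilter:
    """Receive-side counter check with the stored value persisted to disk."""

    def __init__(self, state_dir: str):
        self.state_dir = state_dir
        os.makedirs(state_dir, exist_ok=True)

    def _path(self, peer_id: str) -> str:
        return os.path.join(self.state_dir, peer_id)

    def last_counter(self, peer_id: str) -> int:
        """Highest counter accepted from this peer, or -1 if nothing is stored."""
        try:
            with open(self._path(peer_id)) as fh:
                return int(fh.read().strip())
        except FileNotFoundError:
            return -1

    def store(self, peer_id: str, counter: int) -> None:
        """Persist the counter atomically (write to a temp file, then rename)."""
        tmp = self._path(peer_id) + ".tmp"
        with open(tmp, "w") as fh:
            fh.write(str(counter))
        os.replace(tmp, self._path(peer_id))

    def accept(self, peer_id: str, counter: int) -> bool:
        """True (and the stored counter advances) if the message is new;
        False if it is a replayed or duplicated message to be dropped."""
        if counter <= self.last_counter(peer_id):
            return False
        # Persist before processing, so a crash cannot reopen the replay window.
        self.store(peer_id, counter)
        return True

    def reset(self, peer_id: str) -> None:
        """Forget the stored counter: the analogue of removing the rids file."""
        try:
            os.remove(self._path(peer_id))
        except FileNotFoundError:
            pass


def simulate(state_dir: str) -> dict:
    """Walk through the situation from the thread with constructed counters."""
    f = ReplayFilter(state_dir)
    peer = "server"
    # Normal operation: counters 0..5 arrive in order and are all accepted.
    first_run = [f.accept(peer, n) for n in range(6)]
    # A captured copy of message 3 is sent again: rejected as a replay.
    replay = f.accept(peer, 3)
    # The stored counter is far ahead of what the peer now sends (constructed
    # to mirror "saved 8-9033, server sending 0-6"): every fresh message
    # from the peer is now mistaken for a duplicate.
    f.store(peer, 9033)
    stale = [f.accept(peer, n) for n in range(7)]
    # Removing the stored counter on this side resynchronises the two.
    f.reset(peer)
    after_reset = [f.accept(peer, n) for n in range(7)]
    return {
        "first_run": first_run,
        "replay": replay,
        "stale": stale,
        "after_reset": after_reset,
    }


def run_demo() -> dict:
    """Run the walkthrough in a throwaway state directory."""
    with tempfile.TemporaryDirectory() as d:
        return simulate(d)


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The "stale" step is the failure mode in the thread: nothing is wrong with the link or the key, the receiver simply refuses every counter below the one it remembers, which is why the fix is to clear the stored counters on both ends and restart rather than to change any network setting.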
