while running ossec server in debug 2
2013/05/23 19:11:58 ossec-remoted: INFO: Started (pid: 8938).
2013/05/23 19:11:58 ossec-remoted: Error accessing file '/etc/shared/ar.conf'
2013/05/23 19:11:58 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2013/05/23 19:11:58 ossec-remoted(1410): INFO: Reading authentication keys file.

Is it normal to look for ar.conf in /etc/shared/?

On Wednesday, May 22, 2013 12:10:17 PM UTC-8, cristian wrote:
> Hi,
>
> I have a problem with active response on ossec hids 2.7 stable release.
>
> [root@ossec1 etc]# /var/ossec/bin/manage_agents -V
> OSSEC HIDS v2.7 - Trend Micro Inc.
>
> [root@ossec1 etc]# /var/ossec/bin/agent_control -L
> OSSEC HIDS agent_control. Available active responses:
> No active response available.
>
> I had all working until I upgraded from 2.6 to 2.7; active response stopped working on agents.
>
> 2012/11/23 17:43:45 ossec-execd(1312): ERROR: Error executing '/var/ossec/active-response/bin/': Permission denied
> 2012/11/23 17:45:55 ossec-execd(1312): ERROR: Error executing '/var/ossec/active-response/bin/': Permission denied
>
> So I fixed the permission issue, then:
>
> 2013/05/16 15:16:11 ossec-execd(1311): ERROR: Invalid command name 'firewall-drop60' provided.
> 2013/05/16 15:16:41 ossec-execd(1311): ERROR: Invalid command name 'host-deny60' provided.
> 2013/05/16 15:16:41 ossec-execd(1311): ERROR: Invalid command name 'firewall-drop60' provided.
> 2013/05/16 15:17:11 ossec-execd(1311): ERROR: Invalid command name 'host-deny60' provided.
> 2013/05/16 15:17:11 ossec-execd(1311): ERROR: Invalid command name 'firewall-drop60' provided.
>
> The initial problem was that ar.conf on the agent was empty, so I had to copy the content of ar.conf from the ossec server to ar.conf on the agent.
>
> That fixed the problem with ossec on the agent and it was blocking the intruders while doing tests.
>
> Fri May 17 20:16:52 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 38.64.1x.xx 1368836216.1016824 6210
> Fri May 17 20:27:22 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 38.64.1x.xx 1368836216.1016824 6210
>
> I also had to clear the content of /var/ossec/etc/shared/merged.mg on the agent:
>
> cat /dev/null > /var/ossec/etc/shared/merged.mg
>
> Permissions for these 2 files on the agent (just for test I did chmod 777 ar.conf and chmod 777 merged.mg):
>
> -rwxrwx--- 1 root ossec 70186 May 15 13:53 merged.mg
> -rwxrwxrwx 1 root root 151 May 17 17:54 ar.conf
>
> And I've tried with the following permissions also:
>
> -rwxrwxrwx 1 ossec ossec 151 May 17 17:54 ar.conf
> -rwxrwx--- 1 ossec ossec 70186 May 15 13:53 merged.mg
>
> At this stage everything works fine, but when I make changes to ossec.conf on the server the issue re-appears.
>
> If I change the timeout value in
>
> <command>host-deny</command>
> <location>local</location>
> <level>6</level>
> <timeout>63</timeout>
> </active-response>
>
> the content of ar.conf changes on the server:
>
> [root@ossec1 etc]# more /var/ossec/etc/shared/ar.conf
> restart-ossec0 - restart-ossec.sh - 0
> restart-ossec0 - restart-ossec.cmd - 0
> host-deny63 - host-deny.sh - 63
> firewall-drop603 - firewall-drop.sh - 603
>
> I restarted the ossec server...
>
> ar.conf on the agent still shows:
>
> more /var/ossec/etc/shared/ar.conf
> restart-ossec0 - restart-ossec.sh - 0
> restart-ossec0 - restart-ossec.cmd - 0
> host-deny60 - host-deny.sh - 60
> firewall-drop600 - firewall-drop.sh - 600
>
> So I'm restarting the agent just to make sure...
>
> [root@h22 shared]# /etc/init.d/ossec restart
> Stopping OSSEC: [ OK ]
> Starting OSSEC: [ OK ]
> [root@h22 shared]# more /var/ossec/etc/shared/ar.conf
> restart-ossec0 - restart-ossec.sh - 0
> restart-ossec0 - restart-ossec.cmd - 0
> host-deny60 - host-deny.sh - 60
> firewall-drop600 - firewall-drop.sh - 600
>
> The ar.conf is not changed, and it will throw the following errors on the agent:
>
> [root@h22 shared]# tail -f /var/ossec/logs/ossec.log
> 2013/05/21 15:10:52 ossec-execd(1311): ERROR: Invalid command name 'host-deny63' provided.
> 2013/05/21 15:10:52 ossec-execd(1311): ERROR: Invalid command name 'firewall-drop603' provided.
> 2013/05/21 15:10:52 ossec-execd(1311): ERROR: Invalid command name 'host-deny63' provided.
> 2013/05/21 15:10:52 ossec-execd(1311): ERROR: Invalid command name 'firewall-drop603' provided.
> 2013/05/21 15:10:52 ossec-execd(1311): ERROR: Invalid command name 'host-deny63' provided.
> 2013/05/21 15:10:52 ossec-execd(1311): ERROR: Invalid command name 'firewall-drop603' provided.
> 2013/05/21 15:10:52 ossec-execd(1311): ERROR: Invalid command name 'host-deny63' provided.
> 2013/05/21 15:10:52 ossec-execd(1311): ERROR: Invalid command name 'firewall-drop603' provided.
> 2013/05/21 15:10:52 ossec-execd(1311): ERROR: Invalid command name 'host-deny63' provided.
> 2013/05/21 15:10:52 ossec-execd(1311): ERROR: Invalid command name 'firewall-drop603' provided.
>
> Now if I fix ar.conf on the agent by copying the content of ar.conf from the server, the agent will start working properly.
>
> The agent config contains active response set to yes:
>
> <ossec_config>
> <client>
> <server-ip>10.10.11.13</server-ip>
> </client>
>
> <active-response>
> <disabled>no</disabled>
> </active-response>
>
> Am I missing something?
>
> Regards,
>
> Cristian
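A small check for the mismatch described in the quoted thread, written as an added example (not OSSEC's own code): it parses the "name - script - timeout" lines of ar.conf exactly as they appear above, reports which server-side command names a stale agent copy would reject with "Invalid command name", and which scripts' timeouts have drifted between the two copies. The two listings are constructed from the ones quoted in the thread; the assumption that ossec-execd resolves the received name against its local ar.conf is what the thread's error lines show.

```python
import re

# Constructed from the server-side and stale agent-side listings quoted above.
SERVER_AR_CONF = """\
restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
host-deny63 - host-deny.sh - 63
firewall-drop603 - firewall-drop.sh - 603
"""
AGENT_AR_CONF = """\
restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
host-deny60 - host-deny.sh - 60
firewall-drop600 - firewall-drop.sh - 600
"""

# ar.conf line format as shown in the thread: name - script - timeout
LINE_RE = re.compile(r"^(\S+) - (\S+) - (\d+)$")


def parse_ar_conf(text):
    """Return {name: [(script, timeout), ...]}; raise on a malformed line
    so a truncated or hand-edited copy is noticed instead of silently ignored."""
    table = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("malformed ar.conf line: %r" % line)
        name, script, timeout = m.groups()
        table.setdefault(name, []).append((script, int(timeout)))
    return table


def stale_commands(server_text, agent_text):
    """Names the server will send that the agent's ar.conf does not list.

    ossec-execd resolves the received name against its local ar.conf, so
    each name returned here would log 'Invalid command name ... provided'."""
    server, agent = parse_ar_conf(server_text), parse_ar_conf(agent_text)
    return sorted(n for n in server if n not in agent)


def timeout_drift(server_text, agent_text):
    """{script: (server_timeout, agent_timeout)} where the two copies differ."""
    def by_script(table):
        return {s: t for entries in table.values() for s, t in entries}
    srv = by_script(parse_ar_conf(server_text))
    agt = by_script(parse_ar_conf(agent_text))
    return {s: (srv[s], agt[s]) for s in srv if s in agt and srv[s] != agt[s]}
```

Running `stale_commands(SERVER_AR_CONF, AGENT_AR_CONF)` on the thread's listings returns the two names that appear in the agent's error log, so the same check can be pointed at a real server/agent pair to confirm whether the shared copy has actually been refreshed.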