On Fri, Jan 16, 2015 at 3:22 AM, Yaniv Ron <[email protected]> wrote:
> Thanks, I have researched what you have suggested and if I understand
> correctly the configuration characteristics suggest not to use the OS
> reserved source ports (see configuration characteristics section):
> http://en.m.wikipedia.org/wiki/Ephemeral_port
>
> I have instructed our programmers to fix that in our code and also develop a
> verification mechanism that will prevent overlaps.
>
> I wish we would know where in the ossec code I could at least define the
> source port as well so I could tune it not to overlap as well.
>
> Do you think that someone from the community will be able to help find that
> source port configuration in the code? (If that of course makes sense?)
>
> Thanks for the help guys!
>

I spent 5 minutes looking into it yesterday, and I think the relevant
code would be in
https://github.com/ossec/ossec-hids/blob/master/src/os_net/os_net.c

I did not look into how hard it would be to add this feature, or what
other implications it would have.

>
> On Thursday, January 15, 2015, Wouter Clarie <[email protected]> wrote:
>>
>> (Assuming you're on Linux)
>>
>> Are you familiar with the following sysctl settings?
>>
>> net.ipv4.ip_local_port_range
>> net.ipv4.ip_local_reserved_ports
>>
>> Wouter
>>
>> On 15 Jan 2015, at 06:25, Yaniv Ron <[email protected]> wrote:
>>
>> See, when you are running OSSEC on a SIP server, for example, that has lots
>> of calls - obviously lots of these sockets will be used (every call uses
>> local ports).
>> Since we have lots of servers already up and running I do not want to
>> change the settings of the SIP on them.
>>
>> But I would like, however, to install the agents, only with the ability to
>> define the scope of source ports so they won't interfere...
>>
>>
>> On Thu, Jan 15, 2015 at 7:18 AM, Yaniv Ron <[email protected]> wrote:
>>>
>>> I have my application that listens on these ports on some of my
>>> servers...:/ it's causing our application lots of problems...
>>>
>>> On Wed, Jan 14, 2015 at 9:51 PM, David Lang <[email protected]> wrote:
>>>>
>>>> On Wed, 14 Jan 2015, Yaniv Ron wrote:
>>>>
>>>>> I am using 30000-60000 (source ports) on my servers, how can I change
>>>>> the source port that the agent is using?
>>>>
>>>>
>>>> Why are you wanting to change the source port?
>>>>
>>>> "well known ports" are destination ports, not source ports. Your browser
>>>> talks to a website on port 80, but it talks _from_ a random high port.
>>>>
>>>> This is the normal way that all software works.
>>>>
>>>> David Lang
>>>>
>>>>> On Wed, Jan 14, 2015 at 4:53 PM, dan (ddp) <[email protected]> wrote:
>>>>>
>>>>>> On Wed, Jan 14, 2015 at 3:32 AM, Yaniv Ron <[email protected]> wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>> I found that one of the agents was using a very strange UDP port :
>>>>>>>
>>>>>>> ossec-age  7055   ossec    7u     IPv4          437537314       0t0
>>>>>>> UDP 10.10.10.10:56594->ossec1
>>>>>>>
>>>>>>
>>>>>> 10.10.10.10 is the agent and ossec1 is the manager? If so, then 56594
>>>>>> is the source port chosen at random.
>>>>>>
>>>>>>> This server (as well as the rest of my agents) is behind a NAT.
>>>>>>> I tried to find information about ALL the ports that OSSEC agents use
>>>>>>> and I didn't find any reasonable information for that.
>>>>>>>
>>>>>>> I would like to disable my ossec-agents to use these unknown ports -
>>>>>>> can you please advise about the following:
>>>>>>>
>>>>>>> 1) why was this port in use? what is it?
>>>>>>> 2) how can I disable it
>>>>>>>
>>>>>>>  Thanks,
>>
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>
>
>
> --
> Yaniv Ron
> +972-3-7298582
> Security  Department | Viber S.a.r.l | www.viber.com | [email protected]
>
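Added example, not part of the original thread and not OSSEC code: a small shell check for the overlap discussed above, comparing the kernel's ephemeral source port range with the application range 30000-60000 from the thread and printing the net.ipv4.ip_local_reserved_ports setting that keeps automatic port assignment out of it. The function names, the ephemeral range 32768-60999 (a constructed sample value) and the 1024-port warning threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): compare the kernel's ephemeral source
# port range with an application's port range and print the sysctl remedy.

# overlap LO HI APP_LO APP_HI: print "START-END" of the shared ports, or nothing.
overlap() {
    o_lo=$1; o_hi=$2
    if [ "$3" -gt "$o_lo" ]; then o_lo=$3; fi
    if [ "$4" -lt "$o_hi" ]; then o_hi=$4; fi
    if [ "$o_lo" -le "$o_hi" ]; then echo "$o_lo-$o_hi"; fi
}

# remaining LO HI APP_LO APP_HI: ephemeral ports left once the overlap is reserved.
remaining() {
    r_ov=$(overlap "$1" "$2" "$3" "$4")
    r_total=$(( $2 - $1 + 1 ))
    if [ -z "$r_ov" ]; then echo "$r_total"; return 0; fi
    echo $(( $r_total - (${r_ov#*-} - ${r_ov%-*} + 1) ))
}

# report LO HI APP_LO APP_HI: readable result plus the command to apply.
# The sysctl command is only printed, never executed.
report() {
    ov=$(overlap "$1" "$2" "$3" "$4")
    if [ -z "$ov" ]; then
        echo "ephemeral range $1-$2 does not overlap application range $3-$4"
        return 0
    fi
    left=$(remaining "$1" "$2" "$3" "$4")
    echo "overlap: $ov (ephemeral $1-$2, application $3-$4)"
    echo "reserve it: sysctl -w net.ipv4.ip_local_reserved_ports=$ov"
    echo "ports left for outbound sockets: $left"
    if [ "$left" -lt 1024 ]; then   # threshold is an arbitrary example value
        echo "few ports left; consider moving net.ipv4.ip_local_port_range instead"
    fi
}

# Constructed sample: ephemeral range 32768-60999 against the thread's 30000-60000.
report 32768 60999 30000 60000
```

On a live host, pass the kernel's current values instead of the sample: `report $(cat /proc/sys/net/ipv4/ip_local_port_range) 30000 60000`.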