Awesome!
So should I dl the binary of 2.8.1, set the ports and then run make?

On Friday, January 16, 2015, dan (ddp) <[email protected]> wrote:

> On Fri, Jan 16, 2015 at 3:22 AM, Yaniv Ron <[email protected]> wrote:
> > Thanks, I have researched what you have suggested and if I understand
> > correctly the configuration characteristics suggest not to use the OS
> > reserved source ports (see configuration characteristics section):
> > http://en.m.wikipedia.org/wiki/Ephemeral_port
> >
> > I have instructed our programmers to fix that in our code and also develop a
> > verification mechanism that will prevent overlaps.
> >
> > I wish we would know where in the ossec code I could at least define the
> > source port as well so I could tune it not to overlap as well.
> >
> > Do you think that someone from the community will be able to help find that
> > source port configuration in the code? (If that of course makes sense?)
> >
> > Thanks for the help guys!
> >
>
> I spent 5 minutes to look into it yesterday, and I think the relevant
> code would be in
> https://github.com/ossec/ossec-hids/blob/master/src/os_net/os_net.c
>
> I did not look into how hard it would be to add this feature, or what
> other implications it would have.
>
> >
> > On Thursday, January 15, 2015, Wouter Clarie <[email protected]> wrote:
> >>
> >> (Assuming you're on Linux)
> >>
> >> Are you familiar with the following sysctl settings?
> >>
> >> net.ipv4.ip_local_port_range
> >> net.ipv4.ip_local_reserved_ports
> >>
> >> Wouter
> >>
> >> On 15 Jan 2015, at 06:25, Yaniv Ron <[email protected]> wrote:
> >>
> >> see when you are running OSSEC on a SIP server for example that has lots
> >> of calls - obviously lots of these sockets will be used (every call uses
> >> local ports).
> >> Since we have lots of servers already up and running I do not want to
> >> change the settings of the SIP on them.
> >>
> >> but I would like however to install the agents, only with the ability to
> >> define the scope of source ports so they won't interfere....
> >>
> >>
> >> On Thu, Jan 15, 2015 at 7:18 AM, Yaniv Ron <[email protected]> wrote:
> >>>
> >>> I have my application that listens on these ports on some of my
> >>> servers...:/ it's causing our application lots of problems...
> >>>
> >>> On Wed, Jan 14, 2015 at 9:51 PM, David Lang <[email protected]> wrote:
> >>>>
> >>>> On Wed, 14 Jan 2015, Yaniv Ron wrote:
> >>>>
> >>>>> I am using 30000-60000 (source ports) on my servers, how can I change
> >>>>> the source port that the agent is using ?
> >>>>
> >>>>
> >>>> Why are you wanting to change the source port?
> >>>>
> >>>> "well known ports" are destination ports, not source ports. Your browser
> >>>> talks to a website on port 80, but it talks _from_ a random high port.
> >>>>
> >>>> This is the normal way that all software works.
> >>>>
> >>>> David Lang
> >>>>
> >>>>> On Wed, Jan 14, 2015 at 4:53 PM, dan (ddp) <[email protected]> wrote:
> >>>>>
> >>>>>> On Wed, Jan 14, 2015 at 3:32 AM, Yaniv Ron <[email protected]> wrote:
> >>>>>>>
> >>>>>>> Hi,
> >>>>>>> I found that one of the agents was using a very strange UDP port :
> >>>>>>>
> >>>>>>> ossec-age  7055   ossec    7u     IPv4          437537314       0t0
> >>>>>>> UDP 10.10.10.10:56594->ossec1
> >>>>>>>
> >>>>>>
> >>>>>> 10.10.10.10 is the agent and ossec1 is the manager? If so, then 56594
> >>>>>> is the source port chosen at random.
> >>>>>>
> >>>>>>> This server (as well as the rest of my agents) is behind a NAT.
> >>>>>>> I tried to find information about ALL the ports that OSSEC agents use
> >>>>>>> and I didn't find any reasonable information for that.
> >>>>>>>
> >>>>>>> I would like to disable my ossec-agents to use these unknown ports -
> >>>>>>> can you please advise about the following :
> >>>>>>>
> >>>>>>> 1) why was this port in use ? what is it ?
> >>>>>>> 2) how can I disable it
> >>>>>>>
> >>>>>>>  Thanks,
> >>
> >>
> >> --
> >>
> >> ---
> >> You received this message because you are subscribed to the Google
> Groups
> >> "ossec-list" group.
> >> To unsubscribe from this group and stop receiving emails from it, send
> an
> >> email to [email protected].
> >> For more options, visit https://groups.google.com/d/optout.
> >
> >
> >
> > --
> > Yaniv Ron
> > +972-3-7298582
> > Security  Department | Viber S.a.r.l | www.viber.com | [email protected]
> >
>
>


-- 
*Yaniv Ron*
+972-3-7298582
*Security Department | Viber S.a.r.l* | www.viber.com | [email protected]
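
The source-port behaviour discussed in this thread, as an added example that is not part of the original messages and is not OSSEC code: a UDP client gets a kernel-chosen ephemeral source port unless it calls `bind()` before it first sends. The function names and the 61000-61010 range are assumptions, picked to sit outside the 30000-60000 range mentioned above.

```c
/* Added example, not OSSEC code: pin a UDP client's source port by calling
 * bind() before the first send/connect. The port range is a constructed value. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return the local (source) port the socket is bound to, or 0 on error. */
static unsigned local_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return 0;
    return ntohs(sa.sin_port);
}

/* Create a UDP socket whose source port lies in [lo, hi].
 * lo == hi == 0 asks the kernel for an ephemeral port (the default behaviour).
 * Returns the fd, or -1 if the range is invalid or every port in it is taken. */
static int udp_socket_with_source_range(unsigned lo, unsigned hi)
{
    if (lo > hi || hi > 65535) return -1;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa = {0};
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    for (unsigned p = lo; p <= hi; p++) {
        sa.sin_port = htons((unsigned short)p);
        if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) == 0)
            return fd;                 /* source port is now fixed */
        if (errno != EADDRINUSE && errno != EACCES)
            break;                     /* unexpected error: give up */
    }
    close(fd);
    return -1;
}

int main(void)
{
    int fd = udp_socket_with_source_range(61000, 61010);
    if (fd < 0) { perror("bind"); return 1; }
    printf("source port pinned to %u\n", local_port(fd));
    close(fd);
    return 0;
}
```

A port that another socket already holds is skipped, so the range has to be wide enough for every client on the host that uses it.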
