Will try, thanks a lot man! And I must say that I follow your replies, you guys do an amazing job! Wish you could work with me :)
Thanks a lot!

On Friday, January 16, 2015, dan (ddp) <[email protected]> wrote:

> On Fri, Jan 16, 2015 at 8:21 AM, Yaniv Ron <[email protected]> wrote:
> > Awesome!
> > So should I dl the binary of 2.8.1, set the ports and then run make?
> >
>
> You'll have to download the source, modify it, compile it, and install
> the resulting binaries.
> I'd recommend a lot of testing before pushing it out too, like I said
> I didn't look into any side effects.
>
> > On Friday, January 16, 2015, dan (ddp) <[email protected]> wrote:
> >>
> >> On Fri, Jan 16, 2015 at 3:22 AM, Yaniv Ron <[email protected]> wrote:
> >> > Thanks, I have researched about what you have suggested and if I
> >> > understand correctly the configuration characteristics suggests not
> >> > to use the OS reserved source ports (see configuration
> >> > characteristics section):
> >> > http://en.m.wikipedia.org/wiki/Ephemeral_port
> >> >
> >> > I have instructed our programmers to fix that on our code and also
> >> > develop a verification mechanism that will prevent overlaps.
> >> >
> >> > I wish we would know where in the ossec code I could at least define
> >> > the source port as well so I could tune it for not to overlap as well.
> >> >
> >> > Do you think that someone from the community will be able to help
> >> > find that source port configuration in the code? (If that of course
> >> > makes sense?)
> >> >
> >> > Thanks for the help guys!
> >> >
> >>
> >> I spent 5 minutes to look into it yesterday, and I think the relevant
> >> code would be in
> >> https://github.com/ossec/ossec-hids/blob/master/src/os_net/os_net.c
> >>
> >> I did not look into how hard it would be to add this feature, or what
> >> other implications it would have.
> >>
> >> >
> >> > On Thursday, January 15, 2015, Wouter Clarie <[email protected]> wrote:
> >> >>
> >> >> (Assuming you're on Linux)
> >> >>
> >> >> Are you familiar with the following sysctl settings?
> >> >>
> >> >> net.ipv4.ip_local_port_range
> >> >> net.ipv4.ip_local_reserved_ports
> >> >>
> >> >> Wouter
> >> >>
> >> >> On 15 Jan 2015, at 06:25, Yaniv Ron <[email protected]> wrote:
> >> >>
> >> >> see when you are running OSSEC on a SIP server for example that has
> >> >> lots of calls - obviously lots of these sockets will be used (every
> >> >> call uses local ports).
> >> >> Since we have lots of servers already up and running I do not want to
> >> >> change the settings of the SIP on them.
> >> >>
> >> >> but I would like however to install the agents, only with the ability
> >> >> to define the scope of source ports so they won't interfere....
> >> >>
> >> >>
> >> >> On Thu, Jan 15, 2015 at 7:18 AM, Yaniv Ron <[email protected]> wrote:
> >> >>>
> >> >>> I have my application that listens on these ports on some of my
> >> >>> servers...:/ it's causing our application lots of problems...
> >> >>>
> >> >>> On Wed, Jan 14, 2015 at 9:51 PM, David Lang <[email protected]> wrote:
> >> >>>>
> >> >>>> On Wed, 14 Jan 2015, Yaniv Ron wrote:
> >> >>>>
> >> >>>>> I am using 30000-60000 (source ports) on my servers, how can I
> >> >>>>> change the source port that the agent is using?
> >> >>>>
> >> >>>>
> >> >>>> Why are you wanting to change the source port?
> >> >>>>
> >> >>>> "well known ports" are destination ports, not source ports. Your
> >> >>>> browser talks to a website on port 80, but it talks _from_ a random
> >> >>>> high port.
> >> >>>>
> >> >>>> This is the normal way that all software works.
> >> >>>>
> >> >>>> David Lang
> >> >>>>
> >> >>>>> On Wed, Jan 14, 2015 at 4:53 PM, dan (ddp) <[email protected]> wrote:
> >> >>>>>
> >> >>>>>> On Wed, Jan 14, 2015 at 3:32 AM, Yaniv Ron <[email protected]> wrote:
> >> >>>>>>>
> >> >>>>>>> Hi,
> >> >>>>>>> I found that one of the agents was using a very strange UDP port:
> >> >>>>>>>
> >> >>>>>>> ossec-age 7055 ossec 7u IPv4 437537314 0t0 UDP 10.10.10.10:56594->ossec1
> >> >>>>>>>
> >> >>>>>>
> >> >>>>>> 10.10.10.10 is the agent and ossec1 is the manager? If so, then
> >> >>>>>> 56594 is the source port chosen at random.
> >> >>>>>>
> >> >>>>>>> This server (as well as the rest of my agents) is behind a NAT.
> >> >>>>>>> I tried to find information about ALL the ports that OSSEC agents
> >> >>>>>>> use and I didn't find any reasonable information for that.
> >> >>>>>>>
> >> >>>>>>> I would like to disable my ossec-agents to use these unknown
> >> >>>>>>> ports - can you please advise about the following:
> >> >>>>>>>
> >> >>>>>>> 1) why was this port in use? what is it?
> >> >>>>>>> 2) how can I disable it
> >> >>>>>>>
> >> >>>>>>> Thanks,
> >> >>
> >> >>
> >> >> --
> >> >>
> >> >> ---
> >> >> You received this message because you are subscribed to the Google
> >> >> Groups "ossec-list" group.
> >> >> To unsubscribe from this group and stop receiving emails from it,
> >> >> send an email to [email protected].
> >> >> For more options, visit https://groups.google.com/d/optout.
> >> >
> >> >
> >> > --
> >> > Yaniv Ron
> >> > +972-3-7298582
> >> > Security Department | Viber S.a.r.l | www.viber.com | [email protected]
> >
> >
> > --
> > Yaniv Ron
> > +972-3-7298582
> > Security Department | Viber S.a.r.l | www.viber.com | [email protected]

--
*Yaniv Ron*
+972-3-7298582
*Security Department | Viber S.a.r.l* | www.viber.com | yron@viber <http://twitter.com/viber>.com
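
The overlap check discussed in the thread, as an added example that is not part of any message above and is not OSSEC code: it takes the contents of the two sysctl settings Wouter names and reports which part of the application's 30000-60000 range the kernel can still hand out as a random source port, the `net.ipv4.ip_local_reserved_ports` value that would close the gap, and how many ephemeral ports would remain. The function names and the sample sysctl values are assumptions constructed for illustration.

```python
# Added example: sysctl values below are constructed, not read from a live host.

def parse_ranges(text):
    """Parse ip_local_reserved_ports syntax, e.g. '8080,30000-40000'."""
    ranges = []
    for item in filter(None, (p.strip() for p in text.split(","))):
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range: {item!r}")
        ranges.append((lo, hi))
    return merge(ranges)

def merge(ranges):
    """Sort ranges and join the ones that overlap or touch."""
    out = []
    for lo, hi in sorted(ranges):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out

def exposed(app, local, reserved):
    """Parts of the app range the kernel can still pick as a source port."""
    lo, hi = max(app[0], local[0]), min(app[1], local[1])
    gaps, cursor = [], lo
    for r_lo, r_hi in merge(reserved):
        if r_hi < cursor or r_lo > hi:
            continue  # reservation lies outside what is left to check
        if r_lo > cursor:
            gaps.append((cursor, r_lo - 1))
        cursor = r_hi + 1
    if cursor <= hi:
        gaps.append((cursor, hi))
    return gaps

def plan(app, local_text, reserved_text):
    """Return (exposed ranges, new reserved setting, ephemeral ports left)."""
    lo, hi = map(int, local_text.split())  # ip_local_port_range: "low high"
    reserved = parse_ranges(reserved_text)
    gaps = exposed(app, (lo, hi), reserved)
    new = merge(reserved + gaps)
    left = (hi - lo + 1) - sum(min(b, hi) - max(a, lo) + 1
                               for a, b in new if b >= lo and a <= hi)
    setting = ",".join(f"{a}-{b}" if a != b else str(a) for a, b in new)
    return gaps, setting, left

if __name__ == "__main__":
    APP = (30000, 60000)  # application range quoted in the thread
    print(plan(APP, "32768\t60999", ""))  # constructed sample: range and no reservations
    print(plan(APP, "61000 65535", ""))   # constructed: ephemeral range moved clear
```

Reserved ports are only skipped during automatic port assignment, so the application can still bind them explicitly; a small "ports left" figure means the host can run short of source ports for everything else, in which case moving `net.ipv4.ip_local_port_range` is the better fit.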
