For those that might come across the same issue - I was actually able to 
resolve this.

I noticed that the STORE now was being sent before the ssh banner was 
displayed and this was capturing the last login timestamp. 

So on my first attempt I changed my spawn to

spawn ssh -q $hostname

This was OK for most of the servers, however some were still showing mixed 
outputs. The STORE now was still being shown at different output stages 
when a banner and motd are used. This seemed random - so I guessed that the 
terminal was responding at different speeds to the spawn session.

Adding a sleep immediately after the spawn resolved this.
spawn ssh -q $hostname
sleep 2

Here is the full ssh_generic_diff script with the simple changes: 

# Main script
source "agentless/main.exp"

# SSH to the box and pass the directories to check
if [catch {
    spawn ssh -q $hostname
    sleep 2
} loc_error] {
    send_user "ERROR: Opening connection: $loc_error.\n"
    exit 1;
}

source $sshsrc
source $susrc

set timeout 300
send_user "INFO: Starting.\n"
send_user "\nSTORE: now\n"
send "$args\r"
send "exit\r"

expect {
    timeout {
        send_user "ERROR: Timeout while running commands on host: $hostname .\n"
        exit 1;
    }
    eof {
        send_user "\nINFO: Finished.\n"
        exit 0;
    }
}

exit 0;


On Monday, 4 June 2018 20:12:31 UTC+1, Mike wrote:
>
>
> Can anyone advise me on how to stop ssh_generic_diff from processing the 
> lastlogin banner? 
>
> ossec: agentless: Change detected:
> 3c3
> < Last login: Mon Jun  4 17:40:43 2018 from 192.168.10.2
> ---
> > Last login: Mon Jun  4 19:02:20 2018 from 192.168.10.2
>
> Why does ssh_generic_diff process the login banner instead of only the 
> command I pass as an argument? 
>
> Thanks. 
>
>
>
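
The following is an added illustration, not part of the original post and not OSSEC's own code: a simplified Python model of why the alert quoted above fires when the banner lands after the "STORE: now" marker. It assumes only the text following the marker is kept for diffing; the function names and the file-listing line are constructed.

```python
from difflib import SequenceMatcher

MARKER = "STORE: now"  # marker the script in this post emits with send_user

def stored_part(session_output):
    """Assumed model: only non-empty lines after the marker are kept for diffing."""
    lines = session_output.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == MARKER:
            return [l for l in lines[i + 1:] if l.strip()]
    return []

def changed_lines(old_session, new_session):
    """Report differing stored lines in the '<' / '>' style of the quoted alert."""
    old, new = stored_part(old_session), stored_part(new_session)
    out = []
    for tag, i1, i2, j1, j2 in SequenceMatcher(None, old, new).get_opcodes():
        if tag != "equal":
            out += ["< " + l for l in old[i1:i2]] + ["> " + l for l in new[j1:j2]]
    return out

def build_session(login_time, banner_after_marker):
    """Constructed session text; the command output line is made up."""
    banner = f"Last login: {login_time} from 192.168.10.2"
    head = ["INFO: Starting.", "", MARKER]
    tail = ["-rw-r--r-- 1 root root 1024 /etc/example.conf", "", "INFO: Finished."]
    if banner_after_marker:
        # Race: the marker is printed before the banner has arrived.
        return "\n".join(head + [banner] + tail)
    # Banner fully printed before the marker, so it is never stored.
    return "\n".join([banner] + head + tail)

T1, T2 = "Mon Jun  4 17:40:43 2018", "Mon Jun  4 19:02:20 2018"

if __name__ == "__main__":
    # Two runs with unchanged command output but a new login timestamp.
    print(changed_lines(build_session(T1, True), build_session(T2, True)))
    print(changed_lines(build_session(T1, False), build_session(T2, False)))
```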
