[ossec-list] Re: Solaris Compilation - Visibility

2016-07-19 Thread Kumar G
We are on these versions in Solaris.

SunOS testlab 5.10 Generic_150400-34 sun4v sparc SUNW,T5240

/usr/sfw/bin/gcc -v

Reading specs from /usr/sfw/lib/gcc/sparc-sun-solaris2.10/3.4.3/specs

Configured with:
/sfw10/builds/build/sfw10-patch/usr/src/cmd/gcc/gcc-3.4.3/configure
--prefix=/usr/sfw --with-as=/usr/ccs/bin/as --without-gnu-as
--with-ld=/usr/ccs/bin/ld --without-gnu-ld --enable-languages=c,c++
--enable-shared

Thread model: posix

gcc version 3.4.3 (csl-sol210-3_4-branch+sol_rpath)

On Wednesday, 20 July 2016, Eero Volotinen wrote:

> what is your solaris version, platform and gcc version?
>
> this might be related to zlib..
>
> Eero
>
> 2016-07-19 22:28 GMT+03:00 Kumar Mg:
>
>> Hi,
>>
>> We also have the agent compilation issue on the Solaris platform with the
>> 2.8.3 version of the code. How can we fix the "Checking for
>> attribute(visibility) support... No"?
>>
>> For the time being we updated the lua* conf to remove the warning
>> message; however, the warnings below are still showing up.
>>
>>
>> *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***
>> cd zlib-1.2.8/; ./configure; make libz.a;
>> Checking for shared library support...
>> Building shared library libz.so.1.2.8 with /usr/sfw/bin/gcc.
>> Checking for off64_t... Yes.
>> Checking for fseeko... Yes.
>> Checking for strerror... Yes.
>> Checking for unistd.h... Yes.
>> Checking for stdarg.h... Yes.
>> Checking whether to use vs[n]printf() or s[n]printf()... using
>> vs[n]printf().
>> Checking for vsnprintf() in stdio.h... Yes.
>> Checking for return value of vsnprintf()... Yes.
>> Checking for attribute(visibility) support... No.
>>
>>
>>
>> *** Making monitord ***
>>
>> /usr/sfw/bin/gcc -g -Wall -I../ -I../headers  -DCLIENT -DUSE_OPENSSL
>> -DSOLARIS -DHIGHFIRST  -DARGV0=\"ossec-monitord\" -DOSSECHIDS -lsocket
>> -lnsl -lresolv compress_log.c main.c manage_files.c monitor_agents.c
>> monitord.c sign_log.c generate_reports.c ../os_maild/sendcustomemail.c
>> ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a
>> ../os_regex/os_regex.a ../os_xml/os_xml.a ../os_crypto/os_crypto.a
>> ../os_zlib/os_zlib.c ../external/libz.a -o ossec-monitord
>> generate_reports.c: In function `generate_reports':
>> generate_reports.c:59: warning: int format, pid_t arg (arg 4)
>> /usr/sfw/bin/gcc -g -Wall -I../ -I../headers  -DCLIENT -DUSE_OPENSSL
>> -DSOLARIS -DHIGHFIRST  -DARGV0=\"ossec-monitord\" -DOSSECHIDS -lsocket
>> -lnsl -lresolv -UARGV0 -DARGV0=\"ossec-reportd\" report.c
>> ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a
>> ../os_regex/os_regex.a ../os_xml/os_xml.a ../os_crypto/os_crypto.a
>> ../os_zlib/os_zlib.c ../external/libz.a -o ossec-reportd
>>
>>
>> *** Making os_auth ***
>>
>> /usr/sfw/bin/gcc -g -Wall -I../ -I../headers  -DCLIENT -DUSE_OPENSSL
>> -DSOLARIS -DHIGHFIRST  -DARGV0=\"ossec-authd\" -DOSSECHIDS -lsocket
>> -lnsl -lresolv main-server.c ssl.c ../addagent/validate.c
>> ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a
>> ../os_regex/os_regex.a ../os_crypto/os_crypto.a ../os_zlib/os_zlib.c
>> ../external/libz.a -lssl -lcrypto -o ossec-authd
>> main-server.c: In function `ssl_error':
>> main-server.c:53: warning: passing arg 1 of `SSL_get_error' discards
>> qualifiers from pointer target type
>> /usr/sfw/bin/gcc -g -Wall -I../ -I../headers  -DCLIENT -DUSE_OPENSSL
>> -DSOLARIS -DHIGHFIRST  -DARGV0=\"ossec-authd\" -DOSSECHIDS -lsocket
>> -lnsl -lresolv main-client.c ssl.c ../addagent/validate.c
>> ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a
>> ../os_regex/os_regex.a ../os_crypto/os_crypto.a ../os_zlib/os_zlib.c
>> ../external/libz.a -lssl -lcrypto -o agent-auth
>>
>>
>>
>> If anyone can shed some light on this, that would be great.
>>
>>
>> Thanks
>> Kumar

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Solaris Compilation - Visibility

2016-07-19 Thread Eero Volotinen
what is your solaris version, platform and gcc version?

this might be related to zlib..

Eero

2016-07-19 22:28 GMT+03:00 Kumar Mg:

> Hi,
>
> We also have the agent compilation issue on the Solaris platform with the
> 2.8.3 version of the code. How can we fix the "Checking for
> attribute(visibility) support... No"?
>
> For the time being we updated the lua* conf to remove the warning
> message; however, the warnings below are still showing up.
>
>
> *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***
> cd zlib-1.2.8/; ./configure; make libz.a;
> Checking for shared library support...
> Building shared library libz.so.1.2.8 with /usr/sfw/bin/gcc.
> Checking for off64_t... Yes.
> Checking for fseeko... Yes.
> Checking for strerror... Yes.
> Checking for unistd.h... Yes.
> Checking for stdarg.h... Yes.
> Checking whether to use vs[n]printf() or s[n]printf()... using
> vs[n]printf().
> Checking for vsnprintf() in stdio.h... Yes.
> Checking for return value of vsnprintf()... Yes.
> Checking for attribute(visibility) support... No.
>
>
>
> *** Making monitord ***
>
> /usr/sfw/bin/gcc -g -Wall -I../ -I../headers  -DCLIENT -DUSE_OPENSSL
> -DSOLARIS -DHIGHFIRST  -DARGV0=\"ossec-monitord\" -DOSSECHIDS -lsocket
> -lnsl -lresolv compress_log.c main.c manage_files.c monitor_agents.c
> monitord.c sign_log.c generate_reports.c ../os_maild/sendcustomemail.c
> ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a
> ../os_regex/os_regex.a ../os_xml/os_xml.a ../os_crypto/os_crypto.a
> ../os_zlib/os_zlib.c ../external/libz.a -o ossec-monitord
> generate_reports.c: In function `generate_reports':
> generate_reports.c:59: warning: int format, pid_t arg (arg 4)
> /usr/sfw/bin/gcc -g -Wall -I../ -I../headers  -DCLIENT -DUSE_OPENSSL
> -DSOLARIS -DHIGHFIRST  -DARGV0=\"ossec-monitord\" -DOSSECHIDS -lsocket
> -lnsl -lresolv -UARGV0 -DARGV0=\"ossec-reportd\" report.c
> ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a
> ../os_regex/os_regex.a ../os_xml/os_xml.a ../os_crypto/os_crypto.a
> ../os_zlib/os_zlib.c ../external/libz.a -o ossec-reportd
>
>
> *** Making os_auth ***
>
> /usr/sfw/bin/gcc -g -Wall -I../ -I../headers  -DCLIENT -DUSE_OPENSSL
> -DSOLARIS -DHIGHFIRST  -DARGV0=\"ossec-authd\" -DOSSECHIDS -lsocket
> -lnsl -lresolv main-server.c ssl.c ../addagent/validate.c
> ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a
> ../os_regex/os_regex.a ../os_crypto/os_crypto.a ../os_zlib/os_zlib.c
> ../external/libz.a -lssl -lcrypto -o ossec-authd
> main-server.c: In function `ssl_error':
> main-server.c:53: warning: passing arg 1 of `SSL_get_error' discards
> qualifiers from pointer target type
> /usr/sfw/bin/gcc -g -Wall -I../ -I../headers  -DCLIENT -DUSE_OPENSSL
> -DSOLARIS -DHIGHFIRST  -DARGV0=\"ossec-authd\" -DOSSECHIDS -lsocket
> -lnsl -lresolv main-client.c ssl.c ../addagent/validate.c
> ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a
> ../os_regex/os_regex.a ../os_crypto/os_crypto.a ../os_zlib/os_zlib.c
> ../external/libz.a -lssl -lcrypto -o agent-auth
>
>
>
> If anyone can shed some light on this, that would be great.
>
>
> Thanks
> Kumar



[ossec-list] Solaris Compilation - Visibility

2016-07-19 Thread Kumar Mg
Hi,

We also have the agent compilation issue on the Solaris platform with the
2.8.3 version of the code. How can we fix the "Checking for
attribute(visibility) support... No"?

For the time being we updated the lua* conf to remove the warning
message; however, the warnings below are still showing up.


*** Making zlib (by Jean-loup Gailly and Mark Adler)  ***
cd zlib-1.2.8/; ./configure; make libz.a;
Checking for shared library support...
Building shared library libz.so.1.2.8 with /usr/sfw/bin/gcc.
Checking for off64_t... Yes.
Checking for fseeko... Yes.
Checking for strerror... Yes.
Checking for unistd.h... Yes.
Checking for stdarg.h... Yes.
Checking whether to use vs[n]printf() or s[n]printf()... using
vs[n]printf().
Checking for vsnprintf() in stdio.h... Yes.
Checking for return value of vsnprintf()... Yes.
Checking for attribute(visibility) support... No.



*** Making monitord ***

/usr/sfw/bin/gcc -g -Wall -I../ -I../headers  -DCLIENT -DUSE_OPENSSL
-DSOLARIS -DHIGHFIRST  -DARGV0=\"ossec-monitord\" -DOSSECHIDS -lsocket
-lnsl -lresolv compress_log.c main.c manage_files.c monitor_agents.c
monitord.c sign_log.c generate_reports.c ../os_maild/sendcustomemail.c
../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a
../os_regex/os_regex.a ../os_xml/os_xml.a ../os_crypto/os_crypto.a
../os_zlib/os_zlib.c ../external/libz.a -o ossec-monitord
generate_reports.c: In function `generate_reports':
generate_reports.c:59: warning: int format, pid_t arg (arg 4)
/usr/sfw/bin/gcc -g -Wall -I../ -I../headers  -DCLIENT -DUSE_OPENSSL
-DSOLARIS -DHIGHFIRST  -DARGV0=\"ossec-monitord\" -DOSSECHIDS -lsocket
-lnsl -lresolv -UARGV0 -DARGV0=\"ossec-reportd\" report.c
../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a
../os_regex/os_regex.a ../os_xml/os_xml.a ../os_crypto/os_crypto.a
../os_zlib/os_zlib.c ../external/libz.a -o ossec-reportd


*** Making os_auth ***

/usr/sfw/bin/gcc -g -Wall -I../ -I../headers  -DCLIENT -DUSE_OPENSSL
-DSOLARIS -DHIGHFIRST  -DARGV0=\"ossec-authd\" -DOSSECHIDS -lsocket
-lnsl -lresolv main-server.c ssl.c ../addagent/validate.c
../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a
../os_regex/os_regex.a ../os_crypto/os_crypto.a ../os_zlib/os_zlib.c
../external/libz.a -lssl -lcrypto -o ossec-authd
main-server.c: In function `ssl_error':
main-server.c:53: warning: passing arg 1 of `SSL_get_error' discards
qualifiers from pointer target type
/usr/sfw/bin/gcc -g -Wall -I../ -I../headers  -DCLIENT -DUSE_OPENSSL
-DSOLARIS -DHIGHFIRST  -DARGV0=\"ossec-authd\" -DOSSECHIDS -lsocket
-lnsl -lresolv main-client.c ssl.c ../addagent/validate.c
../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a
../os_regex/os_regex.a ../os_crypto/os_crypto.a ../os_zlib/os_zlib.c
../external/libz.a -lssl -lcrypto -o agent-auth



If anyone can shed some light on this, that would be great.


Thanks
Kumar



Re: [ossec-list] Warning during compilations Server

2016-07-19 Thread Kumar Mg
Thanks Dan.

Let me check with the new code and see.

On 19 July 2016 at 23:27, dan (ddp) wrote:

> On Tue, Jul 19, 2016 at 1:32 PM, Kumar Mg wrote:
> > Hi
> >
> > We are getting these messages during compilation and are not sure if any code
> > update is required for the rename_ex function in src/shared/file_op.c.
> >
>
> I don't see any issues with it in the current source. I don't have
> 2.8.3 handy to check that.
>
> > Compiling on CentOS 7 for OSSEC 2.8.3 version.
> >
> >
> > *** Making shared ***
> >
> >
> >
> > make[1]: Entering directory `/OSSECSRC/src/shared'
> >
> > cc -c -g -Wall -I../ -I../headers   -DUSE_OPENSSL -DUSEINOTIFY
> > -DMAX_AGENTS=512   -DARGV0=\"shared-libs\" -DOSSECHIDS *.c
> >
> > file_op.c: In function 'rename_ex':
> >
> > file_op.c:660:9: warning: too many arguments for format
> > [-Wformat-extra-args]
> >
> >  );
> >
> >  ^
> >
> > ar cru lib_shared.a *.o
> >
> > ranlib lib_shared.a
> >
> > make[1]: Leaving directory `/OSSECSRC/src/shared'
> >
> >
> >
> > Thanks
> > Kumar



Re: [ossec-list] Warning during compilations Server

2016-07-19 Thread dan (ddp)
On Tue, Jul 19, 2016 at 1:32 PM, Kumar Mg wrote:
> Hi
>
> We are getting these messages during compilation and are not sure if any code
> update is required for the rename_ex function in src/shared/file_op.c.
>

I don't see any issues with it in the current source. I don't have
2.8.3 handy to check that.

> Compiling on CentOS 7 for OSSEC 2.8.3 version.
>
>
> *** Making shared ***
>
>
>
> make[1]: Entering directory `/OSSECSRC/src/shared'
>
> cc -c -g -Wall -I../ -I../headers   -DUSE_OPENSSL -DUSEINOTIFY
> -DMAX_AGENTS=512   -DARGV0=\"shared-libs\" -DOSSECHIDS *.c
>
> file_op.c: In function 'rename_ex':
>
> file_op.c:660:9: warning: too many arguments for format
> [-Wformat-extra-args]
>
>  );
>
>  ^
>
> ar cru lib_shared.a *.o
>
> ranlib lib_shared.a
>
> make[1]: Leaving directory `/OSSECSRC/src/shared'
>
>
>
> Thanks
> Kumar



[ossec-list] Warning during compilations Server

2016-07-19 Thread Kumar Mg
Hi

We are getting these messages during compilation and are not sure if any code
update is required for the rename_ex function in src/shared/file_op.c.

Compiling on CentOS 7 for OSSEC 2.8.3 version.


*** Making shared ***



make[1]: Entering directory `/OSSECSRC/src/shared'

cc -c -g -Wall -I../ -I../headers   -DUSE_OPENSSL -DUSEINOTIFY
-DMAX_AGENTS=512   -DARGV0=\"shared-libs\" -DOSSECHIDS *.c

file_op.c: In function 'rename_ex':

file_op.c:660:9: warning: too many arguments for format
[-Wformat-extra-args]

 );

 ^

ar cru lib_shared.a *.o

ranlib lib_shared.a

make[1]: Leaving directory `/OSSECSRC/src/shared'


Thanks
Kumar



[ossec-list] DB schema

2016-07-19 Thread Kumar Mg
Hi all,

We have a requirement to increase the description data type from
varchar 255 to a higher value. Is it advisable to make this change, or do we
need to limit our description field to within 255 characters?


CREATE TABLE signature
(
    id          SERIAL       NOT NULL,
    rule_id     INT8         NOT NULL UNIQUE,
    level       INT4,
    description VARCHAR(255) NOT NULL,
    PRIMARY KEY (id)
);

Thanks

Kumar



Re: [ossec-list] Agents going offline intermittently

2016-07-19 Thread Quintin Beukes
The logs on the agent show this:
2016/07/19 16:18:27 ossec-agentd(4101): WARN: Waiting for server reply (not
started). Tried: 'ossec.jeoffice/10.10.12.171'.
2016/07/19 16:18:29 ossec-agentd: INFO: Trying to connect to server
(ossec.jeoffice/10.10.12.171:1514).
2016/07/19 16:18:29 ossec-agentd: INFO: Using IPv4 for: 10.10.12.171 .
2016/07/19 16:18:44 ossec-logcollector: WARN: Process locked. Waiting for
permission...

Quintin

On Tue, Jul 19, 2016 at 4:13 PM Quintin Beukes wrote:

> Hi,
>
> A few days ago some of my OSSEC agents started going offline and stopped
> sending alerts, and then a long while later came back online again like
> nothing's wrong. Restarting the agents doesn't help fix the offline status.
> This affects both agents running through a router/firewall to reach the
> server, and agents running in the same subnet as the server.
>
> I removed all iptables filters and did a tcpdump on both offline and
> online agents, but couldn't notice anything out of the ordinary.
>
> Here are packets from an offline agent showing successful traffic from
> server to client and vice versa, as well as some curious port unreachable
> errors. Even though there is traffic, the agent shows as offline and no
> alerts are generated for events on this agent.
>
> OSSEC Server IP: 10.10.12.171
> Agent IP: 10.10.13.8
>
> agent_control -l:
>ID: 019, Name: devjerm1, IP: 10.10.13.8, Disconnected
>
> tcpdump:
> 15:47:36.515777 IP 10.10.13.8 > 10.10.12.171: ICMP 10.10.13.8 udp port
> 58989 unreachable, length 109
> 15:47:36.517646 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
> 15:47:40.526516 IP 10.10.12.171.1514 > 10.10.13.8.58989: UDP, length 73
> 15:47:40.526567 IP 10.10.13.8 > 10.10.12.171: ICMP 10.10.13.8 udp port
> 58989 unreachable, length 109
> 15:47:41.518182 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
> 15:47:47.518732 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
> 15:47:59.581518 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
> 15:48:07.897110 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
> 15:48:14.725335 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
> 15:48:19.395627 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
> 15:48:25.521404 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
> 15:48:31.522261 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
> 15:48:35.522794 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
>
> Any insights are appreciated.
>
> Quintin



[ossec-list] Agents going offline intermittently

2016-07-19 Thread Quintin Beukes
Hi,

A few days ago some of my OSSEC agents started going offline and stopped
sending alerts, and then a long while later came back online again like
nothing's wrong. Restarting the agents doesn't help fix the offline status.
This affects both agents running through a router/firewall to reach the
server, and agents running in the same subnet as the server.

I removed all iptables filters and did a tcpdump on both offline and online 
agents, but couldn't notice anything out of the ordinary. 

Here are packets from an offline agent showing successful traffic from 
server to client and vice versa, as well as some curious port unreachable 
errors. Even though there is traffic, the agent shows as offline and no 
alerts are generated for events on this agent.

OSSEC Server IP: 10.10.12.171
Agent IP: 10.10.13.8

agent_control -l:
   ID: 019, Name: devjerm1, IP: 10.10.13.8, Disconnected

tcpdump:
15:47:36.515777 IP 10.10.13.8 > 10.10.12.171: ICMP 10.10.13.8 udp port 
58989 unreachable, length 109 
15:47:36.517646 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73 
15:47:40.526516 IP 10.10.12.171.1514 > 10.10.13.8.58989: UDP, length 73 
15:47:40.526567 IP 10.10.13.8 > 10.10.12.171: ICMP 10.10.13.8 udp port 
58989 unreachable, length 109 
15:47:41.518182 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73 
15:47:47.518732 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73 
15:47:59.581518 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73 
15:48:07.897110 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73 
15:48:14.725335 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73 
15:48:19.395627 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73 
15:48:25.521404 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73 
15:48:31.522261 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73 
15:48:35.522794 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73

Any insights are appreciated.

Quintin

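As an added illustration (not part of Quintin's post or of OSSEC itself), a small Python script that walks the tcpdump excerpt above and makes the port bookkeeping explicit: it tracks the agent's current UDP source port and flags server datagrams addressed to a port the agent is no longer sending from, alongside the ICMP port-unreachable replies. The capture is re-typed inline as constructed sample input; the server and agent addresses are the ones given in the post, and the function names are mine.

```python
import re

# Addresses as stated in the post; the capture below is re-typed here as
# constructed sample input so the script runs offline.
SERVER_IP = "10.10.12.171"
SERVER_PORT = 1514
AGENT_IP = "10.10.13.8"

CAPTURE = """\
15:47:36.515777 IP 10.10.13.8 > 10.10.12.171: ICMP 10.10.13.8 udp port 58989 unreachable, length 109
15:47:36.517646 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
15:47:40.526516 IP 10.10.12.171.1514 > 10.10.13.8.58989: UDP, length 73
15:47:40.526567 IP 10.10.13.8 > 10.10.12.171: ICMP 10.10.13.8 udp port 58989 unreachable, length 109
15:47:41.518182 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
15:47:47.518732 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
15:47:59.581518 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:07.897110 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:14.725335 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:19.395627 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:25.521404 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
15:48:31.522261 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
15:48:35.522794 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
"""

# tcpdump UDP line: "<ts> IP <src>.<sport> > <dst>.<dport>: UDP, length N"
UDP_RE = re.compile(
    r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP")
# tcpdump ICMP line: "<ts> IP <src> > <dst>: ICMP <host> udp port <port> unreachable"
ICMP_RE = re.compile(
    r"^(\S+) IP (\S+) > (\S+): ICMP \S+ udp port (\d+) unreachable")


def analyse(capture, server_ip, server_port, agent_ip):
    """Walk the capture in order, remembering the source port of the agent's
    most recent datagram to the server. Return (ports, findings): the distinct
    agent source ports in order of first use, and a list of
    (timestamp, kind, port, agent_port_at_that_time) tuples, where kind is
    'stale_reply' (server sent to a port the agent is not currently using) or
    'port_unreachable' (agent answered a server datagram with ICMP)."""
    agent_ports = []
    current = None          # agent source port seen most recently
    findings = []
    for line in capture.splitlines():
        m = UDP_RE.match(line)
        if m:
            ts, src, sport, dst, dport = m.groups()
            sport, dport = int(sport), int(dport)
            if src == agent_ip and dst == server_ip and dport == server_port:
                if sport != current:            # agent moved to a new socket
                    agent_ports.append(sport)
                    current = sport
            elif src == server_ip and sport == server_port and dst == agent_ip:
                if dport != current:            # reply aimed at an old port
                    findings.append((ts, "stale_reply", dport, current))
            continue
        m = ICMP_RE.match(line)
        if m and m.group(2) == agent_ip:
            findings.append((m.group(1), "port_unreachable",
                             int(m.group(4)), current))
    return agent_ports, findings


def report(capture, server_ip, server_port, agent_ip):
    """Human-readable summary of analyse() for the capture."""
    ports, findings = analyse(capture, server_ip, server_port, agent_ip)
    lines = ["agent source ports, in order of first use: %s"
             % ", ".join(str(p) for p in ports)]
    for ts, kind, port, cur in findings:
        lines.append("%s %-16s port %d (agent currently on %s)"
                     % (ts, kind, port, cur))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CAPTURE, SERVER_IP, SERVER_PORT, AGENT_IP))
```

On this excerpt the script shows the agent sending from 49382 while the server's 15:47:40 datagram goes to 58989 (answered with ICMP port unreachable), and the agent switching to 59490 at 15:48:25; whether that port churn is cause or symptom is exactly what the thread leaves open.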


[ossec-list] Random OSSEC Agents Offline

2016-07-19 Thread Quintin Beukes
Hi,

A few days ago some of my OSSEC agents started going offline and stopped
sending alerts, and then a long while later came back online again like
nothing's wrong. Restarting the agents doesn't help fix the offline status.
This affects both agents running through a router/firewall to reach the
server, and agents running in the same subnet as the server.

I removed all iptables filters and did a tcpdump on both offline and online 
agents, but couldn't notice anything out of the ordinary. 

Here are packets from an offline agent showing successful traffic from 
server to client and vice versa, as well as some curious port unreachable 
errors. Even though there is traffic, the agent shows as offline and no 
alerts are generated for events on this agent.

OSSEC Server IP: 10.10.12.171
Agent IP: 10.10.13.8

agent_control -l:
   ID: 019, Name: devjerm1, IP: 10.10.13.8, Disconnected

tcpdump:
15:47:36.515777 IP 10.10.13.8 > 10.10.12.171: ICMP 10.10.13.8 udp port 
58989 unreachable, length 109 
15:47:36.517646 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73 
15:47:40.526516 IP 10.10.12.171.1514 > 10.10.13.8.58989: UDP, length 73 
15:47:40.526567 IP 10.10.13.8 > 10.10.12.171: ICMP 10.10.13.8 udp port 
58989 unreachable, length 109 
15:47:41.518182 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73 
15:47:47.518732 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73 
15:47:59.581518 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73 
15:48:07.897110 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73 
15:48:14.725335 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73 
15:48:19.395627 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73 
15:48:25.521404 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73 
15:48:31.522261 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73 
15:48:35.522794 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73

Any insights are appreciated.

Quintin



[ossec-list] Re: Custom rules to send email alerts about Chrome Remote Desktop events

2016-07-19 Thread Jesus Linares
Hi Kevin,

I added your rules to the Ossec Wazuh ruleset. Check it out here:
https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/rules/msauth_rules.xml#L961

Thanks for your contribution!
Regards.

On Monday, June 6, 2016 at 11:49:29 PM UTC+2, Kevin Branch wrote:
>
> The news about folks getting exploited via TeamViewer made me want to get 
> proactive notification whenever any of my systems get logged into via 
> Chrome Remote Desktop.  These rules will send email alerts about failed and 
> successful logins via Chrome Remote Desktop, plus generate an OSSEC event 
> when chromoting sessions close.  Feel free to improve on them.
>
>   <rule id="RULE_ID" level="LEVEL">  <!-- id and level were not preserved in the archive; fill in -->
>     <if_sid>18103</if_sid>
>     <match>: chromoting: \.* Access denied for client:</match>
>     <description>Chrome Remote Desktop attempt - access denied</description>
>     <group>alert_by_email</group>
>   </rule>
>
>   <rule id="RULE_ID" level="LEVEL">  <!-- id and level were not preserved in the archive; fill in -->
>     <if_sid>18101</if_sid>
>     <match>: chromoting: \.* Client connected:</match>
>     <description>Chrome Remote Desktop attempt - connected</description>
>     <group>alert_by_email</group>
>   </rule>
>
>   <rule id="RULE_ID" level="LEVEL">  <!-- id and level were not preserved in the archive; fill in -->
>     <if_sid>18101</if_sid>
>     <match>: chromoting: \.* Client disconnected:</match>
>     <description>Chrome Remote Desktop attempt - disconnected</description>
>   </rule>
>
> Thanks to Doug for assisting me in getting these working.
>
> Kevin Branch
>
