[ossec-list] Active Response Error
I'm on v.2.8.3 and trying to get active response configured for my OSSEC server. I get the error "ossec-config(1303): ERROR: Invalid command 'firewall-drop' in the active response" after restart. I checked the permission for ar.conf, which is chowned root/ossec. I place "firewall-drop600 - firewall-drop.sh - 600" in ar.conf, however the file is cleared after OSSEC restarts. Prior to restart, /var/ossec/bin/agent_control -L shows the valid response options, but after restart nothing is visible.

Here's my ossec.conf, for which I've tried several options from examples online:

    <active-response>
      <disabled>no</disabled>
      <command>firewall-drop</command>
      <location>all</location>
      <rules_id>5712</rules_id>
      <timeout>600</timeout>
    </active-response>

Any help appreciated!

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Active Response Error
Yes I do.

Restarting OSSEC:
ossec-config(1303): ERROR: Invalid command 'firewall-drop' in the active response.
ossec-config(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
ossec-analysisd(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.

# cat ar.conf
restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
(and if I add 'firewall-drop600 - firewall-drop.sh - 600' in ar.conf, it is cleared and resets to the above after restart)

# /var/ossec/bin/agent_control -L
OSSEC HIDS agent_control. Available active responses:

On Tuesday, December 29, 2015 at 1:18:05 PM UTC-5, dan (ddpbsd) wrote:
> Do you have this in your ossec.conf:
>
>     <command>
>       <name>firewall-drop</name>
>       <executable>firewall-drop.sh</executable>
>       <expect>srcip</expect>
>       <timeout_allowed>yes</timeout_allowed>
>     </command>
Re: [ossec-list] Active Response Error
Thanks for the feedback. I double checked my firewall-drop line and found a typo in the tag. Thanks!

On Tuesday, December 29, 2015 at 1:18:05 PM UTC-5, dan (ddpbsd) wrote:
> Do you have this in your ossec.conf:
>
>     <command>
>       <name>firewall-drop</name>
>       <executable>firewall-drop.sh</executable>
>       <expect>srcip</expect>
>       <timeout_allowed>yes</timeout_allowed>
>     </command>
Re: [ossec-list] Active Response Error
Yes, the script worked! Just fat-fingered the tag.

On Tuesday, December 29, 2015 at 5:25:20 PM UTC-5, dan (ddpbsd) wrote:
> On Dec 29, 2015 3:31 PM, "Cal" wrote:
> > (and if I add 'firewall-drop600 - firewall-drop.sh - 600' in ar.conf, it is cleared and resets to the above after restart)
>
> Because you don't modify that file, ossec should fill it in.
> Since you said the command block I pasted is in your ossec.conf, can you make sure the script exists? Is it executable?
Re: [ossec-list] Active Response Error
And thanks for your help!

On Tuesday, December 29, 2015 at 5:57:16 PM UTC-5, Cal wrote:
> Yes, the script worked! Just fat-fingered the tag.
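The check Dan asked for, as an added example (not code from the thread or from OSSEC itself): every <active-response> must reference a command that some <command><name> defines, otherwise ossec-config rejects the file with the "Invalid command" error seen above. The two config fragments are constructed; the optional ar_bin directory (assumed to be OSSEC's active-response/bin) lets the same routine confirm the executable is present and executable, which was Dan's second question.

```python
import os
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragments (not the poster's file). ossec.conf can
# carry several top-level <ossec_config> blocks, so the parser wraps the
# text in a synthetic root element before parsing it.
GOOD_CONF = """
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>all</location>
    <rules_id>5712</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
"""

# Same config with a typo in the command's <name>: the <active-response>
# block now references a command that is never defined.
TYPO_CONF = GOOD_CONF.replace("<name>firewall-drop</name>", "<name>firewal-drop</name>")


def parse_ossec_conf(text):
    """Parse ossec.conf text, tolerating multiple <ossec_config> roots."""
    return ET.fromstring("<root>" + text + "</root>")


def check_active_responses(text, ar_bin=None):
    """Return a list of problems a startup of ossec-config would reject.

    Reports an <active-response> whose <command> names no defined
    <command><name> (the 'Invalid command' error from the thread) and, when
    ar_bin is given, a defined command whose executable is missing from that
    directory or not executable.
    """
    root = parse_ossec_conf(text)
    commands = {}
    for cmd in root.iter("command"):
        name = cmd.findtext("name")
        if name is None:  # <command>X</command> inside <active-response> is a reference
            continue
        commands[name.strip()] = (cmd.findtext("executable") or "").strip()

    problems = []
    for ar in root.iter("active-response"):
        if (ar.findtext("disabled") or "no").strip() == "yes":
            continue
        ref = (ar.findtext("command") or "").strip()
        if ref not in commands:
            problems.append("Invalid command '%s' in the active response" % ref)
    if ar_bin is not None:
        for name, exe in commands.items():
            path = os.path.join(ar_bin, exe)
            if not os.access(path, os.X_OK):
                problems.append("command '%s': %s missing or not executable" % (name, path))
    return problems


if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("typo", TYPO_CONF)):
        print(label, check_active_responses(conf) or "OK")
```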
[ossec-list] Couple of agents unable to connect to server
I have about 20 OSSEC agents connected to my OSSEC server without issue. There are approximately 6 however that cannot connect. I'm using a non-default port of 1520. Note: All IPs replaced here for OPSEC.

Logs:
- Agent:
  2016/01/04 11:12:23 ossec-agentd: INFO: Using IPv4 for: SERVER_IP .
  2016/01/04 11:12:44 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER_IP'.
- Server:
  Nothing outside the standard output, even with debug enabled

What I've done so far:
- Added rules into iptables to allow communication on both agent/server
- TCPdump confirming on agent that it is sending packet
- TCPdump confirming on server that it is receiving agent packet
- Netcat on both server/agent:
  netcat -uv SERVER_IP 1520
  Connection to SERVER_IP 1520 port [udp/*] succeeded!
  netcat -uv AGENT_IP 1520
  Connection to AGENT_IP 1520 port [udp/*] succeeded!

ossec.conf:

    <client>
      <server-ip>SERVER_IP</server-ip>
      <port>1520</port>
    </client>

    <remote>
      <connection>secure</connection>
      <protocol>tcp</protocol>
      <port>1520</port>
    </remote>
[ossec-list] Re: Couple of agents unable to connect to server
Also, from agent:

# netstat -panu | grep 1520
udp        0      0 AGENT_IP:43737        SERVER_IP:1520        ESTABLISHED 30669/ossec-agentd
[ossec-list] Re: Couple of agents unable to connect to server
Found a solution, thinking it might be a key issue. On one server, I had to chmod the keys file, which allowed the agent to connect. I tried re-adding the existing key to the other agents and configuring the permissions without anything working. Finally, I re-issued the keys for the disconnected clients, and all connected after restart. Not sure what the issue was.
[ossec-list] Agents not connecting, traffic visible in tcpdump
Hi all,

Been debugging an issue for a few hours, thought I'd ask for another opinion.

The situation:
I have an OSSEC server with approximately 70 agents connected and 15 or so that won't connect.

Tested so far:
Tcpdump shows UDP packets from both OSSEC agents and server (running on non-standard port 1520)
Traceroute from agent to server and other direction, no problem
Can ping the server from agent
Can ping the agent from server

Ex:
server:
15:51:00.135367 IP 172.28.156.XX.60625 > 172.28.29.XX.1520: UDP, length 73

agent:
15:51:00.135916 IP 172.28.156.XX.60625 > 172.28.29.XX.1520: UDP, length 73

I've tried re-adding the keys to agents several times. Enabled debugging on server, but the only noted logs are from the agent:
2016/08/02 15:56:39 ossec-agentd: INFO: Trying to connect to server (172.28.29.XX:1520).
2016/08/02 15:56:39 ossec-agentd: INFO: Using IPv4 for: 172.28.29.XX

Any ideas where to look next? I've also tried removing the agents, re-adding, re-installing, etc.

Thank you!
[ossec-list] Re: Agents not connecting, traffic visible in tcpdump
Pedro,

Awesome! Your method worked flawlessly. Thanks!

Cal

On Tuesday, August 2, 2016 at 8:51:59 PM UTC-4, Pedro S wrote:
> Hi Cal,
>
> Try disabling counters. They lose synchronisation especially when agents are reinstalled.
> Edit /var/ossec/etc/internal_options.conf and set "remoted.verify_msg_id=0", both agent & manager.
>
> Enable debug mode on both hosts, open internal_options and set debug to level 2 (especially in remoted.debug variable).
>
> Sometimes the problem could be related with NAT, try adding the agent with "any" option and test if it works (use manage_agent and when prompting for IP enter "any").
>
> Open etc/client.keys on OSSEC Manager (be careful! this file is critical) and remove duplicated entries, the agent will fail to connect if there is more than one entry with the same IP.
>
> Hope it helps,
>
> best regards,
>
> Pedro S.
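Two of Pedro's checks above in script form, as an added example (not from the thread or from OSSEC): scan the manager's client.keys for entries that share an IP, and read remoted.verify_msg_id from internal_options.conf to see whether counter verification is still on. The client.keys and internal_options.conf samples are constructed; the handling of '#'/'!' lines, the exclusion of "any" from the IP check, and the extra duplicate-ID/name reporting are assumptions beyond the thread.

```python
import re
from collections import defaultdict

# Constructed client.keys sample (not from the thread): one healthy agent,
# two entries sharing the same IP after a reinstall, a commented-out line,
# and a NATed agent registered with "any".
SAMPLE_CLIENT_KEYS = """\
001 web01 172.28.156.10 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
002 db01 172.28.156.20 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
003 db01-reinstalled 172.28.156.20 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
#004 old-host 172.28.156.30 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
005 laptop-nat any 1111111111111111111111111111111111111111111111111111111111111111
"""

# Constructed internal_options.conf excerpt (not from the thread).
SAMPLE_INTERNAL_OPTIONS = """\
# Remoted options
remoted.verify_msg_id=1
remoted.debug=0
"""


def parse_client_keys(text):
    """Yield (id, name, ip) for active entries. Lines starting with '#' or '!'
    are treated as comments/removed agents (an assumption about the format)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        parts = line.split()
        if len(parts) != 4:
            continue  # expected layout is ID NAME IP KEY; skip anything else
        yield parts[0], parts[1], parts[2]


def find_duplicate_entries(text):
    """Return {field: {value: [ids]}} for IPs, IDs and names used more than once.
    "any" is excluded from the IP check because NATed agents legitimately share it."""
    seen = {"ip": defaultdict(list), "id": defaultdict(list), "name": defaultdict(list)}
    for aid, name, ip in parse_client_keys(text):
        seen["id"][aid].append(aid)
        seen["name"][name].append(aid)
        if ip != "any":
            seen["ip"][ip].append(aid)
    return {f: {v: ids for v, ids in d.items() if len(ids) > 1} for f, d in seen.items()}


def internal_option(text, key):
    """Read one key=value line from internal_options.conf; None if unset."""
    m = re.search(r"^\s*%s\s*=\s*(\S+)" % re.escape(key), text, re.M)
    return m.group(1) if m else None


def counters_enabled(text):
    """Pedro's first check: True when remoted.verify_msg_id is set to anything
    but 0 (message counters are verified), False when set to 0, None if unset."""
    value = internal_option(text, "remoted.verify_msg_id")
    return None if value is None else value != "0"


if __name__ == "__main__":
    print("duplicates:", find_duplicate_entries(SAMPLE_CLIENT_KEYS))
    print("counters verified:", counters_enabled(SAMPLE_INTERNAL_OPTIONS))
```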
[ossec-list] Re: Agents not connecting, traffic visible in tcpdump
Pedro,

Maybe I spoke too soon. It worked for most of the agents, but I have a few stubborn ones having the same issues. I tried the steps you outlined earlier that worked on the other agents, but not on these. Any other ideas for something I could be missing?

Thanks again!