Hi Daniel,
When the server uses local_ip x.x.150.139 (virtual interface) and a
client on a different network is set to contact the server on x.x.
150.139:
10:13:24.789953 IP xxx.xxx.135.169.32862 > xxx.xxx.150.139.1514: UDP,
length 73
10:13:24.791055 IP xxx.xxx.150.137.1514 > xxx.xxx.135.169.328
Hi Mark,
This is a networking issue common to UDP, since it is stateless and
the kernel decides on which interface
to reply, it will generally use the main (first) interface.
For example, if I setup a virtual interface in here (host ourhome):
eth0 -> 192.168.2.15
eth0:0 -> 192.168.2.77
eth0:1
Daniel,
I am pretty sure the OSSEC server is not behaving correctly.
I set the on the server to xxx.xxx.150.137 (which is the IP
attached to the physical interface. This is not what I want, but I
needed to test it).
This is a tcpdump when the server is configured for 150.137 and the
client's
I neglected to mention the IPs of the server, ovm-a
ovm-a eth0 is xxx.xxx.xxx.137
ovm-a eth0:0 is xxx.xxx.xxx.139
On Mar 18, 3:10 pm, Mark C wrote:
> Daniel,
>
> Thanks for the response! I am humbled by the lead developer helping a
> lowly user ;)
>
> It looks like you're absolutely right.
Daniel,
Thanks for the response! I am humbled by the lead developer helping a
lowly user ;)
It looks like you're absolutely right. One of my clients, named lmp-
a, is talking to the server (named ovm-a) on the server's virtual
interface (with the floating IP). However, the server is replying
sec-l...@googlegroups.com] On
Behalf Of Daniel Cid
Sent: 18 March 2009 17:04
To: ossec-list@googlegroups.com
Subject: [ossec-list] Re: Specify LISTEN IP and/or interface on the server?
Hi Rob,
Can you describe what is breaking the wui? Using a network address
range should work fine in there...
Thanks,
--
Dan
Hi Mark,
If you don't specify a local_ip in the config, it will bind to all the
interfaces. What I am thinking
is that you are having a routing issue, where ip A is receiving the
events from the agent, but
with a route configure to reply with ip B. Can you run tcpdump on both
ends (and netstat -u
. A config option to force the agent to
> use a specific IP would be better...
>
> Rob
>
> -Original Message-
> From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On
> Behalf Of Mark C
> Sent: 17 March 2009 13:47
> To: ossec-list
> Subjec
bject: [ossec-list] Re: Specify LISTEN IP and/or interface on the server?
The I was trying was the IP attached to the eth0:0
interface. And yes, I restarted both the server and clients.
I just tried entering 0.0.0.0. When starting ossec:
2009/03/17 08:43:45 ossec-config(1237): ERROR: Inval
The I was trying was the IP attached to the eth0:0
interface. And yes, I restarted both the server and clients.
I just tried entering 0.0.0.0. When starting ossec:
2009/03/17 08:43:45 ossec-config(1237): ERROR: Invalid ip address:
'0.0.0.0'.
2009/03/17 08:43:45 ossec-config(1202): ERROR: Conf
What IP did you specify with that option? I would assume setting 0.0.0.0
would allow OSSEC to listen on any IP address. You are restarting the
server after you make these changes, right?
On Mon, Mar 16, 2009 at 3:40 PM, Mark C wrote:
>
> Oh, I tried the option specified here:
> http://www.oss
Oh, I tried the option specified here:
http://www.ossec.net/main/manual/configuration-options/#remote_options
syslog
xxx.xxx.xxx.xxx
And it did not work even after restarting.
On Mar 16, 2:54 pm, Mark C wrote:
> Hi all,
>
> I've just installed OSSEC 2 on an Ubuntu 6.06 server 3
12 matches
Mail list logo