[ossec-list] Problems using multiple sid in a custom rule

2012-04-02 Thread C. L. Martinez
Hi all,

 I have a strange problem. I have defined a custom rule to trigger an
alert when an RBN IP comes as the srcip in my log file. For example:

<group name="rbn,">
  <rule id="110008" level="14">
    <if_sid>100202,100203,100201</if_sid>
    <srcip>108.60.159.33</srcip>
    <description>Connection from RBN IP</description>
  </rule>
</group>

 When I try to load this type of rule, this error occurs:

 2012/04/02 07:47:27 ossec-analysisd: INFO: Reading rules file:
'my_rbn_rules.xml'
2012/04/02 07:47:27 ossec-remoted: INFO: Started (pid: 6387).
2012/04/02 07:47:27 ossec-remoted: Remote syslog allowed from: '192.168.44.0/24'
2012/04/02 07:47:27 ossec-remoted: INFO: Started (pid: 6389).
2012/04/02 07:47:30 ossec-syscheckd(1210): ERROR: Queue
'/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2012/04/02 07:47:30 ossec-rootcheck(1210): ERROR: Queue
'/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2012/04/02 07:47:30 ossec-remoted(1210): ERROR: Queue
'/queue/ossec/queue' not accessible: 'Connection refused'.
2012/04/02 07:47:30 ossec-remoted(1211): ERROR: Unable to access
queue: '/queue/ossec/queue'. Giving up..
2012/04/02 07:47:32 ossec-analysisd: INFO: Reading rules file:
'my_dshield_rules.xml'
2012/04/02 07:47:32 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'

 But it is really strange, because I have another rule file
(my_dshield_rules.xml) configured like the previous one, and this doesn't
return any error. Where is the problem?

Thanks.


Re: [ossec-list] Optimization Help for MySQL Database Containing OSSEC Alerts

2012-04-02 Thread Doug Burks
Hi Chris,

You mention logstash and Splunk, but have you looked at ELSA?
http://code.google.com/p/enterprise-log-search-and-archive/

Regards,
Doug

On Sun, Apr 1, 2012 at 8:45 PM, Decker Christopher
ch...@chris-decker.com wrote:
 All,

 I'm running MySQL + Apache/PHP on a very beefy box but using the out-of-box
 OSSEC DB schemas I'm experiencing significant latency pulling the alerts
 from the DB.  I use the excellent OSSEC viewer (using Ext
 JS) [http://code.google.com/p/ossecdb-extjs/] to look at the last 30 days or
 so of alerts, and typically filter based on alert level.  I'm not really
 performing complex queries, I'm merely trying to keep an eye on my servers
 and react as necessary.  That said, I do like to keep all of the older
 alerts on-line to perform basic research when the need arises.

 I'm not a MySQL expert nor do I have any desire to be one, but timely
 queries of my alerts are important to me--please help!  The areas I'm
 currently researching and would love to hear from other OSSEC users (after
 all, I'm not looking to re-invent the wheel here):

 - Partitioning scheme.  I'm looking for something that automatically creates
   partitions for each month of the year (i.e. 12 per year; when we move into a
   new month the new partition is created automatically).  For now, the best
   tutorial I could find was here:
   http://www.kickingtyres.com/words/mysql/mysql-partition-management/
 - Modifications to the existing indexes.  The current indexes looked fine to
   me, given that most of my queries are simply based on timestamp and alert
   level, but I thought I'd ask.

 I already know that there are some general optimizations I can make to MySQL
 that will help alleviate some of my issues, but the above areas are also of
 interest to me.



 Thanks in advance,
 Chris


 P.s.  Some may read my post and wonder why I'm not using logstash or Splunk.
  logstash is great for queries but generally difficult to read/use for
 casual log reviewing (IMHO)--I am considering standing it up for more
 complex searching in the future.  Splunk has great search capabilities and I
 like the overall interface, but is not open source (and I think I'll
 eventually hit the 500 MB/day ceiling), requires Flash to view any graphs
 (seems counter-productive given all of the security issues the plugin has!)
 and splunkd has crashed quite frequently on me.



-- 
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012


[ossec-list] ossec-analysisd: ERROR: Compiled rule not found: if_bad_useragent

2012-04-02 Thread Stephane
Hi all,


I need a rule for Apache to check if a bad useragent like Nikto, Zeus,
WebReaper etc. is crawling a webserver. Additionally I need a file where all
my forbidden useragents are listed. My first thought was to use the list
tag in a rule like this:

<rule id="109005" level="14">
  <if_sid>31100</if_sid>
  <list field="url" lookup="match_key">rules/bad_useragents</list>
  <description>APACHE: A BAD USERAGENT IS CRAWLING...</description>
</rule>

But my problem with this solution is that the useragent information in the
logs is really hard to extract using a regex in a decoder.
A sample log looks like this one:

Mar 30 13:32:00 ossec-server apache[26757]: 192.168.0.28 - - 
[30/Mar/2012:13:32:00 +0200] GET /Elv8O72e.cwr HTTP/1.1 404 272 - 
Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)

and the useragent in this case is: Mozilla/4.75 (Nikto/2.1.4)
(Evasions:None) (Test:map_codes)
but with other agents it might look different, so I can't use the list tag
because I can't extract the useragent itself.
That's why I thought of using a compiled rule:

#include "shared.h"
#include "eventinfo.h"
#include "config.h"
#include <regex.h>

void *if_bad_useragent(Eventinfo *lf)
{
    FILE *useragents;
    char line[256];

    useragents = fopen("/var/ossec/rules/bad_useragents", "r");

    if (useragents != NULL) {
        while (fgets(line, 256, useragents)) {
            regex_t regex;
            int reti;

            /* DEFINE REGEX */
            /* OF COURSE THIS IS NOT THE CORRECT REGEX, BUT I USED .* TO TEST
             * THE RULE TO BE SURE IT WILL WORK */
            reti = regcomp(&regex, ".*", 0);
            if (reti) {
                fprintf(stderr, "OSSEC-HIDS: "
                        "~/ossec/ossec-hids-2.6/src/analysisd/compiled_rules/if_bad_useragent.c: "
                        "Could not compile regex\n");
                exit(1);
            }

            /* EXECUTE REGEX */
            reti = regexec(&regex, "abc", 0, NULL, 0);
            if (!reti) {
                /* match: release the regex and the file before returning */
                regfree(&regex);
                fclose(useragents);
                return (lf);
            }
            regfree(&regex);
        }
        /* no line matched: close the file before returning */
        fclose(useragents);
    }
    return (NULL);
}

I created the file if_bad_useragent.c in src/analysisd/compiled_rules 
with the content above. After that I executed the following 3 commands:
./register_rule.sh build
*Build completed.
./register_rule.sh save
*Save completed at /var/ossec/compiled_rules/
./register_rule.sh list
*Available functions:
check_id_size
comp_mswin_targetuser_calleruser_diff
comp_srcuser_dstuser
if_bad_useragent
is_simple_http_request
is_valid_crawler

But when I want to test my rule using ossec-logtest I always get the 
following error: 
2012/04/02 10:36:44 ossec-analysisd: ERROR: Compiled rule not found: 
'if_bad_useragent'
2012/04/02 10:36:44 ossec-analysisd(1274): ERROR: Invalid configuration. 
Element 'compiled_rule': if_bad_useragent.
2012/04/02 10:36:44 ossec-testrule(1220): ERROR: Error loading the rules: 
'local_rules.xml'.

My installed OSSEC-Version is:
 bin/ossec-analysisd -V

OSSEC HIDS v2.6 - Trend Micro Inc.

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License (version 2) as
published by the Free Software Foundation. For more details, go to
http://www.ossec.net/main/license/

Does anyone have an idea what I must change?


THX in advance

P.S. At the moment I'm using the following rule, which I think is quite slow 
etc.:

<rule id="109005" level="14">
  <if_sid>31100</if_sid>
  <match>BlackWidow|ChinaClaw|Custo|DISCo|Download Demon|EirGrabber|EmailSiphon|EmailWolf|Express WebPictures|ExtractorPro|EyeNetIE|FlashGet|GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|GrabNet|Grafula|HMView|HTTrack|HTTrack|Image Stripper|Image Sucker|Indy Library|Indy Library|InterGET|Internet Ninja|JOC Web Spider|JetCar|LeechFTP|MIDown tool|Mass Downloader|Mister PiX|Navroad|NearSite|NetAnts|NetSpider|NetZIP|Net Vampire|Octopus|Offline Explorer|Offline Navigator|PageGrabber|Papa Foto|ReGet|RealDownload|SiteSnagger|SmartDownload|SuperBot|SuperHTTP|Surfbot|Teleport Pro|TurnitinBot|VoidEYE|WWWOFFLE|WebAuto|WebCopier|WebFetch|WebGo IS|WebLeacher|WebReaper|WebSauger|WebStripper|WebWhacker|WebZIP|Web Image Collector|Web Sucker|Website Quester|Website eXtractor|Widow|Xaldon WebSpider|Zeus|archiverloader|casper|clshttp|cmsworldmap|curl|diavol|dotbot|eCatch|email|extract|flicky|grab|harvest|jakarta|java|kmccrew|larbin|libwww|miner|nikto|pavuk|pcBrowser|planetwork|pycurl|python|scan|skygrid|tAkeOut|wget|winhttp</match>
  <description>APACHE: A BAD USERAGENT IS CRAWLING...</description>
</rule>



Re: [ossec-list] ossec-analysisd: ERROR: Compiled rule not found: if_bad_useragent

2012-04-02 Thread Daniel Cid
Can you take a look at the file src/analysisd/compiled_rules/compiled_rules.h
to see if your new function is there?

Also, did you re-run make and copy the new analysisd binary to /var/ossec/bin?

*Btw, your current function is actually slower than using the match from
OSSEC. It is doing an open+read+regex_compile on every single HTTP event, and
that can slow things down. It is better to pre-compile and keep in memory than
having to do it every time. Besides that, it is a very good start :)

Thanks,

--
Daniel B. Cid
http://dcid.me
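Daniel's point about pre-compiling, as an added example that is not code from the thread or from OSSEC: the pattern list is loaded and compiled once, the regex_t objects stay in memory, and each event only pays for regexec; it also pulls the User-Agent out of an Apache combined-format line (the last quoted field) instead of matching the whole line. The file path, the constructed sample_patterns array and all function names are assumptions; hooking it into a compiled rule means calling the loader once at start-up and is_bad_useragent on the event's log string.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>
#define MAX_PATTERNS 256

static regex_t compiled[MAX_PATTERNS];  /* compiled once, reused per event */
static int ncompiled = 0;
/* Constructed sample list; stands in for /var/ossec/rules/bad_useragents. */
const char *const sample_patterns[] = { "Nikto/", "HTTrack", "Teleport Pro",
                                        "wget", "# comment, skipped", NULL };

/* Free every compiled pattern so a list can be (re)loaded. */
void reset_patterns(void)
{
    while (ncompiled > 0) regfree(&compiled[--ncompiled]);
}

/* Compile one pattern (case-insensitive, match-only); skip blanks and '#'. */
static void add_pattern(const char *pat)
{
    if (pat[0] == '\0' || pat[0] == '#' || ncompiled >= MAX_PATTERNS)
        return;
    if (regcomp(&compiled[ncompiled], pat, REG_EXTENDED | REG_ICASE | REG_NOSUB) == 0)
        ncompiled++;
}

/* Load from a NULL-terminated array (used here for the offline sample). */
int load_patterns_from_array(const char *const *pats)
{
    reset_patterns();
    for (; *pats != NULL; pats++) add_pattern(*pats);
    return ncompiled;
}

/* Load from a file, one pattern per line, once at start-up; -1 on open error. */
int load_patterns_from_file(const char *path)
{
    char line[256];
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return -1;
    reset_patterns();
    while (fgets(line, sizeof line, fp)) {
        line[strcspn(line, "\r\n")] = '\0';   /* strip the newline */
        add_pattern(line);
    }
    fclose(fp);
    return ncompiled;
}

/* Copy the last double-quoted field (the User-Agent in Apache's combined format)
 * into out; with no quoted field, copy the whole line (full-line match, like <match>). */
static void extract_useragent(const char *log, char *out, size_t outlen)
{
    const char *end = strrchr(log, '"'), *start = end;
    while (start != NULL && start > log && *--start != '"')
        ;
    if (end == NULL || start == end || *start != '"') {
        snprintf(out, outlen, "%s", log);
        return;
    }
    size_t len = (size_t)(end - start - 1);
    if (len >= outlen) len = outlen - 1;
    memcpy(out, start + 1, len);
    out[len] = '\0';
}

/* 1 if the line's User-Agent matches any pre-compiled pattern, else 0. */
int is_bad_useragent(const char *log)
{
    char ua[1024];
    extract_useragent(log, ua, sizeof ua);
    for (int i = 0; i < ncompiled; i++)
        if (regexec(&compiled[i], ua, 0, NULL, 0) == 0)
            return 1;
    return 0;
}
```

Short entries from the thread's match list such as "scan", "email" or "java" will hit far less often once matching is restricted to the User-Agent field rather than the whole request line.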

On Mon, Apr 2, 2012 at 7:36 AM, Stephane ewerlin...@gmail.com wrote:

Re: [ossec-list] ossec-analysisd: ERROR: Compiled rule not found: if_bad_useragent

2012-04-02 Thread Stephane
hi,

Thanks for the quick answer. 
This is the content of my compiled_rules.h:
/* This file is auto generated by ./register_rule.sh. Do not touch it. */

/* Adding the function definitions. */
void *check_id_size(Eventinfo *lf);
void *comp_mswin_targetuser_calleruser_diff(Eventinfo *lf);
void *comp_srcuser_dstuser(Eventinfo *lf);
void *if_bad_useragent(Eventinfo *lf);
void *is_simple_http_request(Eventinfo *lf);
void *is_valid_crawler(Eventinfo *lf);
void *myosrule_check_url_size1024(Eventinfo *lf);

/* Adding the rules list. */
void *(compiled_rules_list[]) =
{
    check_id_size,
    comp_mswin_targetuser_calleruser_diff,
    comp_srcuser_dstuser,
    if_bad_useragent,
    is_simple_http_request,
    is_valid_crawler,
    myosrule_check_url_size1024,
    NULL
};

/* Adding the rules list names. */
char *(compiled_rules_name[]) =
{
    "check_id_size",
    "comp_mswin_targetuser_calleruser_diff",
    "comp_srcuser_dstuser",
    "if_bad_useragent",
    "is_simple_http_request",
    "is_valid_crawler",
    "myosrule_check_url_size1024",
    NULL
};

/* EOF */


Yes, I did the make but I forgot to copy the ossec-analysisd. I have now 
copied it, but it doesn't work either.
Additionally, I tried to set up the sample compiled rule 
myosrule_check_url_size1024 with the same result. It appears in the 
compiled_rules.h and when I run ./register_rule.sh save it saves my files 
to /var/ossec/compiled_rules. 
Even with the ossec-analysisd copied to /var/ossec/bin I always get the 
"Compiled rule not found" error.

*Thanks for the hint ;) I'll change that!!

Stephane

On Monday, 2 April 2012 15:21:29 UTC+2, Daniel Cid wrote:


[ossec-list] Re: Problems using multiple sid in a custom rule

2012-04-02 Thread C. L. Martinez
On Mon, Apr 2, 2012 at 9:56 AM, C. L. Martinez carlopm...@gmail.com wrote:

Please, any ideas?


Re: [ossec-list] Problems using multiple sid in a custom rule

2012-04-02 Thread dan (ddp)
/var/ossec/bin/logtest -t

Try troubleshooting the issue.
On Apr 2, 2012 6:31 AM, C. L. Martinez carlopm...@gmail.com wrote:




Re: [ossec-list] Large installs.

2012-04-02 Thread Phil Cox
So here is my plan for a global cloud arch (systems very volatile)

- Local install
- Alert via Syslog to central server on dedicated facility
- Local Syslog go to central server
- Central console (Graylog2?) parsing all syslog for custom correlation

Should scale to 10's of thousands. We'll see.

Phil
-- 
Director of Security and Compliance
RightScale Inc - http://www.rightscale.com
805-243-0942
Skype: phil.cox.rs
Twitter: @sec_prof


[ossec-list] agent-auth (4000 limit)

2012-04-02 Thread Tate Hansen
Hi: I just ran into this issue over the weekend - did you find a solution?


On 2/14/12 9:54 AM, Swartz, Patrick H patrick.swa...@firstdata.com
wrote:

Hi Dan, 
Yes we use the -D option. I have reason to believe that we are hitting a
hard-coded limit of 4000 in the addagent/validate.c file.  Our current
client.keys file is at ID 4043 for the latest entry.

I'm not sure if simply modifying that amount and recompiling would be
enough or are there other lines/files that need to be changed?


Patrick Swartz





[ossec-list] RE: agent-auth (4000 limit)

2012-04-02 Thread Swartz, Patrick H
Hi, modifying the src/addagent/validate.c file --

    {
        i = 1024;
        snprintf(nid, 6, "%d", i);
        while (IDExist(nid))
        {
            i++;
            snprintf(nid, 6, "%d", i);
            if (i >= 9000)
            {
                return (NULL);
            }
        }
        id = nid;
    }

The original value is 4000, we upped that to 9000 and everything seems to be 
working now.

Hope that helps,

Patrick Swartz


-Original Message-
From: Tate Hansen [mailto:t...@clearnetsec.com] 
Sent: Monday, April 02, 2012 2:11 PM
To: ossec-list@googlegroups.com
Cc: Swartz, Patrick H
Subject: agent-auth (4000 limit)




