gentuxx wrote:
> Hi all,
> 
> I've got one agent that is being reported as not allowed by
> ossec-remoted on the server.  It is whitelisted in the server config.
> 
> Any ideas on why this might be happening and/or how to troubleshoot it?
> 


Sorry for the repeated self-posts.....

Now, I'm getting the following entries in ossec.log:

2006/08/24 09:19:49 ossec-remoted(1403): Incorrectly formated message from '192.168.0.200'.
2006/08/24 09:19:49 ossec-remoted(1403): Incorrectly formated message from '192.168.0.200'.
2006/08/24 09:19:49 ossec-remoted(1403): Incorrectly formated message from '192.168.0.200'.
2006/08/24 09:19:49 ossec-remoted(1403): Incorrectly formated message from '192.168.0.200'.
2006/08/24 09:19:49 ossec-remoted(1403): Incorrectly formated message from '192.168.0.200'.
2006/08/24 09:19:49 ossec-remoted(1406): Checksum mismatch on message from '192.168.0.200'.
2006/08/24 09:19:49 ossec-remoted(1403): Incorrectly formated message from '192.168.0.200'.
2006/08/24 09:19:52 ossec-remoted(1403): Incorrectly formated message from '192.168.0.200'.
2006/08/24 09:19:52 ossec-remoted(1403): Incorrectly formated message from '192.168.0.200'.
2006/08/24 09:19:52 ossec-remoted(1403): Incorrectly formated message from '192.168.0.200'.
2006/08/24 09:19:52 ossec-remoted(1403): Incorrectly formated message from '192.168.0.200'.


Since the comms between server and agent are encrypted, sniffing the
traffic won't work.  The only thing I can think of is that the agent is
a SPARC system and the server is x86.  Would this make any difference in
terms of "endian-ness" or anything like that?  (IIRC SPARCs are
big-endian and x86s are little-endian.)

Both are running Gentoo Linux and ossec-0.9-1.
--
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239  D840 4CF0 39E2
18D3 4A9E
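
The byte-order question raised above, as an added illustration that is not part of the original post and is not OSSEC code: a generic framed message whose header fields or word-based checksum are written in host byte order is rejected by a receiver of the other endianness, while fixing network order on both sides is accepted. The frame layout, the toy checksum, the sample payload and the result strings are all hypothetical and say nothing about how ossec-remoted actually encodes its messages.

```python
import struct

# struct byte-order prefixes: ">" big-endian host (e.g. SPARC),
# "<" little-endian host (e.g. x86), "!" network order (big-endian, fixed).
BIG, LITTLE, NETWORK = ">", "<", "!"

SAMPLE = b"abcdefgh"  # constructed payload, not a real agent message


def word_checksum(payload: bytes, order: str) -> int:
    """Toy checksum (hypothetical): sum of 32-bit words loaded in `order`."""
    padded = payload + b"\x00" * (-len(payload) % 4)
    words = struct.unpack(f"{order}{len(padded) // 4}I", padded)
    return sum(words) & 0xFFFFFFFF


def encode(payload: bytes, header_order: str, word_order: str) -> bytes:
    """Frame = 4-byte length + 4-byte checksum + payload."""
    header = struct.pack(header_order + "II", len(payload),
                         word_checksum(payload, word_order))
    return header + payload


def decode(frame: bytes, header_order: str, word_order: str) -> str:
    """Validate a frame the way a strict receiver would."""
    if len(frame) < 8:
        return "incorrectly formatted"
    length, checksum = struct.unpack(header_order + "II", frame[:8])
    body = frame[8:]
    if length != len(body):          # byte-swapped length never matches
        return "incorrectly formatted"
    if checksum != word_checksum(body, word_order):
        return "checksum mismatch"   # same bytes, different word values
    return "ok"


if __name__ == "__main__":
    # Header written in the sender's host order, read in the receiver's.
    print(decode(encode(SAMPLE, BIG, BIG), LITTLE, LITTLE))
    # Header portable, but checksum words still loaded in host order.
    print(decode(encode(SAMPLE, NETWORK, BIG), NETWORK, LITTLE))
    # Everything in network order on both sides.
    print(decode(encode(SAMPLE, NETWORK, NETWORK), NETWORK, NETWORK))
```
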