Isn't better the dst ip is always the agent (if agent-server) or the
machine (if local installation) and the src ip the ip that try to
connect or 127.0.0.1 if is something local ?
I believe that using this way is better to organize information at
BASE, right ?
--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
[EMAIL PROTECTED]
Intranetworks
Rua Marquês do Pombal 1710/805
Porto Alegre - RS - 90540-000
+55 51 3325-5700
+55 51 8415-8604
Meir Michanie wrote:
Well, well, well.
I configured remote servers to send syslog straight to ossec and then
I got a similar log entry as you reported.
I corrected ossec2mysql in order to parse the log entry.
** Alert 1158059536.19220030 : nomail
2006 Sep 12 11:12:16 92382-borch1 -> 10.116.16.32 <http://10.116.16.32>
Rule: 5109 (level 4) -> 'Kernel Input/Output error'
Src IP: (0.0.0.0 <http://0.0.0.0>)
User: (none)
kernel: end_request: I/O error, dev sdd, sector 805583239
you can fetch the latest ossec2mysql from www.riunx.com
<http://www.riunx.com> (ossec-ui)
On 9/13/06, *Meir Michanie* <[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>> wrote:
The dst is taken from the line <date> <agent> -> <log>
The src is taken from src ip line
if the alert has src ip none then I substitute that to 0.0.0.0
<http://0.0.0.0>
The destination IP value sould be parsed in the future by
ossec-hids. In the meantime dst IP is parsed as I described before.
If the alert host (the dst ip) is not an IP or the script can't
resolve to an IP, then It will copy srcip as dstip.
On 9/13/06, * Vitor Correia* < [EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>> wrote:
hello everyone,
this question is specific to ossecgui.
does anyone know in which situations or in what conditions
will/can an ossec server report itself as being 0.0.0.0
<http://0.0.0.0> or reporting itself as being the agent's ip?
this is happening specially with ssh connections from machine1
to ossec server.
if i logon through ssh from ossecserver to ossecserver it
reports as it should:
src ip dest ip
'SSHD authentication success.' 2006-09-13 11:50:18 10.0.7.220
<http://webappserver/ossecbase/base_stat_ipaddr.php?ip=10.0.3.220&netmask=32>
10.0.7.220
<http://webappserver/ossecbase/base_stat_ipaddr.php?ip=10.0.3.220&netmask32>
but if i logon from another machine it doesn't:
src ip dest ip
SSHD authentication success.' 2006-09-13 11:47:40 10.0.7.43
<http://webappserver/ossecbase/base_stat_ipaddr.php?ip=10.0.3.43&netmask=32>
10.0.7.43
<http://webappserver/ossecbase/base_stat_ipaddr.php?ip=10.0.3.43&netmask32>
- the src should be 10.0.7.43 <http://10.0.7.43> & dest should
be 10.0.7.220 <http://10.0.7.220>
background info: this ossecserver is also a central syslog
server, listening to network syslogs from other machines and
reporting them to ossecgui, using the latest ossecgui snapshot
and the latest stable ossec-hids.
for those of you who have been following my questions on this
suject, i've pretty much managed to work it out, yey!! :) more
on that as (including my installation procedure) as soon as i
iron out this issue.
now, i don't think i've forgotten to mention anything of
importance, what do you think?
./vcorreia
Vitor Correia
Systems Administrator
--
Mobbit Systems
[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]> | Telemóvel: + 351 916 448 025
Avenida do Forte, 8 - 1º Andar - Frente 01 - 2795-503 Carnaxide
Telefone: + 351 21 418 01 40 | Fax: + 351 21 418 01 41
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> | www.mobbit.net
<http://www.mobbit.net>
,-O
O(_)) for a better world
`-O
