Isn't it better if the dst IP is always the agent (if agent-server) or the machine (if local installation), and the src IP is the IP that tries to connect, or 127.0.0.1 if it is something local?

I believe that organizing the information this way is better for BASE, right?

--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
[EMAIL PROTECTED]

Intranetworks
Rua Marquês do Pombal 1710/805
Porto Alegre - RS - 90540-000
+55 51 3325-5700
+55 51 8415-8604



Meir Michanie wrote:
Well, well, well.
I configured remote servers to send syslog straight to ossec and then I got a similar log entry as you reported.
I corrected ossec2mysql in order to parse the log entry.

** Alert 1158059536.19220030 :    nomail
2006 Sep 12 11:12:16 92382-borch1 -> 10.116.16.32
Rule: 5109 (level 4) -> 'Kernel Input/Output error'
Src IP: (0.0.0.0)
User: (none)
kernel: end_request: I/O error, dev sdd, sector 805583239

You can fetch the latest ossec2mysql from www.riunx.com (ossec-ui).

On 9/13/06, Meir Michanie <[EMAIL PROTECTED]> wrote:

    The dst is taken from the line <date> <agent> -> <log>.
    The src is taken from the src IP line.
    If the alert has src IP none, then I substitute that with 0.0.0.0.
    The destination IP value should be parsed in the future by
    ossec-hids. In the meantime dst IP is parsed as I described before.
    If the alert host (the dst IP) is not an IP or the script can't
    resolve it to an IP, then it will copy srcip as dstip.


    On 9/13/06, Vitor Correia <[EMAIL PROTECTED]> wrote:

        Hello everyone,

        This question is specific to ossecgui.

        Does anyone know in which situations or under what conditions
        an ossec server will/can report itself as being 0.0.0.0, or
        report itself as being the agent's IP?

        This is happening especially with SSH connections from machine1
        to the ossec server.



        If I log on through SSH from ossecserver to ossecserver, it
        reports as it should:

        signature                        timestamp            src ip      dest ip
        'SSHD authentication success.'   2006-09-13 11:50:18  10.0.7.220  10.0.7.220

        But if I log on from another machine, it doesn't:

        signature                        timestamp            src ip      dest ip
        'SSHD authentication success.'   2006-09-13 11:47:40  10.0.7.43   10.0.7.43

        - the src should be 10.0.7.43 & dest should be 10.0.7.220

        Background info: this ossecserver is also a central syslog
        server, listening to network syslogs from other machines and
        reporting them to ossecgui, using the latest ossecgui snapshot
        and the latest stable ossec-hids.

        For those of you who have been following my questions on this
        subject, I've pretty much managed to work it out, yey!! :) More
        on that (including my installation procedure) as soon as I
        iron out this issue.

        Now, I don't think I've forgotten to mention anything of
        importance. What do you think?


        ./vcorreia

        Vitor Correia
        Systems Administrator
        --
        Mobbit Systems

        [EMAIL PROTECTED] | Mobile: +351 916 448 025

        Avenida do Forte, 8 - 1º Andar - Frente 01 - 2795-503 Carnaxide
        Phone: +351 21 418 01 40 | Fax: +351 21 418 01 41

        [EMAIL PROTECTED] | www.mobbit.net

,-O O(_)) for a better world `-O
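The src/dst mapping Meir describes above (dst from the "<date> <agent> -> <log>" line, src from the "Src IP" line, "none" mapped to 0.0.0.0, and dst copied from src when the host is not an IP and cannot be resolved), as an added Python example that is not part of the thread or of ossec2mysql; it also reproduces the symptom Vitor reports, where an unresolvable host name makes src and dst come out identical. The alert text and the host table are constructed, and the table-backed resolver is a stand-in for DNS so the example runs offline.

```python
import ipaddress
import re
from typing import Callable, Dict, Optional

# Constructed alert block in the layout quoted in the thread (not a real capture).
SAMPLE_ALERT = """\
** Alert 1158059536.19220030 :    nomail
2006 Sep 12 11:12:16 92382-borch1 -> 10.116.16.32
Rule: 5109 (level 4) -> 'Kernel Input/Output error'
Src IP: (none)
User: (none)
kernel: end_request: I/O error, dev sdd, sector 805583239
"""

# Hypothetical name table standing in for DNS so the example runs offline.
KNOWN_HOSTS = {"92382-borch1": "10.116.16.32"}

HEADER_RE = re.compile(r"^\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d (\S+)\s*->\s*(\S+)")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'")
SRCIP_RE = re.compile(r"^Src IP: \((.*)\)")

def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def parse_alert(text: str, resolve: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Map one alert block to BASE-style src/dst fields using the rules above."""
    f: Dict[str, str] = {}
    for line in text.splitlines():
        if m := HEADER_RE.match(line):           # <date> <host> -> <location>
            f["host"], f["location"] = m.group(1), m.group(2)
        elif m := RULE_RE.match(line):
            f["rule"], f["level"], f["description"] = m.groups()
        elif m := SRCIP_RE.match(line):
            f["srcip_raw"] = m.group(1).strip()
    src = f.get("srcip_raw", "")
    f["srcip"] = src if is_ip(src) else "0.0.0.0"        # "(none)" becomes 0.0.0.0
    host = f.get("host", "")
    dst = host if is_ip(host) else resolve(host)          # alert host is the dst
    f["dstip"] = dst if dst and is_ip(dst) else f["srcip"]  # unresolvable: copy src
    return f

if __name__ == "__main__":
    print(parse_alert(SAMPLE_ALERT, KNOWN_HOSTS.get))
```

Passing a resolver that knows nothing (for example `lambda name: None`) yields the identical src/dst pair seen in the SSH alert above.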


