I got ossec-ui-latest.tar.bz2 from http://www.riunx.com/public/ossec-ui-latest.tar.bz2 at www.riunx.com and did this:
* mysql base -p < ossec2base.sql
* mysql base -p < snort_tables.sql
* mysql base -p < trunc_ossecbase.sql
* cp ossec2mysqld.pl ossec2mysql.pl ossec2basetxt.pl /usr/local/bin/
* cat rules/*.xml |ossec2basetxt.pl -e -o /usr/share/base-php4/signatures/
* echo 'TRUNCATE TABLE `signature` ;' | mysql base -p
* echo 'TRUNCATE TABLE `sensor` ;' | mysql base -p
* echo 'TRUNCATE TABLE `acid_event` ;' | mysql base -p
* echo 'TRUNCATE TABLE `events` ;' | mysql base -p
* echo 'TRUNCATE TABLE `event` ;' | mysql base -p
* echo 'TRUNCATE TABLE `data` ;' | mysql base -p
* cat /opt/ossec/logs/alerts/2006/Jul/ossec-alerts-31.log |ossec2mysql.pl --interface manualfeed
When I try to import the logs (last command) I get the following error:

Global symbol "$alerthostip" requires explicit package name at /usr/local/bin/ossec2mysql.pl line 206.
Global symbol "$alerthostip" requires explicit package name at /usr/local/bin/ossec2mysql.pl line 207.
Global symbol "$alerthostip" requires explicit package name at /usr/local/bin/ossec2mysql.pl line 208.
Global symbol "$alerthostip" requires explicit package name at /usr/local/bin/ossec2mysql.pl line 246.
Global symbol "$alerthostip" requires explicit package name at /usr/local/bin/ossec2mysql.pl line 279.
Execution of /usr/local/bin/ossec2mysql.pl aborted due to compilation errors.

Did I forget to do something?



--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
[EMAIL PROTECTED]

Intranetworks
Rua Marquês do Pombal 1710/805
Porto Alegre - RS - 90540-000
+55 51 3325-5700
+55 51 8415-8604
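The compile error above is Perl's `use strict` refusing a scalar that was never declared in scope. As an added illustration (this is not the ossec2mysql.pl distributed at www.riunx.com), the script below parses a constructed sample in the OSSEC alerts.log layout of that time and maps it onto the srcip/dstip convention Meir describes further down (dstip = the host that logged the event, srcip = the decoded "Src IP:" field or NULL). The only thing that separates it from the failing script is the `my $alerthostip;` declaration; the alert format and the sample alerts are assumptions for the example, not data from this thread.

```perl
#!/usr/bin/perl
# Added example, not the ossec2mysql.pl distributed at www.riunx.com.
# Minimal OSSEC alerts.log parser under "use strict", showing the declaration
# the failing script lacks for $alerthostip and how the thread's
# srcip/dstip convention maps onto the alert fields.
use strict;
use warnings;

# Constructed sample in the OSSEC alerts.log layout (assumption:
# "(agent) ip->location" for agent logs, "host->location" for server-local logs).
my $sample = <<'END_ALERT';
** Alert 1154355750.2011: - syslog,sshd,authentication_failed,
2006 Jul 31 10:22:30 (agent01) 192.168.1.10->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.5
User: root
Jul 31 10:22:29 agent01 sshd[1234]: Failed password for root from 10.0.0.5 port 4242 ssh2

** Alert 1154355751.2345: - ossec,
2006 Jul 31 10:22:31 server01->ossec-monitord
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'agent01->192.168.1.10'.
END_ALERT

# Under "use strict", a scalar used without a package name must be declared
# with "my" (or "our") in scope. Omitting this line reproduces the error
# from the thread:
#   Global symbol "$alerthostip" requires explicit package name at ...
my $alerthostip;

my @alerts;
for my $block (split /\n\n+/, $sample) {
    my %alert = (srcip => undef, dstip => undef);
    $alerthostip = undef;    # reset per alert so a block without a header cannot inherit the previous IP
    for my $line (split /\n/, $block) {
        if ($line =~ /^\d{4} \w{3} \d+ [\d:]+ \((\S+)\) ([\d.]+)->(\S+)/) {
            # Log forwarded by an agent: the agent IP is the host that logged it.
            ($alert{agent}, $alerthostip, $alert{location}) = ($1, $2, $3);
        }
        elsif ($line =~ /^\d{4} \w{3} \d+ [\d:]+ (\S+)->(\S+)/) {
            # Server-local log: hostname only, no agent IP on the line.
            ($alert{agent}, $alert{location}) = ($1, $2);
        }
        elsif ($line =~ /^Rule: (\d+) \(level (\d+)\) -> '(.*)'/) {
            @alert{qw(rule level desc)} = ($1, $2, $3);
        }
        elsif ($line =~ /^Src IP: ([\d.]+)/) {
            # Only present when the decoder extracted a network source.
            $alert{srcip} = $1;
        }
    }
    # Thread convention: dstip is the host that logged the event (the agent),
    # srcip is the decoded network source or NULL when the event is not network related.
    $alert{dstip} = $alerthostip;
    push @alerts, \%alert;
}

for my $rec (@alerts) {
    printf "rule %s level %s dstip %s srcip %s (%s)\n",
        $rec->{rule}, $rec->{level},
        (defined $rec->{dstip} ? $rec->{dstip} : 'NULL'),
        (defined $rec->{srcip} ? $rec->{srcip} : 'NULL'),
        $rec->{desc};
}
```

Running it prints one line per alert; the second (server-local) alert has no agent IP on its header line, so dstip comes out NULL rather than being made up, which is the gap Meir refers to when he says ossec-hids should report dstip itself.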



Meir Michanie wrote:
Yes, I removed ossec2base from cvs and now it is a link to ossec2mysql.


On 9/14/06, *Leonardo Goldim* <[EMAIL PROTECTED]> wrote:


    Are ossec2mysql and ossec2base/ossec-ui the same?




    Meir Michanie wrote:
    > Leonardo, get the last ossec2mysql from cvs or from www.riunx.com
    >
    > Vitor:
    > it seems that your alert logs show that the log was generated by the
    > agent.
    > We have to work to make ossec-hids report dstip by parsing the event
    > and reporting it to the log, so I do not have to make it up.
    >
    > On 9/14/06, *Leonardo Goldim* <[EMAIL PROTECTED]> wrote:
    >
    >
    >     sorry, but I don't understand your answer ...
    >     as it is today, is the dstip the agent ip?
    >     in my base, the dstip and the srcip are the same, is that right?
    >
    >
    >
    >
    >     Meir Michanie wrote:
    >     >
    >     >
    >     > On 9/14/06, *Leonardo Goldim* <[EMAIL PROTECTED]> wrote:
    >     >
    >     >
    >     >     my idea to use the real ip instead of 0.0.0.0 is to
    >     >     organize the alerts at base ...
    >     >     for example, I have a server that monitors many agents ... using
    >     >     base to analyse the alerts, I can't order by host, the alerts are
    >     >     mixed ...
    >     >
    >     >
    >     > Why not? The agent is the dst ip. Sort by dstip.
    >     >
    >     >
    >     >     if I use the dstip as the real ip, I can go to dest ip addrs ->
    >     >     select an ip and I get all the alerts from that host; is it possible
    >     >     to make the comparison that you explain using the srcip as
    >     >     0.0.0.0 or the real ip ...
    >     >
    >     > The dst ip is the one who has logged the event
    >     > and src ip is either a known network real IP or null if unknown
    >     > or not network related.
    >
    >

