It's solved! The problem was with an iptables rule in the wrong
position.

Now I have the agent connected. With tcpdump I see traffic, but I get no
alerts from the agent. I have tried some SSH brute force and I never got
the alert.

Cheers!

On Thu, 2007-01-25 at 23:27 -0400, Daniel Cid wrote:
> Hi Nicolas,
> 
> Since your agent is using a public IP (outside network) and your
> server is in the inside,
> you need to:
> 
> -Allow UDP port 1514 in the external firewall (looks like you did that
> already).
> -Allow UDP port 1514 in any personal firewall on the ossec server
> (tcpdump reads before iptables).
> -Make sure your agent firewall allows UDP 1514 outbound connections to
> the server (using proper stateful filtering to allow replies back).
> -Do the proper port forwarding/natting in the external firewall to the
> ossec server.
> 
> Hope it helps.
> 
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
> 
> 
> On 1/25/07, Nicolas Arias <[EMAIL PROTECTED]> wrote:
> >
> > Hello guys!! I'm having some trouble with an agent. I don't receive any
> > event.
> >
> > Agent is installed in a server with a public ip.
> > Server is in a lan server.
> > Port 1514 udp is forwarded from my corp firewall to my ossec server
> >
> > Ossec agent logfile:
> >
> > 2007/01/25 11:09:07 ossec-agentd(4101): Waiting for server reply (not started).
> >
> > nc from server to agent works:
> >
> > [EMAIL PROTECTED] ~]# nc -u xx.xx.xx.xx 1514
> > this is a test and is driving me crazy
> >
> > [EMAIL PROTECTED] [/var/ossec/logs]# nc -u -l -p 1514
> > this is a test and is driving me crazy
> >
> > nc from agent to server doesn't work.
> >
> > tcpdump:
> >
> > from agent:
> > 10:49:10.711042 IP agent.ip.51127 > server.ip.ossec: UDP, length 73
> >
> > from server:
> > 13:50:32.366943 IP agent.ip.51127 > server.ip.1514: UDP, length 73
> >
> > netstat -nlu from the agent:
> > udp        0      0 0.0.0.0:514                 0.0.0.0:*
> > udp        0      0 xx.xx.xxx.xxx:53             0.0.0.0:*
> > udp        0      0 127.0.0.1:53                0.0.0.0:*
> > udp        0      0 127.0.0.1:48214             0.0.0.0:*
> > udp        0      0 127.0.0.1:48215             0.0.0.0:*
> > udp        0      0 127.0.0.1:48216             0.0.0.0:*
> > udp        0      0 127.0.0.1:48217             0.0.0.0:*
> > udp        0      0 127.0.0.1:48218             0.0.0.0:*
> > udp        0      0 127.0.0.1:48220             0.0.0.0:*
> > udp        0      0 0.0.0.0:34786               0.0.0.0:*
> > udp        0      0 :::1162                     :::*
> > udp        0      0 :::49694                    :::*
> > udp        0      0 :::34787                    :::*
> >
> >
> > lsof -i udp from agent:
> >
> > ossec-age  7195  ossec    7u  IPv4 1294991       UDP agent.ip:51127->server.ip:ossec
> >
> >
> >
> > Any clue???
> >
> > thanks guys!
> >
> >
> >
> >
> >
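
Added example, not part of the original thread: a first-match walk over an `iptables -S INPUT` listing that shows how an ACCEPT for UDP 1514 placed after a catch-all REJECT never takes effect, which is the "rule in the wrong position" symptom (packets visible in tcpdump, nothing reaching the OSSEC server). The ruleset is constructed and the function names are hypothetical; only `-p`, `--dport` and `--state` matches are modelled, and any other match option is rejected rather than guessed at.

```python
import shlex

# Constructed `iptables -S INPUT` output (not from the thread): the UDP 1514
# ACCEPT was appended after a catch-all REJECT, so it can never match.
BROKEN = """\
-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 1514 -j ACCEPT
"""
_l = BROKEN.splitlines()
FIXED = "\n".join(_l[:3] + [_l[4], _l[3]])  # same rules, ACCEPT moved up

KNOWN = {"-p", "-m", "--dport", "--state", "-j", "--reject-with"}

def parse(rules, chain="INPUT"):
    """Return (policy, [(line, options)]) for one chain."""
    policy, parsed = "ACCEPT", []
    for line in rules.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", chain]:
            policy = tok[2]
        elif tok[:2] == ["-A", chain]:
            opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1])
                   if i >= 2 and t.startswith("-")}
            if set(opt) - KNOWN:
                raise ValueError(f"unsupported match in: {line}")
            parsed.append((line, opt))
    return policy, parsed

def first_match(rules, proto="udp", dport="1514"):
    """Rule number, verdict and rule text deciding a NEW inbound packet."""
    policy, parsed = parse(rules)
    for n, (line, opt) in enumerate(parsed, 1):
        if "--state" in opt and "NEW" not in opt["--state"].split(","):
            continue  # stateful rule does not cover the first packet
        if opt.get("-p", proto) != proto or opt.get("--dport", dport) != dport:
            continue
        if opt.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return n, opt["-j"], line
    return 0, policy, "chain policy"

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, first_match(rules))
```

On a live host the input would come from `iptables -S INPUT`; inserting the rule at a position with `iptables -I` rather than appending it with `-A` is what puts it ahead of the catch-all.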
