On Mar 10, 8:55 am, Philipp <[email protected]> wrote:
> hi,
<snip>
> interesting! do you have a decoder/rules for foundry equipment?
> and are you willing to share ;)
>
> cheers
> philipp
With agentless monitoring I have been able to successfully monitor
some Foundry equipment for config changes. I did have to modify the
existing ssh_generic_diff found in /var/ossec/agentless. I copied
ssh_generic_diff to ssh_foundry_diff and made the following changes:
--- ssh_generic_diff 2009-01-29 09:05:43.000000000 -0700
+++ ssh_foundry_diff 2009-03-09 11:05:09.000000000 -0600
@@ -28,9 +28,14 @@
source $sshsrc
source $susrc
-set timeout 600
-send "echo \"INFO: Starting.\"; echo \"STORE: now\";$args; exit\r"
-send "exit\r"
+send_user "INFO: Starting.\n"
+set timeout 30
+send_user "\nSTORE: now\n"
+
+send "terminal length 0\r"
+send "$args\r"
+sleep 2
+send "exit\rexit\r"
expect {
timeout {
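Review bot: the new block cuts `set timeout` from 600 to 30 seconds and then only waits a fixed `sleep 2` before sending `exit\rexit\r`, so on a device whose `sh run` takes longer than the remaining window to stream the run lands in the `timeout {` branch below and is reported as a failure instead of stored; consider keeping the larger timeout, or replacing the sleep with an `expect` on the device prompt after `send "$args\r"` so the script leaves only once the command has finished. Also, since `send_user "\nSTORE: now\n"` is written before `terminal length 0` and `$args` are sent, the echoed commands and prompts that follow are captured as part of the stored output; that is harmless as long as they are constant from run to run, but a comment noting it would save the next reader a puzzled look at the first diff.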
I then added something like this to ossec.conf in /var/ossec/etc:
<agentless>
<type>ssh_foundry_diff</type>
<frequency>3600</frequency>
<host>[email protected]</host>
<state>periodic_diff</state>
<arguments>sh run</arguments> <!-- show what's running -->
</agentless>
Then, after double-checking the perms on the agentless directory and
files and following the directions in the manual for enabling
agentless monitoring and adding host passwords, you could add a rule
like this:
<rule id="100413" level="8">
<if_sid>555</if_sid>
<hostname>foundry-core-01.example.com</hostname>
<description>Configuration change on foundry-core-01</description>
</rule>
One thing to note is that some older Foundry equipment may require
an enable password in order to execute "show config". For the
particular equipment I tested with this seems to work. As always,
YMMV.
--Matt