Hi Matt,

Thanks for the diff. Would that still work if you remove the "terminal length 0" from the code and add it in the configuration?

Something like:

<arguments>terminal length 0; sh run</arguments>

If that works, we don't need a new file, since we can merge the other changes in the original file.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Tue, Mar 10, 2009 at 3:45 PM, Matt <[email protected]> wrote:
>
> On Mar 10, 8:55 am, Philipp <[email protected]> wrote:
>> hi,
> <snip>
>> interesting! do you have a decoder/rules for foundry equipment?
>> and are you willing to share ;)
>>
>> cheers
>> philipp
>
> With agentless monitoring I have been able to successfully monitor
> some Foundry equipment for config changes. I did have to modify the
> existing ssh_generic_diff found in /var/ossec/agentless. I copied
> ssh_generic_diff to ssh_foundry_diff and made the following changes:
>
> --- ssh_generic_diff 2009-01-29 09:05:43.000000000 -0700
> +++ ssh_foundry_diff 2009-03-09 11:05:09.000000000 -0600
> @@ -28,9 +28,14 @@
> source $sshsrc
> source $susrc
>
> -set timeout 600
> -send "echo \"INFO: Starting.\"; echo \"STORE: now\";$args; exit\r"
> -send "exit\r"
> +send_user "INFO: Starting.\n"
> +set timeout 30
> +send_user "\nSTORE: now\n"
> +
> +send "terminal length 0\r"
> +send "$args\r"
> +sleep 2
> +send "exit\rexit\r"
>
> expect {
> timeout {
>
>
> I then added something like this to ossec.conf in /var/ossec/etc:
>
> <agentless>
> <type>ssh_foundry_diff</type>
> <frequency>3600</frequency>
> <host>[email protected]</host>
> <state>periodic_diff</state>
> <arguments>sh run</arguments> <!-- show what's running -->
> </agentless>
>
> Then, after double-checking the perms on the agentless directory and
> files and following the directions in the manual for enabling
> agentless monitoring and adding host passwords, you could add a rule
> like this:
>
> <rule id="100413" level="8">
> <if_sid>555</if_sid>
> <hostname>foundry-core-01.example.com</hostname>
> <description>Configuration change on foundry-core-01</description>
> </rule>
>
> One thing to note is that some older Foundry equipment may require
> an enable password in order to execute "show config". For the
> particular equipment I tested with this seems to work. As always,
> YMMV.
>
> --Matt
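Review bot: `sleep 2` followed immediately by `send "exit\rexit\r"` is a fixed delay rather than a wait for the device prompt, so on a slow device or a long running-config the output of `$args` can be cut off before the two exits go out, and the stored snapshot then differs from run to run for reasons that are not configuration changes. Suggest replacing the `sleep 2` with an `expect` on the device's prompt pattern before sending the exits, so the 30-second `set timeout` only governs a genuinely stalled session. Also, the hunk sends `$args` as a single line (`send "$args\r"`); a semicolon-separated argument list such as `terminal length 0; sh run` would reach the switch CLI verbatim instead of running as two commands the way the original shell-oriented `send` did, so if `terminal length 0` is moved into `<arguments>`, the script needs to split on `;` and send each command on its own line.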
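The patched script above emits "INFO: ..." and "STORE: now" with `send_user`, i.e. on the Expect script's own stdout, and everything the device prints after that marker is what the `periodic_diff` state keeps and compares between runs. The following is an added example, not OSSEC code and not Matt's script: a simplified model of that consumer side (an assumption about how the marker stream is handled, not a description of ossec-agentlessd's internals) that parses the markers, stores the payload per host, flags a truncated capture (the failure mode the `sleep 2` can cause) instead of storing it, and returns a unified diff when the configuration changed. The device output in `RUN_1`/`RUN_2` is constructed sample data.

```python
"""Model of the INFO/ERROR/STORE marker protocol used by OSSEC agentless
scripts, plus a per-host periodic diff.  Added example; assumptions about
the consumer side are noted in comments.  Sample data is constructed."""
import difflib

INFO_PREFIX = "INFO: "
ERROR_PREFIX = "ERROR: "
STORE_PREFIX = "STORE: "

# Constructed sample of what the modified ssh_foundry_diff writes to stdout
# on one run: the send_user markers, then the echoed commands and the
# running config as the device prints them.
RUN_1 = """INFO: Starting.

STORE: now
terminal length 0
foundry-core-01#sh run
Current configuration:
!
hostname foundry-core-01
!
interface ethernet 1/1
 port-name uplink
!
end
foundry-core-01#exit
"""

# Second run: one line added under the interface (constructed change).
RUN_2 = RUN_1.replace(" port-name uplink\n", " port-name uplink\n disable\n")

# Capture cut off before the config finished printing (what a fixed
# sleep instead of an expect on the prompt can produce).
RUN_TRUNCATED = RUN_1.split("interface")[0]


def parse_script_output(text):
    """Split script stdout into (info messages, error messages, payload lines).

    Everything after the first "STORE:" line is the payload, kept exactly as
    the device printed it (echoed commands and prompts included).
    """
    info, errors, payload = [], [], []
    storing = False
    for line in text.splitlines():
        if storing:
            payload.append(line.rstrip())
        elif line.startswith(INFO_PREFIX):
            info.append(line[len(INFO_PREFIX):])
        elif line.startswith(ERROR_PREFIX):
            errors.append(line[len(ERROR_PREFIX):])
        elif line.startswith(STORE_PREFIX):
            storing = True
    return info, errors, payload


class PeriodicDiff:
    """Per-host state: remember the last complete snapshot and report changes.

    end_marker is the line that must be present for a capture to count as
    complete; "end" is the closing line of the sample config (assumption:
    adjust per platform).
    """

    def __init__(self, end_marker="end"):
        self.end_marker = end_marker
        self.last = {}

    def check(self, host, script_output):
        info, errors, payload = parse_script_output(script_output)
        if errors or not payload:
            return {"host": host, "status": "error",
                    "errors": errors or ["empty payload"]}
        if self.end_marker not in payload:
            # Incomplete capture: do not overwrite the stored snapshot,
            # otherwise the next good run would alert on a bogus diff.
            return {"host": host, "status": "incomplete"}
        previous = self.last.get(host)
        self.last[host] = payload
        if previous is None:
            return {"host": host, "status": "stored"}
        diff = list(difflib.unified_diff(previous, payload,
                                         "previous", "current", lineterm=""))
        if not diff:
            return {"host": host, "status": "unchanged"}
        # This is the event a rule such as the one in the thread would match on.
        return {"host": host, "status": "changed", "diff": diff}


if __name__ == "__main__":
    pd = PeriodicDiff()
    for run in (RUN_1, RUN_1, RUN_TRUNCATED, RUN_2):
        result = pd.check("foundry-core-01", run)
        print(result["status"])
        for line in result.get("diff", []):
            print("   ", line)
```

Running the module prints `stored`, `unchanged`, `incomplete`, `changed` followed by the diff showing the added ` disable` line; the truncated run leaves the stored snapshot untouched, which is why the comparison for the fourth run is against the first capture and not against a partial one.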
