Hi Daniel,

A quick test on the equipment in question indicates that it won't
accept multiple commands in one statement.

While we're talking Foundry equipment, some other equipment I've
tested requires an enable password, similar to the PIX.  I've copied
ssh_pixconfig_diff to ssh_foundry_enable_diff and made the following
changes:

--- ssh_pixconfig_diff  2009-01-29 09:05:43.000000000 -0700
+++ ssh_foundry_enable_diff     2009-03-10 13:49:40.000000000 -0600
@@ -81,7 +81,7 @@

 # SSHing to the box and passing the directories to check.
 if [catch {
-    spawn ssh -c des $hostname
+    spawn ssh $hostname
 } loc_error] {
     send_user "ERROR: Opening connection: $loc_error.\n"
     exit 1;
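Review bot: dropping `-c des` from the `spawn ssh` line is the right change for the Foundry copy; forcing single DES only served old PIX images and would otherwise pin the config-collection channel to a 56-bit cipher. While here, the comment above it, `# SSHing to the box and passing the directories to check.`, was carried over from the generic script and no longer describes what this block does (it opens the session for a running-config diff), so it should be reworded.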
@@ -162,7 +162,7 @@
                 send_user "ERROR: Incorrect enable password to remote
host: $hostname .\n"
                 exit 1;
             }
-            "*rror in authenticatio*" {
+            "*rror - incorrect password*" {
                 send_user "ERROR: Incorrect enable password to remote
host: $hostname .\n"
                 exit 1;
             }
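Review bot: the enable-failure pattern is replaced rather than extended, so this file matches only `*rror - incorrect password*` and no longer catches the PIX wording; if the plan in the reply above (one merged script instead of a new file) goes ahead, keep both patterns as separate branches of the `expect` block. Note also that both branches emit the identical `ERROR: Incorrect enable password` message, so the log cannot show which device wording was actually seen.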
@@ -186,15 +186,13 @@
 set timeout 60
 send_user "\nSTORE: now\n"

-send "no pager\r"
-send "term len 0\r"
-send "terminal pager 0\r"
+send "skip-page-display\r"

 # Excluding uptime from the output
-send "show version | grep -v Configuration last| up\r"
-send "show running-config\r"
+# send "show running-config\r"
 send "$commands\r"
-send "exit\r"
+sleep 15
+send "exit\rexit\r"

 expect {
     timeout {
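Review bot: `sleep 15` followed by `send "exit\rexit\r"` is a fixed delay, not a wait for the prompt, so on a device with a large running-config or a slow link the exit is sent before the output finishes and the stored snapshot is truncated; the next run then stores a different partial copy and raises a spurious configuration-change alert. Prefer expecting the CLI prompt after `send "$commands\r"`, which the existing `set timeout 60` already bounds. Two cleanups: the `# Excluding uptime from the output` comment now describes a `show version` line that was removed, and the commented-out `# send "show running-config\r"` should be deleted rather than left in, since the config command is supplied through `$commands` (`sh run` in the `<agentless>` block below).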


And then created a rule to match:

    <agentless>
        <type>ssh_foundry_enable_diff</type>
        <frequency>7200</frequency>
        <host>[email protected]</host>
        <state>periodic_diff</state>
        <arguments>sh run</arguments> <!-- show what's running -->
    </agentless>

Again, this works for me but as always, YMMV.

--Matt

On Mar 25, 12:34 pm, Daniel Cid <[email protected]> wrote:
> Hi Matt,
>
> Thanks for the diff. Would that still work if you removed the "terminal
> length 0" from the code
> and added it in the configuration?
>
> Something like:
>
> <arguments>terminal length 0; sh run</arguments>
>
> If that works, we don't need a new file, since we can merge the other
> changes in the original file.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Tue, Mar 10, 2009 at 3:45 PM, Matt <[email protected]> wrote:
>
> > On Mar 10, 8:55 am, Philipp <[email protected]> wrote:
> >> hi,
> > <snip>
> >> interesting! do you have a decoder/rules for foundry equipment?
> >> and are you willing to share ;)
>
> >> cheers
> >> philipp
>
> > With agentless monitoring I have been able to successfully monitor
> > some Foundry equipment for config changes.  I did have to modify the
> > existing ssh_generic_diff found in /var/ossec/agentless.  I copied
> > ssh_generic_diff to ssh_foundry_diff and made the following changes:
>
> > --- ssh_generic_diff    2009-01-29 09:05:43.000000000 -0700
> > +++ ssh_foundry_diff    2009-03-09 11:05:09.000000000 -0600
> > @@ -28,9 +28,14 @@
> >  source $sshsrc
> >  source $susrc
>
> > -set timeout 600
> > -send "echo \"INFO: Starting.\"; echo \"STORE: now\";$args; exit\r"
> > -send "exit\r"
> > +send_user "INFO: Starting.\n"
> > +set timeout 30
> > +send_user "\nSTORE: now\n"
> > +
> > +send "terminal length 0\r"
> > +send "$args\r"
> > +sleep 2
> > +send "exit\rexit\r"
>
> >  expect {
> >     timeout {
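Review bot: `sleep 2` before `send "exit\rexit\r"` is a fixed delay rather than an expect on the device prompt, so a `sh run` that takes more than two seconds to print is cut off and the stored copy varies from run to run, which surfaces as false change alerts; with `set timeout` also reduced from 600 to 30 seconds, large configs are the ones most at risk. Expect the prompt after `send "$args\r"` instead. Moving `INFO: Starting.` and `STORE: now` from `send` to `send_user` is correct here, since the Foundry CLI has no `echo` to print the marker lines the generic script relied on.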
>
> > I then added something like this to ossec.conf in /var/ossec/etc:
>
> >    <agentless>
> >        <type>ssh_foundry_diff</type>
> >        <frequency>3600</frequency>
> >        <host>[email protected]</host>
> >        <state>periodic_diff</state>
> >        <arguments>sh run</arguments> <!-- show what's running -->
> >    </agentless>
>
> > Then, after double-checking the perms on the agentless directory and
> > files and following the directions in the manual for enabling
> > agentless monitoring and adding host passwords, you could add a rule
> > like this:
>
> > <rule id="100413" level="8">
> >    <if_sid>555</if_sid>
> >    <hostname>foundry-core-01.example.com</hostname>
> >    <description>Configuration change on foundry-core-01</description>
> > </rule>
>
> > One thing to note is that some older Foundry equipment may require
> > an enable password in order to execute "show config".  For the
> > particular equipment I tested with this seems to work.  As always,
> > YMMV.
>
> > --Matt
