Hi Daniel,

Thanks, the segfault is gone, but:

# /var/ossec/bin/syscheck_control -i 001 -f C:\\WINNT/system32/Win32k.sys

Integrity changes for agent 'xxx (001) - x.x.x.x':
Detailed information for entries matching: 'C:\WINNT/system32/Win32k.sys'

59120947 Mar 24 /A\,0 - C:\WINNT/system32/WIN32K.SYS
File added to the database.
Integrity checking values:
   Size: 1642096
   Md5: bf7a89981a55f91c855b371f3d75855a
   Sha1: ec3f360e9eaef34ec85f7e2ed32d7a1449602977

85527476 Apr 27 /A\,0 - C:\WINNT/system32/WIN32K.SYS
File changed. - 1st time modified.
Integrity checking values:
   Size: >1644240
   Md5: >d5ac9fe881e9db2a0b4d347f63b5ec2d
   Sha1: >74c309d367daaebcb3f8478f1fb721f71a682d0b

96104242 Nov 11 /A\,2 - C:\WINNT/system32/WIN32K.SYS
File changed. - 2nd time modified.
Integrity checking values:
   Size: >1644592
   Md5: >130e6d9b7638fe5db9bfc840b840cd45
   Sha1: >9cbb07a76a92aa577aecc73e4897efd8c34eabb5

# /var/ossec/bin/syscheck_control -i 001 -f C:\\WINNT/system32/Win32k.sys -z

Integrity changes for agent 'xxx (001) - x.x.x.x':
Detailed information for entries matching: 'C:\WINNT/system32/Win32k.sys'

** ERROR: fputs failed (unable to update counter).

As you can see I cannot reset the file changed counter.

And I noticed another strange thing: what's up with the dates in the following output from syscheck_control? Neither is it "Mar 26", which would be today, nor is it the file date, which would be "Feb 08". (http://support.microsoft.com/?scid=kb%3Ben-us%3B958690)

Detailed information for entries matching: 'C:\WINNT/Driver Cache/i386/Win32k.sys'

31071122 Jul 11,0 - C:\WINNT/Driver Cache/i386/win32k.sys
File added to the database.
Integrity checking values:
   Size: 1644240
   Md5: d5ac9fe881e9db2a0b4d347f63b5ec2d
   Sha1: 74c309d367daaebcb3f8478f1fb721f71a682d0b

179285352 Apr 13,0 - C:\WINNT/Driver Cache/i386/win32k.sys
File changed. - 1st time modified.
Integrity checking values:
   Size: >1644592
   Md5: >130e6d9b7638fe5db9bfc840b840cd45
   Sha1: >9cbb07a76a92aa577aecc73e4897efd8c34eabb5

184788096 Jul 19,2 - C:\WINNT/Driver Cache/i386/win32k.sys
File changed. - 2nd time modified.
Integrity checking values:
   Size: >1644944
   Md5: >a57ebe232cd990df2b0c4e66e60f28d7
   Sha1: >d73413277536412e76e6d1c6628155ecbf2506b1

thanks,
matthias

On Mar 26, 4:18 pm, Daniel Cid <[email protected]> wrote:
> Hi Matthias,
>
> Can you try the following snapshot?
>
> http://www.ossec.net/files/snapshots/ossec-hids-090326.tar.gz
>
> I believe we fixed this issue in there.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Wed, Mar 25, 2009 at 5:22 PM, matthias platzer <[email protected]> wrote:
> >
> > Michael,
> >
> > Indeed, I am running ossec on Centos 5.2 x86_64, so maybe this is
> > platform (architecture) specific. I may remember having read something
> > about a segfault on x86_64 on the list... but can't find the post
> > right now.
> >
> > I found the answer about my question regarding syscheck_update: that
> > tool empties the syscheck database and ossec should be stopped before
> > running it (or restarted afterwards). The right tool here would be
> > agent_control (running syscheck immediately).
> >
> > regards,
> > matthias
> >
> > On Mar 25, 2:47 pm, Michael Caplan <[email protected]> wrote:
> >> Matthias,
> >>
> >> I'm wondering if this is a platform specific issue. By any chance, are
> >> you running on 64bit linux? I'm running 64bit CentOS 5.2. I don't have
> >> this issue on a 32bit install of CentOS 5.2.
> >>
> >> Thanks,
> >>
> >> Mike
> >>
> >> On Wed, 2009-03-25 at 08:12 -0400, ddp wrote:
> >> > Try "-u local"
> >> > -u local Update syscheck database locally.
> >> >
> >> > I'm not getting a segfault for local or remote clients. Not even
> >> > clients that aren't connected.
> >> >
> >> > dan
> >> >
> >> > On Tue, Mar 24, 2009 at 7:09 PM, matthias platzer <[email protected]> wrote:
> >> > >
> >> > > hi,
> >> > >
> >> > > I just upgraded to 2.0...
> >> > > same here, seg fault with local and agent id
> >> > > ./syscheck_control -i 006
> >> > >
> >> > > Integrity changes for agent 'wsus (006) - x.x.x.x':
> >> > > Segmentation fault
> >> > >
> >> > > immediately after issuing
> >> > > ./syscheck_update -u 006
> >> > > the seg fault is gone for the agent 006.
> >> > >
> >> > > But ./syscheck_update -u 000
> >> > >
> >> > > ** Invalid agent id '000'
> >> > >
> >> > > How could I update for the local server 000?
> >> > >
> >> > > Anyway, from ./syscheck_control -h
> >> > > "-u <id> Updates (clear) the database for the agent."
> >> > >
> >> > > Does this mean clear the database and build a new one, or just update
> >> > > it by running syscheck? And what is syscheck_update for then?
> >> > > And what would be the proper way to run syscheck on an agent (from the
> >> > > server)?
> >> > >
> >> > > BTW, I might have found a bug:
> >> > > On a Windows 2000 Server, agent-2.0, setting syscheck.sleep_after=150
> >> > > in internal_options.conf prevents the agent from startup.
> >> > >
> >> > > tia+regards,
> >> > > matthias
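Added example, not code from the thread or from OSSEC: a small parser for the "Detailed information" block that syscheck_control prints above, pulling the change counter, event type and integrity values out of each entry and correlating a sha1 across paths (here the same win32k.sys hash under system32 and Driver Cache). The sample input is constructed from the hashes in the message; the leading timestamp column is left unparsed because it is garbled in this build.

```python
import re

# Added example, not OSSEC code. Sample is constructed from the thread above;
# the timestamp column is garbled there, so only ",<counter> - <path>" is used.
SAMPLE = r"""
85527476 Apr 27 /A\,0 - C:\WINNT/system32/WIN32K.SYS
File changed. - 1st time modified.
Integrity checking values:
   Size: >1644240
   Md5: >d5ac9fe881e9db2a0b4d347f63b5ec2d
   Sha1: >74c309d367daaebcb3f8478f1fb721f71a682d0b
96104242 Nov 11 /A\,2 - C:\WINNT/system32/WIN32K.SYS
File changed. - 2nd time modified.
Integrity checking values:
   Size: >1644592
   Md5: >130e6d9b7638fe5db9bfc840b840cd45
   Sha1: >9cbb07a76a92aa577aecc73e4897efd8c34eabb5
31071122 Jul 11,0 - C:\WINNT/Driver Cache/i386/win32k.sys
File added to the database.
Integrity checking values:
   Size: 1644240
   Md5: d5ac9fe881e9db2a0b4d347f63b5ec2d
   Sha1: 74c309d367daaebcb3f8478f1fb721f71a682d0b
"""

ENTRY_RE = re.compile(r"^.*?,(?P<counter>\d+) - (?P<path>.+)$")
VALUE_RE = re.compile(r"^\s*(?P<key>Size|Md5|Sha1):\s*(?P<new>>?)(?P<value>\S+)$")

def parse_syscheck(text):
    """One dict per entry; the '>' prefix on changed files' values is stripped."""
    entries, cur = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            cur = {"path": m["path"], "counter": int(m["counter"]),
                   "event": "", "values": {}}
            entries.append(cur)
        elif cur is not None and line.startswith("File "):
            cur["event"] = "added" if "added" in line else "changed"
        elif cur is not None and (v := VALUE_RE.match(line)):
            cur["values"][v["key"].lower()] = v["value"]
    return entries

def paths_by_sha1(entries):
    """sha1 -> set of paths (case-folded, as the -f match is) it was recorded at;
    one hash under several paths means the same binary landed in several places."""
    seen = {}
    for e in entries:
        if "sha1" in e["values"]:
            seen.setdefault(e["values"]["sha1"], set()).add(e["path"].lower())
    return seen
```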
