On Oct 4, 12:42 pm, "dan (ddp)" <[email protected]> wrote:
> On Tue, Oct 4, 2011 at 3:17 PM, Joe S <[email protected]> wrote:
>
> >> IP of ANY is still not working for me on the following setup:
>
> >> * Clients (multiple RHEL 6.1 AMD64) using Atomic ossec-hids-client
> >> * Server (RHEL 5.7 AMD64) using OSSEC tar.gz with patches from
> >> mercurial.
>
> >> I know this is an open source project and I intend to make no demands
> >> of anyone's time. I don't know if this is a bug or an undocumented
> >> feature. It seems like a bug, but the last email thread I had with
> >> Daniel indicated that this couldn't be a bug and that significant code
> >> would have had to have been changed for this to be true.
>
> >> So I don't know what to do.
>
> > Here's what works.
>
> > Manually edit the client.keys file. Replace "ANY" with the IP Address
> > of the host. Save file. Extract key and restart server.
> > Import key on client, restart client.
> > It works.
>
> > What is the string after the IP/any field in client.keys? What is it
> > used for? Is it some kind of hash used for authentication?
>
> Yes, that is the key.
>
So when I looked at the server code, it appears that it checks the key first, then if that fails it checks the IP, and if the IP doesn't match, it gives the 1213 error. It can't match the IP because we are using "any". Could this be a problem with how the key is created in the first place? Does the key creation rely on some library? Perhaps it's failing because my systems are not the exact same systems the RPMs were created on? These are just theories. Let me know if you want me to try anything.
