Re: [ossec-list] two interfaces

Wed, 14 Mar 2012 06:16:27 -0700


They fixed it with the route

Thank you!
____________________________________________
Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
270 E. Kilbourn Ave. | Milwaukee, WI  53202 USA | ( 1.414.347.6271 | 7 1.888.601.4440 | * [email protected]

This message is intended for use only by the person(s) addressed above and may contain privileged and confidential information. Disclosure or use of this message by any other person is strictly prohibited. If this message is received in error, please notify the sender immediately and delete this message.


From: Richard Worwood <[email protected]>
To: [email protected]
Date: 03/08/2012 01:21 PM
Subject: Re: [ossec-list] two interfaces
Sent by: [email protected]




As I thought it's your routing. because your default gateway is set on eth1 the source address for the packet will be the ip on eth1 not eth0.

Cheers

Richard
On 8 March 2012 07:51, Michael Barrett <[email protected]> wrote:

It the one on eth0   xxx.122.188.10
____________________________________________
Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
270 E. Kilbourn Ave. | Milwaukee, WI  53202 USA | ( 1.414.347.6271 | 7 1.888.601.4440 | * [email protected]

This message is intended for use only by the person(s) addressed above and may contain privileged and confidential information. Disclosure or use of this message by any other person is strictly prohibited. If this message is received in error, please notify the sender immediately and delete this message.
From: Richard Worwood <[email protected]>
To: [email protected]
Date: 03/06/2012 11:31 AM
Subject: Re: [ossec-list] two interfaces
Sent by: [email protected]



Michael,
What is the ip address you have setup for this agent on the ossec server?

Thanks

Richard


On 6 March 2012 09:12, Michael Barrett <[email protected]> wrote:

-bash-3.2# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:9E:74:AA
          inet addr:xxx.122.188.10  Bcast:xxx.144.188.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fe9e:74aa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6178827 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4160605 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1077461901 (1.0 GiB)  TX bytes:1184506761 (1.1 GiB)
          Interrupt:59 Base address:0x2000

eth1      Link encap:Ethernet  HWaddr 00:50:56:9E:46:81
          inet addr:xxx.22.190.10  Bcast:xxx.22.190.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fe9e:4681/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:436063 errors:0 dropped:0 overruns:0 frame:0
          TX packets:235094 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:279010171 (266.0 MiB)  TX bytes:254848908 (243.0 MiB)
          Interrupt:67 Base address:0x2040

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:253 errors:0 dropped:0 overruns:0 frame:0
          TX packets:253 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:59380 (57.9 KiB)  TX bytes:59380 (57.9 KiB)

-bash-3.2# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
xxx.22.190.0    0.0.0.0         255.255.255.0   U         0 0          0 eth1
xxx.144.188.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
0.0.0.0         xxx.22.190.254        0.0.0.0         UG        0 0          0 eth1


-bash-3.2# tracert ossec.server
traceroute to ossec.server (xxx.xxx.190.48), 30 hops max, 40 byte packets
 1  router          (xxx.144.190.245) 0.364 ms  0.426 ms  0.463 ms
 2  ossec.server (xxx.144.190.48)  0.155 ms  0.139 ms  0.133 ms
____________________________________________
Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
270 E. Kilbourn Ave. | Milwaukee, WI  53202 USA | ( 1.414.347.6271 | 7 1.888.601.4440 | * [email protected]

This message is intended for use only by the person(s) addressed above and may contain privileged and confidential information. Disclosure or use of this message by any other person is strictly prohibited. If this message is received in error, please notify the sender immediately and delete this message.
From: Richard Worwood <[email protected]>
To: [email protected]
Date: 03/06/2012 08:05 AM
Subject: Re: [ossec-list] two interfaces
Sent by: [email protected]



I would say this is a unix routing issue where the systems own routing table is telling the machine to use the other interface as it is "closer".

Michael, 

It would be very useful if you could supply the list with some sort of network addressing schema for your system along with a copy of the routing table.

Would suggest the following as a minimum.
  • ifconfig
  • netstat -nr
  • traceroute to ossec server 


Thanks

Richard


On 6 March 2012 06:39, Michael Barrett <[email protected]> wrote:

I'm not sure.  The unix team doesn't seem to think so....

Can I assign two keys?  I tried putting 2 in the client.keys but that didn't seem to work.  Maybe I did it wrong?
____________________________________________
Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
270 E. Kilbourn Ave. | Milwaukee, WI  53202 USA | ( 1.414.347.6271 | 7 1.888.601.4440 | * [email protected]

This message is intended for use only by the person(s) addressed above and may contain privileged and confidential information. Disclosure or use of this message by any other person is strictly prohibited. If this message is received in error, please notify the sender immediately and delete this message.
From: "dan (ddp)" <[email protected]>
To: [email protected]
Date: 03/06/2012 05:55 AM
Subject: Re: [ossec-list] two interfaces
Sent by: [email protected]




I may be way off base here, but shouldn't the system's routing take
care of this?

On Mon, Mar 5, 2012 at 1:29 PM, Michael Barrett
<[email protected]> wrote:
>
> I have a RH 5 box with two interfaces on different subnets
>
> The interface that the key is on works fine but the other interface is
> trying to connect to the ossec server and I get a reject error
>
> Is there any way to configure the agent to use only one interface?
> ____________________________________________
> Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty
> Insurance Corporation
> 270 E. Kilbourn Ave. | Milwaukee, WI  53202 USA | ( 1.414.347.6271 | 7
> 1.888.601.4440 | * [email protected]
>
> This message is intended for use only by the person(s) addressed above and
> may contain privileged and confidential information. Disclosure or use of
> this message by any other person is strictly prohibited. If this message is
> received in error, please notify the sender immediately and delete this
> message.


Reply via email to