That would be really cool; OSSEC needs SSL support. I am sure it won't be easy!
On Tuesday, February 2, 2016 at 10:51:08 PM UTC+1, Santiago Bassett wrote:
>
> That would be more than awesome!
>
> On Tue, Feb 2, 2016 at 1:27 PM, Daniel Cid <[email protected]> wrote:
>
>> Our major limitation is the size of the UDP packet when sending from the
>> agent->manager. We can't reliably split the message into multiple
>> datagrams, so we restrict by size, forcing it to always fit into 1 packet.
>> Moving to TCP would solve this limitation (this is something I am trying
>> to work on right now --> move to TCP+OpenSSL for the agent->manager
>> communication).
>>
>> thanks,
>>
>> On Tue, Feb 2, 2016 at 4:24 PM, Santiago Bassett <[email protected]> wrote:
>>
>>> There are several email threads in this list reporting similar issues. I
>>> recommend you keep an eye on those as well. Haven't had much time to
>>> look into it, but it seems there are several places where the message can
>>> be cut off. In src/headers/defs.h you will find some constants that are used
>>> to limit those sizes.
>>>
>>> This one seems interesting.
>>>
>>> src/headers/defs.h:#define OS_MAXSTR OS_SIZE_6144 /* Size for logs, sockets, etc */
>>>
>>> On Tue, Feb 2, 2016 at 12:21 PM, q <[email protected]> wrote:
>>>
>>>> Santiago, thank you for the idea!
>>>>
>>>> ;)
>>>>
>>>> On 02.02.2016 20:30, Santiago Bassett wrote:
>>>>
>>>> I think this is due to a limitation on the alert message size. I guess
>>>> you will need to look in the code and recompile if you want this to work.
>>>>
>>>> On Thu, Jan 28, 2016 at 3:12 PM, q <[email protected]> wrote:
>>>>
>>>>> list, sorry for the typo
>>>>>
>>>>> the first example is not "from ossec-alerts.log" but "from ossec.log"
>>>>>
>>>>> cheers.
>>>>>
>>>>> On 29.01.2016 01:49, q wrote:
>>>>> > Hello list!
>>>>> >
>>>>> > OSSEC can "cut" some data from 'full_command' output.
>>>>> >
>>>>> > this is from ossec-alerts.log
>>>>> >
>>>>> > ossec: output: 'tcp_netstat':
>>>>> > Active Internet connections (only servers)
>>>>> > Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
>>>>> > tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2743/sshd
>>>>> > tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4865/nginx
>>>>> > tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 2623/rsyslogd
>>>>> > tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 12159/ossec-authd
>>>>> > tcp 0 0 ::1:25 :::* LISTEN 2996/master
>>>>> > tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2996/master
>>>>> > tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 5132/mongod
>>>>> > tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 2885/mysqld
>>>>> > tcp 0 0 127.0.0.1:3333 0.0.0.0:* LISTEN 8089/uwsgi
>>>>> > tcp 0 0 :::587 :::* LISTEN 2623/r
>>>>> >
>>>>> > and this is from ossec-alerts.log
>>>>> >
>>>>> > Active Internet connections (only servers)
>>>>> > Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
>>>>> > tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2743/sshd
>>>>> > tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4865/nginx
>>>>> > tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 2623/rsyslogd
>>>>> > tcp 0 0 ::1:25 :::* LISTEN 2996/master
>>>>> > tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2996/master
>>>>> > tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 5132/mongod
>>>>> > tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 2885/mysqld
>>>>> > tcp 0 0 127.0.0.1:3333 0.0.0.0:* LISTEN 8089/uwsgi
>>>>> > tcp 0 0 :::587 :::* LISTEN 2623/rsyslogd
>>>>> >
>>>>> > Last string from /var/ossec/logs/ossec.log
>>>>> > tcp 0 0 :::587 :::* LISTEN 2623/rsyslogd
>>>>> >
>>>>> > and last string from /var/ossec/logs/alerts/ossec-alerts
>>>>> > tcp 0 0 :::587 :::* LISTEN 2623/r
>>>>> >
>>>>> > Also, check_diff doesn't work properly due to this issue.
>>>>> > I think it's a bug.
>>>>> >
>>>>> > My ossec is 2.8 (rpm from Atomic repo)
>>>>> >
>>>>> > part of my config:
>>>>> >
>>>>> > <localfile>
>>>>> >   <alias>tcp_netstat</alias>
>>>>> >   <log_format>full_command</log_format>
>>>>> >   <command>netstat -tpln |sort</command>
>>>>> > </localfile>
>>>>> >
>>>>> > Thank you!
>>>>> >
>>>>>
>>>>> --
>>>>>
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "ossec-list" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].
>>>>> For more options, visit https://groups.google.com/d/optout.
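The thread points at a fixed per-message size (the `OS_MAXSTR OS_SIZE_6144` define in src/headers/defs.h) as the reason a `full_command` output arrives cut short. The following is an added example, not OSSEC code and not written by anyone in the thread: it size-checks a command's output against that limit before you configure it, shows where a received alert stops short of the full output, and compacts netstat's column padding as the cheapest way to stay under the limit. Assumptions, labelled in the code: `OS_SIZE_6144` is taken to be 6144 bytes (the thread quotes the symbol, not its value), and the agent is assumed to prepend `ossec: output: '<alias>':` to the output, as the quoted alert shows. Note that the listing quoted in the thread is far below 6144 bytes and was still cut, which matches Santiago's remark that the message can be clipped in several places; treat the report as an upper bound, not a guarantee.

```python
"""Added example (not OSSEC code): pre-check full_command output size and
locate where a received alert was cut, relative to the full output."""
from typing import Optional

OS_MAXSTR = 6144  # assumed numeric value of OS_SIZE_6144 from src/headers/defs.h


def agent_message(alias: str, output: str) -> str:
    """Approximate what the agent ships for a full_command entry (assumed format,
    modelled on the 'ossec: output: ...' line quoted in the thread)."""
    return f"ossec: output: '{alias}':\n{output}"


def fit_report(alias: str, output: str, limit: int = OS_MAXSTR) -> dict:
    """Report whether the output fits a single message of `limit` bytes."""
    size = len(agent_message(alias, output).encode("utf-8"))
    return {
        "bytes": size,
        "limit": limit,
        "truncated": size > limit,
        "overflow": max(0, size - limit),
    }


def find_cut(full: str, received: str) -> Optional[dict]:
    """Compare the full output (e.g. from ossec.log) with what reached the alert.
    Returns None when intact, otherwise how many lines arrived and the partial line."""
    full_lines = full.splitlines()
    recv_lines = received.splitlines()
    if recv_lines == full_lines:
        return None
    if not full.startswith(received):
        raise ValueError("received text is not a prefix of the full output")
    n = len(recv_lines)
    partial = None
    if n and recv_lines[-1] != full_lines[n - 1]:
        partial = recv_lines[-1]  # last line arrived, but clipped mid-line
    return {
        "lines_received": n,
        "lines_expected": len(full_lines),
        "partial_line": partial,
    }


def compact_netstat(output: str) -> str:
    """Collapse netstat's column padding to single spaces: same facts, fewer bytes."""
    return "\n".join(" ".join(line.split()) for line in output.splitlines()) + "\n"


# Constructed sample built from rows quoted in the thread, with netstat-style padding.
FULL_OUTPUT = (
    "Active Internet connections (only servers)\n"
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name\n"
    "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2743/sshd\n"
    "tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4865/nginx\n"
    "tcp        0      0 :::587                  :::*                    LISTEN      2623/rsyslogd\n"
)
# What the thread's alert carried: the last line ends in "2623/r" (constructed from it).
RECEIVED_OUTPUT = FULL_OUTPUT[: -len("syslogd\n")]


def constructed_netstat(rows: int) -> str:
    """Generate a netstat-like listing with `rows` listening sockets (constructed data)."""
    header = [
        "Active Internet connections (only servers)",
        "Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name",
    ]
    body = [
        f"tcp        0      0 127.0.0.1:{10000 + i:<14}0.0.0.0:*               LISTEN      {2000 + i}/daemon{i}"
        for i in range(rows)
    ]
    return "\n".join(header + body) + "\n"


if __name__ == "__main__":
    print(fit_report("tcp_netstat", FULL_OUTPUT))
    print(find_cut(FULL_OUTPUT, RECEIVED_OUTPUT))
    big = constructed_netstat(80)
    print("80 sockets:", fit_report("tcp_netstat", big))
    print("80 sockets, compacted:", fit_report("tcp_netstat", compact_netstat(big)))
```

To use it against a real host, feed the captured output of the configured command (here `netstat -tpln |sort`) to `fit_report`, and feed the matching lines from ossec.log and the alert to `find_cut`; a `partial_line` in the result is the same symptom the thread shows with `2623/r`. If the report says the listing overflows, a compacting filter in the `<command>` (the whitespace collapse above is the harmless version) keeps each message under the limit without losing fields, whereas the only other options named in the thread are recompiling with a larger constant or waiting for the TCP transport.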
