Hi Graeme,

Victor implemented this yesterday in our fork: https://github.com/wazuh/ossec-wazuh/commit/b277f0b159a0145d7501d446c429db19a50f922a

It actually shows the wrong ID in the message (the one the agent is trying to use):

2016/02/03 19:27:52 ossec-remoted(1408): ERROR: Invalid ID 1036 for the source ip: XX.XX.XX.XX'

I think he is working on a pull request.

Best

On Tue, Feb 2, 2016 at 10:19 AM, Graeme Stewart <[email protected]> wrote:

> Hi Santiago,
>
> Upon looking at the source, I'm not actually sure this is really a feasible ask.
>
> Looks like the client sends a hash of its ID and key to the manager and the manager then compares that to a table of ID/key hashes. So the actual client ID is never sent in the message in a way that would permit the manager to enumerate the true ID.
>
> int _os_genhash (OSHash * self, char *key)
> <http://fossies.org/dox/ossec-hids-2.8.3/hash__op_8c.html#a59af72e305e0463ff084ce2bb41e5565>
> <http://fossies.org/dox/ossec-hids-2.8.3/struct__OSHash.html>
> {
>     unsigned int hash_key = self->initial_seed;
>
>     /* What we have here is a simple polynomial hash.
>      * x0 * a^k-1 .. xk * a^k-k +1
>      */
>     while(*key)
>     {
>         hash_key *= self->constant;
>         hash_key += *key;
>         key++;
>     }
>
>     return(hash_key);
> }
>
> I might ask that the actual manager / ID failing hash be included in the error (or debug) log, that way we could "out of band" (not within OSSEC itself) attempt to identify client keys using an externalized key management process.
>
> Thanks for replying.
>
> Graeme
>
> On Tuesday, February 2, 2016 at 9:40:22 AM UTC-8, Santiago Bassett wrote:
>>
>> Hi Graeme,
>>
>> this is the message you refer to right?
>>
>> src/error_messages/error_messages.h:#define ENC_IP_ERROR "%s(1408): ERROR: *Invalid ID* for the source ip: '%s'."
>>
>> Feel free to open issues in github for these types of requests. Just opened one for this one.
>>
>> Best regards
>>
>> On Fri, Jan 29, 2016 at 9:26 AM, Graeme Stewart <[email protected]> wrote:
>>
>>> Would it really be difficult to actually show the error remote host ID in the ossec.log? This would make identifying key mismatch so much easier.
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
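The following is an added, stand-alone C example (editor's illustration, not OSSEC or Wazuh code) that models the lookup Graeme describes: the polynomial string hash quoted from hash_op.c, applied to a submitted agent ID, compared against hashes of the manager's known IDs. The `SEED` and `CONSTANT` values, the `known_ids` list and the helper names (`os_genhash`, `find_agent`, `format_invalid_id`) are constructed assumptions; OSSEC keeps its seed and constant inside the `OSHash` struct and is not reproduced here. The point it demonstrates is the diagnostic gap the thread is about: a failed lookup yields only "no match", so the only way the log can name the offending agent is to print the ID value the manager received, which is what the fork's commit does.

```c
#include <stdio.h>
#include <string.h>

/* Assumed seed and multiplier for this example only (OSSEC reads these
 * from self->initial_seed and self->constant in the OSHash struct). */
#define SEED     12345u
#define CONSTANT 31u

/* Polynomial string hash in the form quoted in the thread:
 *   h = seed; for each byte: h = h * constant + byte
 * The byte is cast to unsigned char so bytes >= 0x80 cannot sign-extend. */
unsigned int os_genhash(unsigned int seed, unsigned int constant, const char *key)
{
    unsigned int hash_key = seed;
    while (*key) {
        hash_key *= constant;
        hash_key += (unsigned char)*key;
        key++;
    }
    return hash_key;
}

/* Constructed list of agent IDs the manager knows about (assumption). */
static const char *known_ids[] = { "001", "002", "003" };
#define N_KNOWN (sizeof known_ids / sizeof known_ids[0])

/* Simulates the manager-side check: hash the submitted ID and look for a
 * matching hash among the known agents. Returns the index of the matching
 * agent, or -1 when nothing matches (the "Invalid ID" condition). */
int find_agent(const char *submitted_id)
{
    unsigned int h = os_genhash(SEED, CONSTANT, submitted_id);
    for (size_t i = 0; i < N_KNOWN; i++) {
        if (os_genhash(SEED, CONSTANT, known_ids[i]) == h)
            return (int)i;
    }
    return -1;
}

/* Builds the improved error text in the shape of the fork's message:
 * it includes the ID the agent tried to use, because after a failed lookup
 * the submitted value is the only thing that identifies the sender.
 * Returns the number of characters written (excluding the terminator). */
int format_invalid_id(char *out, size_t outlen, const char *submitted_id,
                      const char *src_ip)
{
    return snprintf(out, outlen,
                    "ossec-remoted(1408): ERROR: Invalid ID %s for the source ip: '%s'.",
                    submitted_id, src_ip);
}

int main(void)
{
    /* Constructed inputs: one registered agent, one unknown one. */
    const char *attempts[] = { "002", "1036" };
    char line[256];

    for (size_t i = 0; i < 2; i++) {
        int idx = find_agent(attempts[i]);
        if (idx >= 0) {
            printf("ID %s matched known agent #%d\n", attempts[i], idx);
        } else {
            format_invalid_id(line, sizeof line, attempts[i], "192.0.2.10");
            printf("%s\n", line);
        }
    }
    return 0;
}
```

Run as-is, the unknown ID produces an error line that names the value the agent sent; with the original `ENC_IP_ERROR` format only the source IP would appear, which is why the thread asks for the change. Note that a hash match is still only as strong as the hash: the quoted routine is a simple polynomial, so a production comparison must follow the hash hit with a comparison of the full key material rather than trusting the hash alone.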
