Wow, that was fast! Awesome, this is a huge help. Thank you.
On Wednesday, February 3, 2016 at 12:24:49 PM UTC-8, Santiago Bassett wrote:
>
> Hi Graeme,
>
> Victor implemented this yesterday in our fork:
> https://github.com/wazuh/ossec-wazuh/commit/b277f0b159a0145d7501d446c429db19a50f922a
>
> It actually shows the wrong ID in the message (the one the agent is trying to use):
>
> 2016/02/03 19:27:52 ossec-remoted(1408): ERROR: Invalid ID 1036 for the source ip: XX.XX.XX.XX'
>
> I think he is working on a pull request.
>
> Best
>
> On Tue, Feb 2, 2016 at 10:19 AM, Graeme Stewart <[email protected]> wrote:
>
>> Hi Santiago,
>>
>> Upon looking at the source, I'm not actually sure this is really a feasible ask.
>>
>> Looks like the client sends a hash of its ID and key to the manager and the manager then compares that to a table of ID/key hashes. So the actual client ID is never sent in the message in a way that would permit the manager to enumerate the true ID.
>>
>> http://fossies.org/dox/ossec-hids-2.8.3/hash__op_8c.html#a59af72e305e0463ff084ce2bb41e5565
>>
>>     int _os_genhash(OSHash *self, char *key)
>>     {
>>         unsigned int hash_key = self->initial_seed;
>>
>>         /* What we have here is a simple polynomial hash.
>>          * x0 * a^k-1 .. xk * a^k-k +1
>>          */
>>         while (*key) {
>>             hash_key *= self->constant;
>>             hash_key += *key;
>>             key++;
>>         }
>>
>>         return (hash_key);
>>     }
>>
>> I might ask that the actual manager / ID failing hash be included in the error (or debug) log, that way we could "out of band" (not within OSSEC itself) attempt to identify client keys using an externalized key management process.
>>
>> Thanks for replying.
>>
>> Graeme
>>
>> On Tuesday, February 2, 2016 at 9:40:22 AM UTC-8, Santiago Bassett wrote:
>>>
>>> Hi Graeme,
>>>
>>> this is the message you refer to right?
>>>
>>> src/error_messages/error_messages.h:#define ENC_IP_ERROR "%s(1408): ERROR: *Invalid ID* for the source ip: '%s'."
>>>
>>> Feel free to open issues in github for these types of requests. Just opened one for this one.
>>>
>>> Best regards
>>>
>>> On Fri, Jan 29, 2016 at 9:26 AM, Graeme Stewart <[email protected]> wrote:
>>>
>>>> Would it really be difficult to actually show the error remote host ID in the ossec.log? This would make identifying key mismatch so much easier.
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
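As an added example (not code from this thread, from OSSEC or from the Wazuh fork), here is a small Python triage script for the out-of-band key-mismatch identification Graeme describes: it parses both forms of the 1408 "Invalid ID" message quoted above, counts them per source IP and attempted agent ID, and checks each pair against a copy of the manager's client.keys (assumed to be in the usual `ID NAME IP KEY` line format). The triage hints are this example's own heuristic, not logic taken from OSSEC, and the log lines and keys are constructed.

```python
import re
from collections import Counter

# Stock OSSEC 2.8.x message has no ID; the Wazuh-fork variant inserts the ID after "Invalid ID".
INVALID_ID_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [\w-]+\(1408\): "
    r"ERROR: Invalid ID(?: (?P<agent_id>\d+))? for the source ip: "
    r"'?(?P<ip>[^']+)'?\.?$"
)

def parse_invalid_id(line):  # -> (timestamp, agent id or None, source ip), or None if not a 1408 line
    m = INVALID_ID_RE.match(line.strip())
    return (m.group("ts"), m.group("agent_id"), m.group("ip")) if m else None

def load_client_keys(text):
    """Parse client.keys lines ('ID NAME IP KEY') into {ID: (NAME, IP)}; the key material is dropped."""
    keys = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) == 4 and not raw.startswith("#"):
            keys[parts[0]] = (parts[1], parts[2])
    return keys

def classify(log_lines, client_keys):
    """Count 1408 errors per (source ip, agent id) and attach a triage hint (heuristic; exact IP or 'any' only)."""
    counts = Counter()
    for line in log_lines:
        rec = parse_invalid_id(line)
        if rec:
            counts[(rec[2], rec[1])] += 1
    report = {}
    for (ip, agent_id), n in counts.items():
        if agent_id is None:
            hint = "id not logged (stock message); correlate by ip manually"
        elif agent_id not in client_keys:
            hint = "id not present in client.keys on the manager"
        elif client_keys[agent_id][1] not in ("any", ip):
            hint = "id registered to %s, not %s" % (client_keys[agent_id][1], ip)
        else:
            hint = "id and ip registered; probable key mismatch, re-import the key"
        report[(ip, agent_id)] = (n, hint)
    return report

# Constructed sample input (documentation-range IPs, placeholder keys).
SAMPLE_LOG = """\
2016/02/03 19:27:52 ossec-remoted(1408): ERROR: Invalid ID 1036 for the source ip: 192.0.2.10'
2016/02/03 19:28:01 ossec-remoted(1408): ERROR: Invalid ID 1036 for the source ip: 192.0.2.10'
2016/02/03 19:28:07 ossec-remoted(1408): ERROR: Invalid ID 1040 for the source ip: 192.0.2.12'
2016/02/03 19:28:09 ossec-remoted(1408): ERROR: Invalid ID for the source ip: '192.0.2.11'.
"""
SAMPLE_KEYS = "1036 web01 192.0.2.10 PLACEHOLDER_KEY\n1040 db01 192.0.2.99 PLACEHOLDER_KEY\n"
```

Run `classify(SAMPLE_LOG.splitlines(), load_client_keys(SAMPLE_KEYS))` to get, per (ip, id) pair, the hit count and a hint; feed it the real ossec.log and client.keys in place of the samples.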
