Hi again,

I don't really understand how it works if you don't have any OSSEC listening on 1514; maybe you have mistaken the hosts. On my labs, if I run

    netstat -tunlp

the output for OSSEC will be:

    udp        0      0 0.0.0.0:1514            0.0.0.0:*                           14287/ossec-remoted
    tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      9684/ossec-authd

Another tool for analysis is "traceroute"; you can see how many jumps there are and how you are getting to the OSSEC manager destination.

Debian: apt-get install traceroute

    traceroute your_ossec_server

Hope it helps. I am sorry I am not being so helpful, but I don't really know your network, so I am not sure what could be happening there :D

On Tuesday, October 4, 2016 at 9:25:46 AM UTC+2, Ali Khan wrote:
>
> These are the listening ports on the server:
>
>     Proto Recv-Q Send-Q Local Address           Foreign Address         State
>     tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
>     tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
>     tcp        0      0 0.0.0.0:40001           0.0.0.0:*               LISTEN
>     tcp        0      0 0.0.0.0:40002           0.0.0.0:*               LISTEN
>     tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN
>     tcp        0      0 0.0.0.0:40003           0.0.0.0:*               LISTEN
>     tcp        0      0 0.0.0.0:40004           0.0.0.0:*               LISTEN
>     tcp        0      0 0.0.0.0:25672           0.0.0.0:*               LISTEN
>     tcp        0      0 127.0.0.1:40009         0.0.0.0:*               LISTEN
>     tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN
>     tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
>     tcp        0      0 0.0.0.0:40011           0.0.0.0:*               LISTEN
>     tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN
>     tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN
>     tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN
>     tcp        0      0 0.0.0.0:6380            0.0.0.0:*               LISTEN
>     tcp        0      0 0.0.0.0:9390            0.0.0.0:*               LISTEN
>     tcp        0      0 0.0.0.0:9391            0.0.0.0:*               LISTEN
>     tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
>     tcp        0      0 127.0.0.1:28017         0.0.0.0:*               LISTEN
>     tcp        0      0 0.0.0.0:4369            0.0.0.0:*               LISTEN
>     tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
>     tcp6       0      0 :::3128                 :::*                    LISTEN
>     tcp6       0      0 :::514                  :::*                    LISTEN
>     tcp6       0      0 :::40005                :::*                    LISTEN
>     tcp6       0      0 :::40006                :::*                    LISTEN
>     tcp6       0      0 :::5672                 :::*                    LISTEN
>     tcp6       0      0 :::6380                 :::*                    LISTEN
>     tcp6       0      0 :::22                   :::*                    LISTEN
>
> Now 1515 is in listening state and is also allowed in iptables, but I am not able to telnet it.
>
> Moreover, when I do manual agent key registration, it works perfectly. I even checked by doing some failed login attempts, and those login attempts were shown on the AV dashboard by HIDS after I did manual key registration, but when I netstat, 1514 isn't being shown as listening. Now all these things contradict each other, and I myself don't know what's happening here. Neither 1515 nor 1514 can be telnetted, but failed login attempts on the system for which I did manual registration are being shown on the dashboard, and OSSEC uses 1514 for this purpose, but 1514 can't be telnetted and isn't in listening state, and when I run nmap none of these ports are open.
>
> On Mon, Oct 3, 2016 at 10:58 PM, Dodain Dodo <[email protected]> wrote:
>>
>> The manual agent installation works perfectly and it even shows HIDS events/alarms for my host/PC.
>>
>> On Oct 3, 2016 10:51 PM, "Pedro Sanchez" <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> I think this could be a connectivity issue. ossec-authd looks to be listening correctly; did you try to add the agent manually and check for 1514 connectivity? I am not sure if both servers are able to communicate in a different way; try to use tcpdump on the server side and telnet on the other.
>>>
>>> Server:
>>>
>>>     tcpdump -i eth0 port 1515 -vv
>>>
>>> Agent:
>>>
>>>     telnet server_ip 1515
>>>
>>> Try to add it manually; if that works, we can keep going with the ossec-authd deployment.
>>>
>>> On Mon, Oct 3, 2016 at 5:57 PM, Dodain Dodo <[email protected]> wrote:
>>>>
>>>> Hi Pedro,
>>>>
>>>> Thanks for replying. Sorry, I forgot to mention a few details. Firstly, I am using AlienVault USM. Secondly, the OSSEC server is listening, so the server part is working; the problem I am getting is that the agent/client isn't able to connect to the server on port 1515, and I am not able to find out why my agent isn't able to communicate with the OSSEC server on port 1515. For that I even added port 1515 in iptables. Since the agent isn't able to communicate, tcpdump on the server shows 0 packets.
>>>>
>>>>     tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      5504/ossec-authd
>>>>
>>>> On Mon, Oct 3, 2016 at 1:21 PM, Pedro Sanchez <[email protected]> wrote:
>>>>>
>>>>> Hi Ali,
>>>>>
>>>>> Could you confirm that ossec-authd is running and listening on the sensor? You could use
>>>>>
>>>>>     netstat -pna | grep 1515
>>>>>
>>>>> The expected output will be similar to:
>>>>>
>>>>>     tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      9684/ossec-authd
>>>>>
>>>>> It seems like you have some connectivity problems. Be sure that the agent can actually access the 1515 port; you could use tcpdump at the OSSEC Manager to listen for incoming packets to the 1515 port:
>>>>>
>>>>>     root@ubuntu5:/var/ossec/etc# tcpdump -i eth0 port 1515 -vv
>>>>>     tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>>>>>     01:20:11.033864 IP (tos 0x0, ttl 128, id 22397, offset 0, flags [DF], proto TCP (6), length 52)
>>>>>         192.168.1.30.57495 > 192.168.1.10.1515: Flags [S], cksum 0x4748 (correct), seq 2326532896, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
>>>>>     01:20:11.033931 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
>>>>>         192.168.1.10.1515 > 192.168.1.30.57495: Flags [S.], cksum 0x839f (incorrect -> 0x141f), seq 3245350808, ack 2326532897, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
>>>>>     01:20:11.034075 IP (tos 0x0, ttl 128, id 22398, offset 0, flags [DF], proto TCP (6), length 40)
>>>>>         192.168.1.30.57495 > 192.168.1.10.1515: Flags [.], cksum 0xbefc (correct), seq 1, ack 1, win 2053, length 0
>>>>>     01:20:11.035593 IP (tos 0x0, ttl 128, id 22399, offset 0, flags [DF], proto TCP (6), length 203)
>>>>>         192.168.1.30.57495 > 192.168.1.10.1515: Flags [P.], cksum 0xeedb (correct), seq 1:164, ack 1, win 2053, length 163
>>>>>     01:20:11.035668 IP (tos 0x0, ttl 64, id 37466, offset 0, flags [DF], proto TCP (6), length 40)
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Pedro S.
>>>>>
>>>>> On Mon, Oct 3, 2016 at 10:03 AM, Ali Khan <[email protected]> wrote:
>>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> I am trying to use ossec agent-auth to do automatic agent key registration with the OSSEC server.
>>>>>>
>>>>>> I did the following on the server:
>>>>>>
>>>>>>     openssl genrsa -out /var/ossec/etc/sslmanager.key 2048
>>>>>>     openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365
>>>>>>     /var/ossec/bin/ossec-authd -p 1515 -i >/dev/null 2>&1 &
>>>>>>
>>>>>> added the following rule to /etc/ossim/firewall_include:
>>>>>>
>>>>>>     -A INPUT -p tcp --dport 1515 -j ACCEPT
>>>>>>
>>>>>> ran ossim-reconfig, and then again started /var/ossec/bin/ossec-authd -p 1515 -i >/dev/null 2>&1 & and the process starts.
>>>>>>
>>>>>> However, when I run ./agent-auth -m 192.168.10.246 -p 1515 on the agent I get the following error:
>>>>>>
>>>>>>     2016/10/03 12:34:58 ossec-authd: INFO: Started (pid: 9656).
>>>>>>     2016/10/03 12:34:58 ossec-authd: Unable to connect to 192.168.10.246:1515
>>>>>>
>>>>>> Any kind of help would be appreciated.
>>>>>>
>>>>>> Looking forward to your reply.
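The thread turns on two things that are easy to get wrong when checking an OSSEC manager: a listing that contains only tcp/tcp6 rows (like the one quoted above) can never show ossec-remoted, because UDP sockets have no LISTEN state and only appear when netstat is asked for UDP (-u), and an iptables line pasted from a mail client or wiki often carries Unicode dashes that iptables rejects. The script below is an added example, not code from the thread, from OSSEC or from AlienVault: it parses a `netstat -tunlp` listing for 1515/tcp (ossec-authd) and 1514/udp (ossec-remoted), checks a firewall_include rule for non-ASCII bytes and for accepting 1515/tcp, and gives an agent-side TCP probe that needs neither telnet nor nc. The netstat samples, PIDs and the 192.168.10.246 address in the usage comment are constructed; `probe_tcp` assumes bash (for /dev/tcp) and coreutils `timeout` are installed on the agent.

```shell
#!/bin/sh
# Added example (not from the ossec-list thread): sanity checks for OSSEC
# agent enrolment connectivity.
#   1515/tcp  ossec-authd    (agent-auth key enrolment)
#   1514/udp  ossec-remoted  (agent event traffic)
# The netstat samples, PIDs and host names below are constructed for the demo.

# ossec_ports_listening NETSTAT_TEXT
# Parse `netstat -tunlp` output taken on the manager and report whether the
# two agent-facing sockets are bound. Returns 0 only when both are present.
# UDP sockets never show a LISTEN state, so a TCP-only listing (netstat -tlnp,
# or a default nmap TCP scan) cannot show 1514/udp.
ossec_ports_listening() {
    text=$1
    rc=0
    if printf '%s\n' "$text" | grep -Eq '^tcp6?[[:space:]].*:1515[[:space:]].*LISTEN'; then
        echo "1515/tcp: LISTEN (ossec-authd)"
    else
        echo "1515/tcp: not listening - is ossec-authd running?"
        rc=1
    fi
    if printf '%s\n' "$text" | grep -Eq '^udp6?[[:space:]].*:1514[[:space:]]'; then
        echo "1514/udp: bound (ossec-remoted)"
    else
        echo "1514/udp: not bound - check ossec-remoted, and that the listing includes UDP (-u)"
        rc=1
    fi
    return $rc
}

# firewall_rule_ok RULE
# Check an iptables line destined for /etc/ossim/firewall_include: it must be
# pure ASCII (Unicode dashes such as "–p" make iptables fail) and must accept
# 1515/tcp.
firewall_rule_ok() {
    rule=$1
    if printf '%s' "$rule" | LC_ALL=C grep -q '[^ -~]'; then
        echo "rule contains non-ASCII bytes (smart dashes?): $rule" >&2
        return 1
    fi
    case $rule in
        *"-p tcp"*"--dport 1515"*"-j ACCEPT"*) return 0 ;;
    esac
    echo "rule does not accept 1515/tcp: $rule" >&2
    return 1
}

# probe_tcp HOST PORT
# Agent-side reachability test for 1515/tcp without telnet or nc: bash's
# /dev/tcp pseudo-device plus coreutils timeout. Returns 0 on a completed TCP
# handshake. Pair it with `tcpdump -ni eth0 'tcp port 1515 or udp port 1514'`
# on the manager to see whether packets arrive at all. Not run in the demo.
probe_tcp() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Constructed samples: a full `netstat -tunlp` listing and a TCP-only one.
SAMPLE_FULL='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:1514            0.0.0.0:*                           14287/ossec-remoted
tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      9684/ossec-authd'
SAMPLE_TCP_ONLY='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      5504/ossec-authd'

echo "== full listing =="
ossec_ports_listening "$SAMPLE_FULL"
echo "== TCP-only listing =="
ossec_ports_listening "$SAMPLE_TCP_ONLY" || echo "(rerun netstat with -u before suspecting ossec-remoted)"
echo "== firewall rule =="
firewall_rule_ok '-A INPUT -p tcp --dport 1515 -j ACCEPT' && echo "rule OK"
# Agent side, by hand (constructed address):  probe_tcp 192.168.10.246 1515 && echo reachable
```

Run it on the manager with a real listing (`ossec_ports_listening "$(netstat -tunlp)"`) after sourcing the file; if 1515/tcp is bound but `probe_tcp` from the agent fails while tcpdump on the manager stays silent, the packets are being dropped before the host, which is a routing or upstream firewall problem rather than an ossec-authd one.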
