Hi Pedro,
I have already done all these things. Your and my netstat results are the
same: 1515 is in listening state and 1514 is also there. Sorry, since it
(1514) is a UDP port, how can it be in listening mode? My bad.
udp 0 0 0.0.0.0:1514 0.0.0.0:* 27560/ossec-remoted
tcp 0 0 0.0.0.0:1515 0.0.0.0:* LISTEN 5504/ossec-authd
So we are back where we started. The server end is fine and the ossec agent
is sending logs on 1514, but 1515, although in listening state, is not able
to make a connection with the ossec server. Is your agent-auth working fine?
/var/ossec/bin/agent-auth -m x.x.x.x -p 1515
Moreover, I was interested in reading the source code for agent-auth, to see
if I can find a workaround. :)
On Tue, Oct 4, 2016 at 1:49 PM, Pedro S <[email protected]> wrote:
> Hi again,
>
> I don't really understand how it works if you don't have any OSSEC
> listening on 1514; maybe you are mistaking the hosts. On my labs, if I run
>
> netstat -tunlp
>
>
> The output for OSSEC will be:
>
>
>> udp 0 0 0.0.0.0:1514 0.0.0.0:* 14287/ossec-remoted
>> tcp 0 0 0.0.0.0:1515 0.0.0.0:* LISTEN 9684/ossec-authd
>
>
> Another tool for analysis is "traceroute"; you can see how many jumps there
> are and how you are getting to the OSSEC manager destination.
> Debian: apt-get install traceroute
>
> traceroute your_ossec_server
>
>
>
> Hope it helps. I am sorry I am not being so helpful, but I don't really
> know your network, so... I am not sure what could be happening there :D
>
>
> On Tuesday, October 4, 2016 at 9:25:46 AM UTC+2, Ali Khan wrote:
>
>> These are the listening ports on the server:
>> Proto Recv-Q Send-Q Local Address Foreign Address State
>>
>> tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:40001 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:40002 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:40003 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:40004 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:25672 0.0.0.0:* LISTEN
>> tcp 0 0 127.0.0.1:40009 0.0.0.0:* LISTEN
>> tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:40011 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:1515 0.0.0.0:* LISTEN
>> tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN
>> tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:6380 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:9390 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:9391 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
>> tcp 0 0 127.0.0.1:28017 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:4369 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
>> tcp6 0 0 :::3128 :::* LISTEN
>> tcp6 0 0 :::514 :::* LISTEN
>> tcp6 0 0 :::40005 :::* LISTEN
>> tcp6 0 0 :::40006 :::* LISTEN
>> tcp6 0 0 :::5672 :::* LISTEN
>> tcp6 0 0 :::6380 :::* LISTEN
>> tcp6 0 0 :::22 :::* LISTEN
>>
>> Now 1515 is in listening state and is also allowed in iptables, but I am
>> not able to telnet to it. Moreover, when I do manual agent key
>> registration, it works perfectly. I even checked by doing some failed
>> login attempts, and those login attempts were shown on the AV dashboard by
>> HIDS after I did manual key registration, but when I run netstat, 1514
>> isn't shown as being in listening state. Now all these things contradict
>> each other, and I myself don't know what's happening here. Neither 1515
>> nor 1514 can be telnetted, but failed login attempts on the system for
>> which I did manual registration are being shown on the dashboard, and
>> Ossec uses 15154 for this purpose, but 1514 can't be telnetted and isn't
>> in listening state, and when I run nmap none of these ports are open.
>>
>>
>>
>> On Mon, Oct 3, 2016 at 10:58 PM, Dodain Dodo <[email protected]> wrote:
>>
>>> The manual agent installation works perfectly, and it even shows HIDS
>>> events/alarms for my host/PC.
>>>
>>> On Oct 3, 2016 10:51 PM, "Pedro Sanchez" <[email protected]> wrote:
>>> >
>>> > Hi,
>>> >
>>> > I think this could be a connectivity issue; ossec-authd looks to be
>>> > listening correctly. Did you try to add the agent manually and check for
>>> > 1514 connectivity? I am not sure if both servers are able to communicate
>>> > in a different way; try to use tcpdump on the server side and telnet on
>>> > the other.
>>> >
>>> > Server:
>>> >
>>> >> tcpdump -i eth0 port 1515 -vv
>>> >
>>> >
>>> > Agent:
>>> >
>>> >> telnet server_ip 1515
>>> >
>>> >
>>> >
>>> > Try to add it manually; if that works, we can keep going with the
>>> > ossec-authd deployment.
>>> >
>>> >
>>> > On Mon, Oct 3, 2016 at 5:57 PM, Dodain Dodo <[email protected]>
>>> wrote:
>>> >>
>>> >> Hi Pedro,
>>> >>
>>> >> Thanks for replying. Sorry, I forgot to mention a few details.
>>> >> Firstly, I am using AlienVault USM. Secondly, the ossec server is
>>> >> listening, so the server part is working; the problem I am getting is
>>> >> that the agent/client isn't able to connect to the server on port 1515,
>>> >> and I am not able to find out why my agent isn't able to communicate
>>> >> with the ossec server on port 1515. For that I even added port 1515 in
>>> >> iptables. Since the agent isn't able to communicate, tcpdump on the
>>> >> server shows 0 packets.
>>> >>
>>> >> tcp 0 0 0.0.0.0:1515 0.0.0.0:* LISTEN 5504/ossec-authd
>>> >>
>>> >>
>>> >> On Mon, Oct 3, 2016 at 1:21 PM, Pedro Sanchez <[email protected]>
>>> wrote:
>>> >>>
>>> >>> Hi Ali,
>>> >>>
>>> >>> Could you confirm that ossec-authd is running and listening on the
>>> >>> sensor? You could use
>>> >>>>
>>> >>>>
>>> >>>> netstat -pna | grep 1515
>>> >>>
>>> >>>
>>> >>> The expected output will be similar to:
>>> >>>
>>> >>>> tcp 0 0 0.0.0.0:1515 0.0.0.0:* LISTEN 9684/ossec-authd
>>> >>>
>>> >>>
>>> >>> It seems like you have some connectivity problems; be sure that the
>>> >>> agent can actually access the 1515 port. You could use tcpdump at the
>>> >>> OSSEC Manager to listen for incoming packets to the 1515 port:
>>> >>>
>>> >>>> root@ubuntu5:/var/ossec/etc# tcpdump -i eth0 port 1515 -vv
>>> >>>> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>>> >>>> 01:20:11.033864 IP (tos 0x0, ttl 128, id 22397, offset 0, flags [DF], proto TCP (6), length 52)
>>> >>>> 192.168.1.30.57495 > 192.168.1.10.1515: Flags [S], cksum 0x4748 (correct), seq 2326532896, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
>>> >>>> 01:20:11.033931 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
>>> >>>> 192.168.1.10.1515 > 192.168.1.30.57495: Flags [S.], cksum 0x839f (incorrect -> 0x141f), seq 3245350808, ack 2326532897, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
>>> >>>> 01:20:11.034075 IP (tos 0x0, ttl 128, id 22398, offset 0, flags [DF], proto TCP (6), length 40)
>>> >>>> 192.168.1.30.57495 > 192.168.1.10.1515: Flags [.], cksum 0xbefc (correct), seq 1, ack 1, win 2053, length 0
>>> >>>> 01:20:11.035593 IP (tos 0x0, ttl 128, id 22399, offset 0, flags [DF], proto TCP (6), length 203)
>>> >>>> 192.168.1.30.57495 > 192.168.1.10.1515: Flags [P.], cksum 0xeedb (correct), seq 1:164, ack 1, win 2053, length 163
>>> >>>> 01:20:11.035668 IP (tos 0x0, ttl 64, id 37466, offset 0, flags [DF], proto TCP (6), length 40)
>>> >>>
>>> >>>
>>> >>>
>>> >>> Best regards,
>>> >>>
>>> >>> Pedro S.
>>> >>>
>>> >>> On Mon, Oct 3, 2016 at 10:03 AM, Ali Khan <[email protected]>
>>> wrote:
>>> >>>>
>>> >>>> Hi All,
>>> >>>>
>>> >>>>
>>> >>>> I am trying to use ossec agent-auth for automatic agent key
>>> >>>> registration with the ossec server.
>>> >>>>
>>> >>>> I did the following on the server:
>>> >>>>
>>> >>>> openssl genrsa -out /var/ossec/etc/sslmanager.key 2048
>>> >>>> openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365
>>> >>>> /var/ossec/bin/ossec-authd -p 1515 -i >/dev/null 2>&1 &
>>> >>>> Added the following rule to /etc/ossim/firewall_include:
>>> >>>> -A INPUT -p tcp --dport 1515 -j ACCEPT
>>> >>>> Ran ossim-reconfig and then started
>>> >>>> /var/ossec/bin/ossec-authd -p 1515 -i >/dev/null 2>&1 & again, and
>>> >>>> the process starts.
>>> >>>>
>>> >>>>
>>> >>>> However, when I run ./agent-auth -m 192.168.10.246 -p 1515 on the
>>> >>>> agent, I get the following error:
>>> >>>>
>>> >>>>
>>> >>>> 2016/10/03 12:34:58 ossec-authd: INFO: Started (pid: 9656).
>>> >>>> 2016/10/03 12:34:58 ossec-authd: Unable to connect to 192.168.10.246:1515
>>> >>>>
>>> >>>> Any kind of help would be appreciated.
>>> >>>>
>>> >>>> Looking forward to your reply .
>>> >>>>
>>> >>>> --
>>> >>>>
>>> >>>> ---
>>> >>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> >>>> To unsubscribe from this group and stop receiving emails from it,
>>> send an email to [email protected].
>>> >>>> For more options, visit https://groups.google.com/d/optout.
>>> >>>
>>> >>>
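The thread keeps circling two checks: whether the manager really has ossec-remoted bound on UDP 1514 and ossec-authd listening on TCP 1515 (and why the UDP row never says LISTEN), and whether the agent can actually reach 1515. The script below is an added example written for this thread; it is not OSSEC or AlienVault code. It parses `netstat -tunlp` output into records, grades each expected OSSEC socket (missing, bound to loopback only, owned by another program, or ok), and offers a connect probe that tells a refused connection apart from a filtered one. The sample netstat text, the PIDs in it and the `EXPECTED` table are constructed from the ports and daemon names quoted in the thread.

```python
"""Sanity-check the OSSEC manager's listeners and probe the agent-auth port.

Added example for this thread, not part of OSSEC or AlienVault USM. The
ports and daemon names follow the thread: agents send events to
ossec-remoted on UDP 1514 and enrol via ossec-authd on TCP 1515.
"""
import socket
import sys
from dataclasses import dataclass

# Constructed sample in the shape of `netstat -tunlp` output; the PIDs and
# daemons mirror the lines quoted in the thread.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      5504/ossec-authd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1200/master
tcp6       0      0 :::22                   :::*                    LISTEN      900/sshd
udp        0      0 0.0.0.0:1514            0.0.0.0:*                           27560/ossec-remoted
"""

# (protocol, port) -> daemon that should own it on the manager.
EXPECTED = {("udp", 1514): "ossec-remoted", ("tcp", 1515): "ossec-authd"}


@dataclass(frozen=True)
class Listener:
    proto: str    # "tcp" or "udp"; tcp6/udp6 are folded into these
    addr: str     # local bind address
    port: int
    state: str    # "LISTEN" for TCP; always "" for UDP, which has no state
    program: str  # daemon name, or "-" when netstat could not resolve it


def parse_netstat(text):
    """Parse `netstat -tunlp` style lines into Listener records."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue  # banner, header or unrelated line
        addr, _, port = parts[3].rpartition(":")
        if not port.isdigit():
            continue
        state, program = "", "-"
        for tok in parts[5:]:
            # UDP rows have no State column, so the PID/Program token
            # shifts left; tell the two apart by the slash in "pid/name".
            if "/" in tok:
                program = tok.split("/", 1)[1]
            elif tok != "-":
                state = tok
        listeners.append(Listener(parts[0].rstrip("6"), addr, int(port), state, program))
    return listeners


def diagnose(listeners, expected=EXPECTED):
    """Return a (proto, port) -> verdict map for each expected OSSEC socket."""
    report = {}
    for (proto, port), daemon in expected.items():
        hits = [l for l in listeners if l.proto == proto and l.port == port]
        known = [l for l in hits if l.program != "-"]
        if not hits:
            report[(proto, port)] = "missing"          # daemon not running / wrong port
        elif all(l.addr in ("127.0.0.1", "::1") for l in hits):
            report[(proto, port)] = "loopback-only"    # remote agents cannot reach it
        elif known and not any(l.program == daemon for l in known):
            report[(proto, port)] = "other-program:" + known[0].program
        elif proto == "tcp" and not any(l.state == "LISTEN" for l in hits):
            report[(proto, port)] = "not-listening"
        else:
            report[(proto, port)] = "ok"
    return report


def probe_tcp(host, port, timeout=3.0):
    """Agent-side connect test; distinguishes refused from filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"   # host answered: nothing bound, or firewall REJECT
    except socket.timeout:
        return "timeout"   # no answer: firewall DROP, routing or wrong host
    except OSError as exc:
        return "error:%s" % (exc.strerror or exc)


def main():
    # Pipe real output in (`netstat -tunlp | python3 check_ossec_ports.py`);
    # with no stdin the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for (proto, port), verdict in sorted(diagnose(parse_netstat(text)).items()):
        print("%s/%d %s" % (proto, port, verdict))


if __name__ == "__main__":
    main()
```

Run it on the manager with the real netstat output piped in to get one verdict per socket, and call `probe_tcp(manager_ip, 1515)` from the agent: "refused" means the packet reached a host that has nothing bound there (or a REJECT rule), while "timeout" points at a DROP rule, routing or the wrong host, which is the distinction the telnet and tcpdump steps in the thread were trying to draw. A "loopback-only" verdict explains the case where a listener shows up in netstat yet no remote agent can connect.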