I came across this issue myself when configuring Cisco ASA firewalls with 
OSSEC v2.8.3. I found that both the ssh_pixconfig_diff (PIX) and 
ssh_asa-fwsmconfig_diff (ASA) scripts have several issues, 
including:

• The expect statements use the wrong case for some responses (e.g. 
Password instead of password);
• SSH is set specifically to use the DES cipher only;
• Output from the SSH session at times includes extra newlines and a 
"Connection to [host] closed by remote host" line, triggering false positive 
change alerts.

To address these issues I created a customized script. I can provide the 
whole script, but to address your specific issue you can simply try 
making one change in your own script. In your ssh_pixconfig_diff script, 
locate this line:

spawn ssh -c des $hostname

Comment that line out and use this one instead (rather than forcing the DES cipher, the option re-enables a legacy key-exchange method that newer OpenSSH clients disable by default):

spawn ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 $hostname


If you encounter some of the other issues, here's my entire revised script 
that works for me - the highlighted sections are the changes from the original 
script (based on the ASA script, not the PIX script):

#!/usr/bin/env expect

 

###############################################################################

#

# PROGRAM:  ssh_asa-custom_diff

# AUTHOR:   Bruce A. Westbrook

# DATE:     2017-04-27

# PURPOSE:  Check ASA for configuration changes

#

# DEPENDENCIES:

#           expect

#

# REVISIONS:

#

#           2017-04-27 - v1.0

#             - Initial release, forked from the OSSEC provided 

#               "ssh_asa-fwsmconfig_diff" script

#

###############################################################################

 

# Agentless monitoring

#

# Copyright (C) 2009 Trend Micro Inc.

# All rights reserved.

#

# This program is a free software; you can redistribute it

# and/or modify it under the terms of the GNU General Public

# License (version 2) as published by the FSF - Free Software

# Foundation.

 

# Send log entry that we're starting to run

send_user "\nINFO: Starting....\n"

# Usage check: the hostname is mandatory; any further arguments are the
# commands forwarded to the device later in the script.
if {$argc == 0} {
    send_user "ERROR: ssh_asa-custom_diff <hostname> <commands>\n"
    send_user "ERROR: Must be run from /var/ossec\n"
    exit 1
}

 

 

# NOTE: this script must be called from within /var/ossec for it to work
# (the paths below are relative to that directory).
set passlist "agentless/.passlist"
set hostname [lindex $argv 0]
set commands [lrange $argv 1 end]

# "x" marks "not yet found" for both credentials; see the passlist scan below.
set pass     "x"
set addpass  "x"

# Seconds each expect waits before its timeout branch fires (raised later,
# before the show commands are sent).
set timeout  20

# Path of the previously stored output for this host.  Nothing in this
# script reads it; kept as in the upstream script.
set lastentry "queue/diff/$hostname-\>ssh_asa-custom_diff/last-entry"

# "test test" is the self-check invocation: succeed without connecting.
if {[string equal $hostname "test"] && [string equal $commands "test"]} {
    exit 0
}

 

# Reading the password list.
# Each line has the form "host|password|enable-password"; lines without two
# separators are skipped.  The passwords are read and sent verbatim, so the
# file holds clear-text credentials -- keep its permissions tight.
if {[catch {set in [open "$passlist" r]} loc_error]} {
    send_user "ERROR: Password list not present (use \"register_host\" first).\n"
    exit 1
}

while {[gets $in line] != -1} {
    set first_sep [string first "|" $line]
    set last_sep  [string last "|" $line]

    # Two distinct separators are needed to have three fields; anything
    # between them (including further "|") belongs to the password.
    if {$first_sep == -1 || $last_sep == -1 || $first_sep == $last_sep} {
        continue
    }

    set host_field    [string range $line 0 [expr {$first_sep - 1}]]
    set pass_field    [string range $line [expr {$first_sep + 1}] [expr {$last_sep - 1}]]
    set addpass_field [string range $line [expr {$last_sep + 1}] end]

    if {[string equal $host_field $hostname]} {
        set pass    $pass_field
        set addpass $addpass_field
        break
    }
}
close $in

# Still at the sentinel value: no line matched this host.
if {[string equal $pass "x"]} {
    send_user "ERROR: Password for '$hostname' not found.\n"
    exit 1
}

 

 

# SSHing to the box and passing the directories to check.
# Fix for SSH issue with poor DES cipher and inability to connect.
# The "+" prefix appends the legacy diffie-hellman-group1-sha1 key exchange
# to the client's default list instead of replacing it.  That method
# (1024-bit group, SHA-1) is disabled by default in current clients for a
# reason: keep the option only while the firewall offers nothing better.
if {[catch {
    # Previous form, kept for reference:
    #   spawn ssh -c des $hostname
    spawn ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 $hostname
} loc_error]} {
    send_user "ERROR: Opening connection: $loc_error.\n"
    exit 1
}

 

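# Handles the device's reply after the login password has been sent.  Both
# login paths below (host already known / host key just accepted) use it, so
# the outcome handling exists only once.  `hostname` is used in the error
# messages, `banner` is written to the user on success.  Exits the script on
# a rejected password or a timeout.
proc after_login_password {hostname banner} {
    expect {
        "Permission denied" {
            send_user "ERROR: Incorrect password to remote host: $hostname .\n"
            exit 1
        }
        timeout {
            send_user "ERROR: Timeout while running on host (too long to finish): $hostname .\n"
            exit 1
        }
        "*>" {
            send_user -- $banner
        }
    }
}

# Login dialogue.  For each chunk of output the patterns are tried in the
# order written, so the host-key warning comes first.
expect {
    "WARNING: REMOTE HOST" {
        send_user "ERROR: RSA host key for '$hostname' has changed. Unable to access.\n"
        exit 1
    }
    "*sure you want to continue connecting*" {
        # First contact: the host key is accepted without verification
        # (trust on first use).  A key that changes later is caught by the
        # branch above, but the very first fingerprint is never checked
        # here -- pre-seed the known_hosts file of the account running this
        # script if that matters in your environment.
        send "yes\r"
        expect {
            "* password:*" {
                send "$pass\r"
                after_login_password $hostname "\nINFO: Starting.\n"
            }
            timeout {
                # Previously a silent fall-through to the enable step.
                send_user "ERROR: Timeout while connecting to host: $hostname . \n"
                exit 1
            }
            eof {
                send_user "ERROR: Unable to connect to remote host: $hostname .\n"
                exit 1
            }
        }
    }
    "ssh: connect to host*" {
        send_user "ERROR: Unable to connect to remote host: $hostname .\n"
        exit 1
    }
    "no address associated with name" {
        send_user "ERROR: Unable to connect to remote host: $hostname .\n"
        exit 1
    }
    "*Connection refused*" {
        send_user "ERROR: Unable to connect to remote host: $hostname .\n"
        exit 1
    }
    "*Connection closed by remote host*" {
        send_user "ERROR: Unable to connect to remote host: $hostname .\n"
        exit 1
    }
    "* password:*" {
        send "$pass\r"
        after_login_password $hostname "INFO: Starting.\n"
    }
    timeout {
        send_user "ERROR: Timeout while connecting to host: $hostname . \n"
        exit 1
    }
}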

 

# Going into enable mode.

# Reports `msg` to the user and aborts the run with a failure status.
proc abort_run {msg} {
    send_user -- $msg
    exit 1
}

send "enable\r"
expect {
    "Password:" {
        send "$addpass\r"
        expect {
            # A second password prompt means the enable password was rejected.
            "*asswor*" {
                abort_run "ERROR: Incorrect enable password to remote host: $hostname .\n"
            }
            "*rror in authenticatio*" {
                abort_run "ERROR: Incorrect enable password to remote host: $hostname .\n"
            }
            timeout {
                abort_run "ERROR: Timeout while going to enable mode on host: $hostname .\n"
            }
            # Privileged prompt reached.
            "*#" {
                send_user "\nok on enable pass\n"
            }
        }
    }
    # NOTE(review): a device that drops straight to "#" without asking for a
    # password ends up here -- confirm whether that case needs handling.
    timeout {
        abort_run "ERROR: Timeout while running enable on host: $hostname .\n"
    }
}

 

 

 

# Sending commands
set timeout 60

# Sends one command line to the device and waits for the privileged prompt
# to come back.  Nothing else is checked: on a timeout the script simply
# moves on to the next command, as in the upstream script.
proc run_cmd {cmd} {
    send "$cmd\r"
    expect "*#"
}

###########################################################
# FROM THIS POINT (THE send_user "\nSTORE: now\n" COMMAND)
# UNTIL THE EXIT, ALL OUTPUT IS SAVED.
###########################################################
# Begin storing all stdout
send_user "\nSTORE: now\n"

# Set our terminal pager to 0 so all our command output on the ASA goes by
# without paging
run_cmd "term pager 0"

# Show version info, but excluding uptime from the output since it changes
# every time
run_cmd "show version | grep -v Configuration last| up"

# Show our running configuration
run_cmd "show running-config"

# Send any additional commands sent from our OSSEC config for this agentless
# device.  $commands is the rest of argv, sent as a single line.
send "$commands\r"

###################################################################################
# BUGFIX - We'll stop storing data before we close our connection because we keep
#          getting alerts on changes due to some quirkiness with SSH on the ASA.
#          It adds an additional "Connection to..closed by remote host" sometimes
#          as well as an additional newline at times.  Added the expect "*#" to
#          exit out rather than the EOF, thereby eliminating saving the extraneous
#          output that sometimes occurs and gives a false positive for changes.
###################################################################################
expect {
    "*#" {
        send_user "\nINFO: Finished at #.\n"
        send "exit\r"
        exit 0
    }
    timeout {
        send_user "ERROR: Timeout while running commands on host: $hostname .\n"
        exit 1
    }
    eof {
        send_user "\nINFO: Finished at EOF.\n"
        exit 0
    }
}

# Safety net: every branch above exits, so this is only reached if the
# expect returns without matching anything.
send_user "ERROR: Unable to finish properly.\n"
exit 1


On Monday, December 18, 2017 at 10:40:33 PM UTC-5, [email protected] 
wrote:
>
>
> <https://lh3.googleusercontent.com/-Zk7oShbOtHc/WjiJUM68YXI/AAAAAAAAAqk/zl8EVXKWfzcibOdIV569-VakxO44w-SFwCLcBGAs/s1600/Pasted%2BGraphic.tiff>
>
>
> hey guys, I really need u help right now . When i configure the ossec 
> agentless mode, i came cross this problem which is shows 
> <https://lh3.googleusercontent.com/-US62qs3J_-Y/WjiJzB_8shI/AAAAAAAAAqo/WKt0Oj15Dis3uotD58mtq12qBEn9D66aQCLcBGAs/s1600/Pasted%2BGraphic.tiff>
>
>
>
> I really have no idea why this problem came out. And it definitely affect 
> my configuration to monitor cisco switch. Thank u for helping , sincerely
>
>
