Hi Westbrook,
Thank you for sharing the entire script about the ASA with me. The question is, I
was trying to monitor the switch configuration status, so do you have any idea
about the PIX script modification, so I can learn from you and find out how to
use PIX to monitor the switch configuration file? Thanks.
Best regards,
kaiwen
On Tuesday, December 19, 2017 at 11:28:15 PM UTC+8, Bruce Westbrook wrote:
>
> I came across this issue myself when configuring Cisco ASA firewalls with
> OSSEC v2.8.3. I found that both the ssh_pixconfig_diff (PIX) and
> ssh_asa-fwsmconfig_diff (ASA) scripts have some issues with them,
> including:
>
> • Expect statement has the wrong case used for some responses (e.g.
> Password instead of password);
> • SSH is set specifically to use DES only
> • Output from the SSH session will include extra newlines and Connection
> to [host] closed by remote host at times, triggering false positive change
> alerts.
>
> To address these issues I created a customized script. I can provide you
> the whole script, but specifically to address your issue you can simply try
> making one change in your own script. In your ssh_pixconfig_diff script,
> locate this line:
>
> spawn ssh -c des $hostname
>
> Remark that line out and use this one instead:
>
> spawn ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 $hostname
>
>
> If you encounter some of the other issues, here's my entire revised script
> that works for me - all the highlights are changes from the original script
> (based on the ASA script, not the PIX script):
>
> #!/usr/bin/env expect
>
> ###############################################################################
> #
> # PROGRAM: ssh_asa-custom_diff
> # AUTHOR: Bruce A. Westbrook
> # DATE: 2017-04-27
> # PURPOSE: Check ASA for configuration changes
> #
> # DEPENDENCIES:
> #     expect
> #
> # REVISIONS:
> #
> # 2017-04-27 - v1.0
> #     - Initial release, forked from the OSSEC provided
> #       "ssh_asa-fwsmconfig_diff" script
> #
> ###############################################################################
>
> # Agentless monitoring
> #
> # Copyright (C) 2009 Trend Micro Inc.
> # All rights reserved.
> #
> # This program is a free software; you can redistribute it
> # and/or modify it under the terms of the GNU General Public
> # License (version 2) as published by the FSF - Free Software
> # Foundation.
>
> # Send log entry that we're starting to run
> send_user "\nINFO: Starting....\n"
>
> if {$argc < 1} {
>     send_user "ERROR: ssh_asa-custom_diff <hostname> <commands>\n";
>     send_user "ERROR: Must be run from /var/ossec\n";
>     exit 1;
> }
>
> # NOTE: this script must be called from within /var/ossec for it to work.
> set passlist "agentless/.passlist"
> set hostname [lindex $argv 0]
> set commands [lrange $argv 1 end]
> set pass "x"
> set addpass "x"
> set timeout 20
>
> set lastentry "queue/diff/$hostname-\>ssh_asa-custom_diff/last-entry"
>
> if {[string compare $hostname "test"] == 0} {
>     if {[string compare $commands "test"] == 0} {
>         exit 0;
>     }
> }
>
> # Reading the password list.
> if [catch {
>     set in [open "$passlist" r]
> } loc_error] {
>     send_user "ERROR: Password list not present (use \"register_host\" first).\n"
>     exit 1;
> }
>
> # Each line of the password list is "host|password|enable-password".
> while {[gets $in line] != -1} {
>     set me [string first "|" $line]
>     set me2 [string last "|" $line]
>     set length [string length $line]
>
>     if {$me == -1} {
>         continue;
>     }
>     if {$me2 == -1} {
>         continue;
>     }
>     if {$me == $me2} {
>         continue;
>     }
>
>     set me [expr $me-1]
>     set me2 [expr $me2-1]
>
>     set host_list [string range $line 0 $me]
>     set me [expr $me+2]
>     set pass_list [string range $line $me $me2]
>     set me2 [expr $me2+2]
>     set addpass_list [string range $line $me2 $length]
>
>     if {[string compare $host_list $hostname] == 0} {
>         set pass "$pass_list"
>         set addpass "$addpass_list"
>         break
>     }
> }
> close $in
>
> if {[string compare $pass "x"] == 0} {
>     send_user "ERROR: Password for '$hostname' not found.\n"
>     exit 1;
> }
>
> # SSHing to the box and passing the directories to check.
> # Fix for SSH issue with poor DES cipher and inability to connect.
> if [catch {
>     # spawn ssh -c des $hostname
>     spawn ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 $hostname
> } loc_error] {
>     send_user "ERROR: Opening connection: $loc_error.\n"
>     exit 1;
> }
>
> expect {
>     "WARNING: REMOTE HOST" {
>         send_user "ERROR: RSA host key for '$hostname' has changed. Unable to access.\n"
>         exit 1;
>     }
>     "*sure you want to continue connecting*" {
>         send "yes\r"
>         expect "* password:*" {
>             send "$pass\r"
>
>             expect {
>                 "Permission denied" {
>                     send_user "ERROR: Incorrect password to remote host: $hostname .\n"
>                     exit 1;
>                 }
>                 timeout {
>                     send_user "ERROR: Timeout while running on host (too long to finish): $hostname .\n"
>                     exit 1;
>                 }
>                 "*>" {
>                     send_user "\nINFO: Starting.\n"
>                 }
>             }
>         }
>     }
>     "ssh: connect to host*" {
>         send_user "ERROR: Unable to connect to remote host: $hostname .\n"
>         exit 1;
>     }
>     "no address associated with name" {
>         send_user "ERROR: Unable to connect to remote host: $hostname .\n"
>         exit 1;
>     }
>     "*Connection refused*" {
>         send_user "ERROR: Unable to connect to remote host: $hostname .\n"
>         exit 1;
>     }
>     "*Connection closed by remote host*" {
>         send_user "ERROR: Unable to connect to remote host: $hostname .\n"
>         exit 1;
>     }
>     "* password:*" {
>         send "$pass\r"
>
>         expect {
>             "Permission denied" {
>                 send_user "ERROR: Incorrect password to remote host: $hostname .\n"
>                 exit 1;
>             }
>             timeout {
>                 send_user "ERROR: Timeout while running on host (too long to finish): $hostname .\n"
>                 exit 1;
>             }
>             "*>" {
>                 send_user "INFO: Starting.\n"
>             }
>         }
>     }
>     timeout {
>         send_user "ERROR: Timeout while connecting to host: $hostname . \n"
>         exit 1;
>     }
> }
>
> # Going into enable mode.
> send "enable\r"
> expect {
>     "Password:" {
>         send "$addpass\r"
>
>         expect {
>             "*asswor*" {
>                 send_user "ERROR: Incorrect enable password to remote host: $hostname .\n"
>                 exit 1;
>             }
>             "*rror in authenticatio*" {
>                 send_user "ERROR: Incorrect enable password to remote host: $hostname .\n"
>                 exit 1;
>             }
>             timeout {
>                 send_user "ERROR: Timeout while going to enable mode on host: $hostname .\n"
>                 exit 1;
>             }
>             "*#" {
>                 send_user "\nok on enable pass\n"
>             }
>         }
>     }
>     timeout {
>         send_user "ERROR: Timeout while running enable on host: $hostname .\n"
>         exit 1;
>     }
> }
>
> # Sending commands
> set timeout 60
>
> ###########################################################
> # FROM THIS POINT (THE send_user "\nSTORE: now\n" COMMAND)
> # UNTIL THE EXIT, ALL OUTPUT IS SAVED.
> ###########################################################
> # Begin storing all stdout
> send_user "\nSTORE: now\n"
> # Set our terminal pager to 0 so all our command output on the ASA goes by without paging
> send "term pager 0\r"
> expect "*#"
> # Show version info, but excluding uptime from the output since it changes every time
> send "show version | grep -v Configuration last| up\r"
> expect "*#"
> # Show our running configuration
> send "show running-config\r"
> expect "*#"
> # Send any additional commands sent from our OSSEC config for this agentless device
> send "$commands\r"
>
> ###################################################################################
> # BUGFIX - We'll stop storing data before we close our connection because we keep
> #          getting alerts on changes due to some quirkiness with SSH on the ASA.
> #          It adds an additional "Connection to..closed by remote host" sometimes
> #          as well as an additional newline at times. Added the expect "*#" to
> #          exit out rather than the EOF, thereby eliminating saving the extraneous
> #          output that sometimes occurs and gives a false positive for changes.
> ###################################################################################
> expect {
>     "*#" {
>         send_user "\nINFO: Finished at #.\n"
>         send "exit\r"
>         exit 0;
>     }
>     timeout {
>         send_user "ERROR: Timeout while running commands on host: $hostname .\n"
>         exit 1;
>     }
>     eof {
>         send_user "\nINFO: Finished at EOF.\n"
>         exit 0;
>     }
> }
>
> send_user "ERROR: Unable to finish properly.\n"
> exit 1;
>
> On Monday, December 18, 2017 at 10:40:33 PM UTC-5, [email protected]
> wrote:
>>
>> <https://lh3.googleusercontent.com/-Zk7oShbOtHc/WjiJUM68YXI/AAAAAAAAAqk/zl8EVXKWfzcibOdIV569-VakxO44w-SFwCLcBGAs/s1600/Pasted%2BGraphic.tiff>
>>
>> Hey guys, I really need your help right now. When I configured the OSSEC
>> agentless mode, I came across this problem, which is shown in
>> <https://lh3.googleusercontent.com/-US62qs3J_-Y/WjiJzB_8shI/AAAAAAAAAqo/WKt0Oj15Dis3uotD58mtq12qBEn9D66aQCLcBGAs/s1600/Pasted%2BGraphic.tiff>
>>
>> I really have no idea why this problem came out. And it definitely affects
>> my configuration to monitor the Cisco switch. Thank you for helping. Sincerely
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
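The false positives Bruce describes (the extra "Connection to [host] closed by remote host" trailer, stray newlines, and the uptime and "Configuration last" lines) can also be filtered on the capture side. The following is an added example, not Bruce's expect script and not OSSEC's own diff code: a small Python normalizer that drops those volatile lines before comparing two captures, so that only a real configuration change produces a diff. The sample captures are constructed.

```python
import difflib
import re

# Lines that change between two captures of an unchanged device and must not
# count as a configuration change. The patterns follow the thread: the SSH
# session trailer, and the uptime / "Configuration last" lines that the expect
# script already filters with "grep -v" on the ASA side.
VOLATILE_PATTERNS = [
    re.compile(r"^Connection to \S+ closed by remote host\.?$"),
    re.compile(r"^Connection to \S+ closed\.?$"),
    re.compile(r"^\S+ up \d+ "),          # "asa up 3 days 2 hours" (show version)
    re.compile(r"^Configuration last "),  # "Configuration last modified by ..."
]


def normalize(capture):
    """Return the comparable lines of a capture: CRLF folded to LF, trailing
    whitespace stripped, volatile lines dropped, trailing blank lines removed."""
    lines = []
    for raw in capture.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        line = raw.rstrip()
        if any(p.match(line) for p in VOLATILE_PATTERNS):
            continue
        lines.append(line)
    while lines and lines[-1] == "":
        lines.pop()
    return lines


def config_diff(previous, current):
    """Unified diff of two normalized captures; an empty list means no real change."""
    return list(difflib.unified_diff(normalize(previous), normalize(current),
                                     fromfile="last-entry", tofile="current",
                                     lineterm="", n=0))


# Constructed sample captures (not real device output).
PREV = ("asa# show running-config\n: Saved\nhostname asa\n"
        "interface GigabitEthernet0/0\n nameif outside\nasa#\n")
# Same device, but the session ended with the extra trailer and blank lines.
CURR = PREV + "\nConnection to 192.0.2.1 closed by remote host.\n\n"
# A genuine change: a new line under the interface.
CHANGED = PREV.replace(" nameif outside", " nameif outside\n security-level 0")

if __name__ == "__main__":
    print("noise only:", config_diff(PREV, CURR))   # []
    print("\n".join(config_diff(PREV, CHANGED)))
```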