When I check /var/ossec/queue/diff/, it seems there is no [user@agent->script] directory. Could I know whether this [user@agent->script] directory is created by myself or generated automatically? If I need to generate it, what exactly is it, and how do I write the [user@agent->script] directory the right way? If it is just a format, what should I do? Thank you again, and merry Christmas.
On Thursday, December 21, 2017 at 11:06:29 PM UTC+8, Bruce Westbrook wrote:
> Assuming you have all of the other pieces for agentless monitoring already
> in place (e.g. you've registered the host/password, enabled agentless
> monitoring) and installed 'expect' on the system, changes will be tracked
> in the /var/ossec/queue/diff/[user@agent->script] directory. The
> last-entry file will contain the full configuration being checked against
> while the diff.[epoch] files contain changes found at those times.
>
> I've not monitored Cisco switches so I can't speak to whether they will
> work as-is or require some additional modifications to work with those
> devices. But looks like Dan is offering to help with that.
>
> On Thursday, December 21, 2017 at 12:24:57 AM UTC-5, [email protected] wrote:
>> Hi westbrook,
>>
>> When I followed your script, something new shows up: "ssh_pix monitors
>> myswitch@IP starting", which is shown in the attached pictures.
>>
>> <https://lh3.googleusercontent.com/-MuJotDdvZnA/WjtEvqImvQI/AAAAAAAAArA/3oSVZZROQaoWtK7wbEX1BrgP-p9dsf6wQCLcBGAs/s1600/1513833647217.jpg>
>>
>> But I am checking the logs in alert.json and ossec.log; which one will
>> show the monitoring result when I change some configuration in my Cisco
>> switch?
>>
>> Thank you for helping me.
>>
>> On Tuesday, December 19, 2017 at 11:28:15 PM UTC+8, Bruce Westbrook wrote:
>>> I came across this issue myself when configuring Cisco ASA firewalls
>>> with OSSEC v2.8.3. I found that both the ssh_pixconfig_diff (PIX) and
>>> ssh_asa-fwsmconfig_diff (ASA) scripts have some issues with them,
>>> including:
>>>
>>> • Expect statement has the wrong case used for some responses (e.g.
>>>   Password instead of password);
>>> • SSH is set specifically to use DES only;
>>> • Output from the SSH session will include extra newlines and
>>>   "Connection to [host] closed by remote host" at times, triggering false
>>>   positive change alerts.
>>>
>>> To address these issues I created a customized script. I can provide
>>> you the whole script, but specifically to address your issue you can simply
>>> try making one change in your own script. In your ssh_pixconfig_diff
>>> script, locate this line:
>>>
>>>     spawn ssh -c des $hostname
>>>
>>> Remark that line out and use this one instead:
>>>
>>>     spawn ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 $hostname
>>>
>>> If you encounter some of the other issues, here's my entire revised
>>> script that works for me - all the highlights are changes from the original
>>> script (based on the ASA script, not the PIX script):
>>>
>>> #!/usr/bin/env expect
>>>
>>> ###############################################################################
>>> #
>>> # PROGRAM: ssh_asa-custom_diff
>>> # AUTHOR: Bruce A. Westbrook
>>> # DATE: 2017-04-27
>>> # PURPOSE: Check ASA for configuration changes
>>> #
>>> # DEPENDENCIES:
>>> #   expect
>>> #
>>> # REVISIONS:
>>> #
>>> # 2017-04-27 - v1.0
>>> #   - Initial release, forked from the OSSEC provided
>>> #     "ssh_asa-fwsmconfig_diff" script
>>> #
>>> ###############################################################################
>>>
>>> # Agentless monitoring
>>> #
>>> # Copyright (C) 2009 Trend Micro Inc.
>>> # All rights reserved.
>>> #
>>> # This program is a free software; you can redistribute it
>>> # and/or modify it under the terms of the GNU General Public
>>> # License (version 2) as published by the FSF - Free Software
>>> # Foundation.
>>>
>>> # Send log entry that we're starting to run
>>> send_user "\nINFO: Starting....\n"
>>>
>>> if {$argc < 1} {
>>>     send_user "ERROR: ssh_asa-custom_diff <hostname> <commands>\n";
>>>     send_user "ERROR: Must be run from /var/ossec\n";
>>>     exit 1;
>>> }
>>>
>>> # NOTE: this script must be called from within /var/ossec for it to work.
>>> set passlist "agentless/.passlist"
>>> set hostname [lindex $argv 0]
>>> set commands [lrange $argv 1 end]
>>> set pass "x"
>>> set addpass "x"
>>> set timeout 20
>>>
>>> set lastentry "queue/diff/$hostname-\>ssh_asa-custom_diff/last-entry"
>>>
>>> if {[string compare $hostname "test"] == 0} {
>>>     if {[string compare $commands "test"] == 0} {
>>>         exit 0;
>>>     }
>>> }
>>>
>>> # Reading the password list.
>>> if [catch {
>>>     set in [open "$passlist" r]
>>> } loc_error] {
>>>     send_user "ERROR: Password list not present (use \"register_host\" first).\n"
>>>     exit 1;
>>> }
>>>
>>> while {[gets $in line] != -1} {
>>>     set me [string first "|" $line]
>>>     set me2 [string last "|" $line]
>>>     set length [string length $line]
>>>
>>>     if {$me == -1} {
>>>         continue;
>>>     }
>>>     if {$me2 == -1} {
>>>         continue;
>>>     }
>>>     if {$me == $me2} {
>>>         continue;
>>>     }
>>>
>>>     set me [expr $me-1]
>>>     set me2 [expr $me2-1]
>>>
>>>     set host_list [string range $line 0 $me]
>>>     set me [expr $me+2]
>>>     set pass_list [string range $line $me $me2]
>>>     set me2 [expr $me2+2]
>>>     set addpass_list [string range $line $me2 $length]
>>>
>>>     if {[string compare $host_list $hostname] == 0} {
>>>         set pass "$pass_list"
>>>         set addpass "$addpass_list"
>>>         break
>>>     }
>>> }
>>> close $in
>>>
>>> if {[string compare $pass "x"] == 0} {
>>>     send_user "ERROR: Password for '$hostname' not found.\n"
>>>     exit 1;
>>> }
>>>
>>> # SSHing to the box and passing the directories to check.
>>> # Fix for SSH issue with poor DES cipher and inability to connect.
>>> if [catch {
>>>     # spawn ssh -c des $hostname
>>>     spawn ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 $hostname
>>> } loc_error] {
>>>     send_user "ERROR: Opening connection: $loc_error.\n"
>>>     exit 1;
>>> }
>>>
>>> expect {
>>>     "WARNING: REMOTE HOST" {
>>>         send_user "ERROR: RSA host key for '$hostname' has changed. Unable to access.\n"
>>>         exit 1;
>>>     }
>>>     "*sure you want to continue connecting*" {
>>>         send "yes\r"
>>>         expect "* password:*" {
>>>             send "$pass\r"
>>>
>>>             expect {
>>>                 "Permission denied" {
>>>                     send_user "ERROR: Incorrect password to remote host: $hostname .\n"
>>>                     exit 1;
>>>                 }
>>>                 timeout {
>>>                     send_user "ERROR: Timeout while running on host (too long to finish): $hostname .\n"
>>>                     exit 1;
>>>                 }
>>>                 "*>" {
>>>                     send_user "\nINFO: Starting.\n"
>>>                 }
>>>             }
>>>         }
>>>     }
>>>     "ssh: connect to host*" {
>>>         send_user "ERROR: Unable to connect to remote host: $hostname .\n"
>>>         exit 1;
>>>     }
>>>     "no address associated with name" {
>>>         send_user "ERROR: Unable to connect to remote host: $hostname .\n"
>>>         exit 1;
>>>     }
>>>     "*Connection refused*" {
>>>         send_user "ERROR: Unable to connect to remote host: $hostname .\n"
>>>         exit 1;
>>>     }
>>>     "*Connection closed by remote host*" {
>>>         send_user "ERROR: Unable to connect to remote host: $hostname .\n"
>>>         exit 1;
>>>     }
>>>     "* password:*" {
>>>         send "$pass\r"
>>>
>>>         expect {
>>>             "Permission denied" {
>>>                 send_user "ERROR: Incorrect password to remote host: $hostname .\n"
>>>                 exit 1;
>>>             }
>>>             timeout {
>>>                 send_user "ERROR: Timeout while running on host (too long to finish): $hostname .\n"
>>>                 exit 1;
>>>             }
>>>             "*>" {
>>>                 send_user "INFO: Starting.\n"
>>>             }
>>>         }
>>>     }
>>>     timeout {
>>>         send_user "ERROR: Timeout while connecting to host: $hostname .\n"
>>>         exit 1;
>>>     }
>>> }
>>>
>>> # Going into enable mode.
>>> send "enable\r"
>>> expect {
>>>     "Password:" {
>>>         send "$addpass\r"
>>>
>>>         expect {
>>>             "*asswor*" {
>>>                 send_user "ERROR: Incorrect enable password to remote host: $hostname .\n"
>>>                 exit 1;
>>>             }
>>>             "*rror in authenticatio*" {
>>>                 send_user "ERROR: Incorrect enable password to remote host: $hostname .\n"
>>>                 exit 1;
>>>             }
>>>             timeout {
>>>                 send_user "ERROR: Timeout while going to enable mode on host: $hostname .\n"
>>>                 exit 1;
>>>             }
>>>             "*#" {
>>>                 send_user "\nok on enable pass\n"
>>>             }
>>>         }
>>>     }
>>>     timeout {
>>>         send_user "ERROR: Timeout while running enable on host: $hostname .\n"
>>>         exit 1;
>>>     }
>>> }
>>>
>>> # Sending commands
>>> set timeout 60
>>>
>>> ###########################################################
>>> # FROM THIS POINT (THE send_user "\nSTORE: now\n" COMMAND)
>>> # UNTIL THE EXIT, ALL OUTPUT IS SAVED.
>>> ###########################################################
>>> # Begin storing all stdout
>>> send_user "\nSTORE: now\n"
>>> # Set our terminal pager to 0 so all our command output on the ASA goes by without paging
>>> send "term pager 0\r"
>>> expect "*#"
>>> # Show version info, but excluding uptime from the output since it changes every time
>>> send "show version | grep -v Configuration last| up\r"
>>> expect "*#"
>>> # Show our running configuration
>>> send "show running-config\r"
>>> expect "*#"
>>> # Send any additional commands sent from our OSSEC config for this agentless device
>>> send "$commands\r"
>>> ###################################################################################
>>> # BUGFIX - We'll stop storing data before we close our connection because we keep
>>> #          getting alerts on changes due to some quirkiness with SSH on the ASA.
>>> #          It adds an additional "Connection to..closed by remote host" sometimes
>>> #          as well as an additional newline at times. Added the expect "*#" to
>>> #          exit out rather than the EOF, thereby eliminating saving the extraneous
>>> #          output that sometimes occurs and gives a false positive for changes.
>>> ###################################################################################
>>> expect {
>>>     "*#" {
>>>         send_user "\nINFO: Finished at #.\n"
>>>         send "exit\r"
>>>         exit 0;
>>>     }
>>>     timeout {
>>>         send_user "ERROR: Timeout while running commands on host: $hostname .\n"
>>>         exit 1;
>>>     }
>>>     eof {
>>>         send_user "\nINFO: Finished at EOF.\n"
>>>         exit 0;
>>>     }
>>> }
>>>
>>> send_user "ERROR: Unable to finish properly.\n"
>>> exit 1;
>>>
>>> On Monday, December 18, 2017 at 10:40:33 PM UTC-5, [email protected] wrote:
>>>> <https://lh3.googleusercontent.com/-Zk7oShbOtHc/WjiJUM68YXI/AAAAAAAAAqk/zl8EVXKWfzcibOdIV569-VakxO44w-SFwCLcBGAs/s1600/Pasted%2BGraphic.tiff>
>>>>
>>>> Hey guys, I really need your help right now. When I configure the OSSEC
>>>> agentless mode, I came across this problem, which is shown in
>>>> <https://lh3.googleusercontent.com/-US62qs3J_-Y/WjiJzB_8shI/AAAAAAAAAqo/WKt0Oj15Dis3uotD58mtq12qBEn9D66aQCLcBGAs/s1600/Pasted%2BGraphic.tiff>
>>>>
>>>> I really have no idea why this problem came out. And it definitely
>>>> affects my configuration to monitor the Cisco switch. Thank you for
>>>> helping, sincerely.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
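Added illustration (not OSSEC's agentlessd code and not posted by anyone in this thread): a small POSIX shell re-implementation of the store-and-compare step the thread is about. Everything a script prints after its "STORE: now" line is kept as last-entry under a queue/diff/<host>-><script> directory, and when a later run differs a diff.<epoch> file is written beside it; that layout and the marker are taken from the thread. The normalization rules (drop the "Connection to ... closed" teardown line and trailing blank lines) are this example's own choice, to show why Bruce's BUGFIX block stops capturing before EOF: the thread reports that the stock comparison treats exactly those extra lines as a change. The function names and the state.new scratch file are assumptions; the captures in the demo and test are constructed.

```shell
#!/bin/sh
# Added example: stand-alone re-implementation of "store the script's output,
# compare with last-entry, record diff.<epoch>" for OSSEC agentless monitoring.
# NOT ossec-agentlessd code. Directory layout (queue/diff/<host>-><script>/
# last-entry and diff.<epoch>) and the "STORE: now" marker come from the
# thread; function names and the state.new scratch file are assumptions.

# normalize_capture FILE
# Keep only what follows the "STORE: now" marker, strip CRs, drop the
# "Connection to ... closed" teardown line and any trailing blank lines.
# Filtering these is this example's choice, not something the stock
# comparison does; they are the noise the thread blames for false alerts.
normalize_capture() {
    awk '
        { sub(/\r$/, "") }
        /^STORE: now$/             { store = 1; next }
        !store                     { next }
        /^Connection to .* closed/ { next }
        /^[ \t]*$/                 { blank++; next }
        {
            # re-emit interior blank lines, never trailing ones
            for (i = 0; i < blank; i++) print ""
            blank = 0
            print
        }
    ' "$1"
}

# store_entry DIFF_ROOT HOST SCRIPT CAPTURE_FILE
# Creates DIFF_ROOT/HOST->SCRIPT on first use and seeds last-entry (returns 2);
# returns 1 when the normalized capture equals last-entry; otherwise writes
# diff.<epoch>, replaces last-entry and returns 0.
store_entry() {
    root=$1; host=$2; script=$3; capture=$4
    dir="$root/$host->$script"
    last="$dir/last-entry"
    new="$dir/state.new"            # scratch name chosen for this example

    mkdir -p "$dir"
    normalize_capture "$capture" > "$new"

    if [ ! -f "$last" ]; then
        mv "$new" "$last"           # first run: nothing to compare against
        return 2
    fi
    if cmp -s "$last" "$new"; then
        rm -f "$new"
        return 1
    fi
    # diff exits 1 when the files differ; that is the expected path here
    diff "$last" "$new" > "$dir/diff.$(date +%s)" || :
    mv "$new" "$last"
    return 0
}

# list_changes DIFF_ROOT HOST SCRIPT
# Prints the recorded diff.<epoch> files for one host/script pair, oldest first.
list_changes() {
    dir="$1/$2->$3"
    [ -d "$dir" ] || return 1
    ls "$dir" | grep '^diff\.[0-9]*$' | sort -n -t. -k2 | sed "s|^|$dir/|"
}

# Usage: sh store_diff.sh demo   (constructed captures in a temp directory)
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    h='admin@10.0.0.1'; s='ssh_asa-custom_diff'
    printf 'INFO: Starting....\nSTORE: now\nhostname asa1\ninterface e0\n\n\nConnection to 10.0.0.1 closed by remote host.\n' > "$tmp/run1"
    printf 'INFO: Starting....\nSTORE: now\nhostname asa1\ninterface e0\n' > "$tmp/run2"
    printf 'INFO: Starting....\nSTORE: now\nhostname asa1\ninterface e0\naccess-list OUT permit ip any any\n' > "$tmp/run3"
    for r in run1 run2 run3; do
        rc=0; store_entry "$tmp/diff" "$h" "$s" "$tmp/$r" || rc=$?
        echo "$r: rc=$rc (2=seeded, 1=unchanged, 0=changed)"
    done
    list_changes "$tmp/diff" "$h" "$s"
fi
```

Run with `sh store_diff.sh demo`: run2 reports unchanged even though the raw capture lost the teardown line and blank lines, and only run3 (a real config change) produces a diff.<epoch> file, which is the behaviour the BUGFIX comment in Bruce's script is trying to get from the stock comparison by not capturing the noise in the first place.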
