Thank you for helping. May I know what a "pull request" is and how do I submit it? Thank you so much and merry Christmas.
On Thursday, December 21, 2017 at 8:54:48 PM UTC+8, dan (ddpbsd) wrote:
>
> If you're interested, please submit a pull request. I don't have
> access to many of these devices, so keeping them working (getting them
> working?) is difficult.
>
> On Tue, Dec 19, 2017 at 10:28 AM, Bruce Westbrook <[email protected]> wrote:
> > I came across this issue myself when configuring Cisco ASA firewalls with
> > OSSEC v2.8.3. I found that both the ssh_pixconfig_diff (PIX) and
> > ssh_asa-fwsmconfig_diff (ASA) scripts have some issues with them, including:
> >
> > • Expect statement has the wrong case used for some responses (e.g. Password
> >   instead of password);
> > • SSH is set specifically to use DES only;
> > • Output from the SSH session will include extra newlines and "Connection to
> >   [host] closed by remote host" at times, triggering false positive change
> >   alerts.
> >
> > To address these issues I created a customized script. I can provide you
> > the whole script, but specifically to address your issue you can simply try
> > making one change in your own script. In your ssh_pixconfig_diff script,
> > locate this line:
> >
> >     spawn ssh -c des $hostname
> >
> > Remark that line out and use this one instead:
> >
> >     spawn ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 $hostname
> >
> > If you encounter some of the other issues, here's my entire revised script
> > that works for me - all the highlights are changes from the original script
> > (based on the ASA script, not the PIX script):
> >
> > #!/usr/bin/env expect
> >
> > ###############################################################################
> > #
> > # PROGRAM: ssh_asa-custom_diff
> > # AUTHOR: Bruce A. Westbrook
> > # DATE: 2017-04-27
> > # PURPOSE: Check ASA for configuration changes
> > #
> > # DEPENDENCIES:
> > #   expect
> > #
> > # REVISIONS:
> > #
> > # 2017-04-27 - v1.0
> > #   - Initial release, forked from the OSSEC provided
> > #     "ssh_asa-fwsmconfig_diff" script
> > #
> > ###############################################################################
> >
> > # Agentless monitoring
> > #
> > # Copyright (C) 2009 Trend Micro Inc.
> > # All rights reserved.
> > #
> > # This program is a free software; you can redistribute it
> > # and/or modify it under the terms of the GNU General Public
> > # License (version 2) as published by the FSF - Free Software
> > # Foundation.
> >
> > # Send log entry that we're starting to run
> > send_user "\nINFO: Starting....\n"
> >
> > if {$argc < 1} {
> >     send_user "ERROR: ssh_asa-custom_diff <hostname> <commands>\n";
> >     send_user "ERROR: Must be run from /var/ossec\n";
> >     exit 1;
> > }
> >
> > # NOTE: this script must be called from within /var/ossec for it to work.
> > set passlist "agentless/.passlist"
> > set hostname [lindex $argv 0]
> > set commands [lrange $argv 1 end]
> > set pass "x"
> > set addpass "x"
> > set timeout 20
> >
> > set lastentry "queue/diff/$hostname-\>ssh_asa-custom_diff/last-entry"
> >
> > if {[string compare $hostname "test"] == 0} {
> >     if {[string compare $commands "test"] == 0} {
> >         exit 0;
> >     }
> > }
> >
> > # Reading the password list (one "host|password|enable-password" entry per line).
> > if [catch {
> >     set in [open "$passlist" r]
> > } loc_error] {
> >     send_user "ERROR: Password list not present (use \"register_host\" first).\n"
> >     exit 1;
> > }
> >
> > while {[gets $in line] != -1} {
> >     set me [string first "|" $line]
> >     set me2 [string last "|" $line]
> >     set length [string length $line]
> >
> >     if {$me == -1} {
> >         continue;
> >     }
> >     if {$me2 == -1} {
> >         continue;
> >     }
> >     if {$me == $me2} {
> >         continue;
> >     }
> >
> >     set me [expr $me-1]
> >     set me2 [expr $me2-1]
> >
> >     set host_list [string range $line 0 $me]
> >     set me [expr $me+2]
> >     set pass_list [string range $line $me $me2]
> >     set me2 [expr $me2+2]
> >     set addpass_list [string range $line $me2 $length]
> >
> >     if {[string compare $host_list $hostname] == 0} {
> >         set pass "$pass_list"
> >         set addpass "$addpass_list"
> >         break
> >     }
> > }
> > close $in
> >
> > if {[string compare $pass "x"] == 0} {
> >     send_user "ERROR: Password for '$hostname' not found.\n"
> >     exit 1;
> > }
> >
> > # SSHing to the box and passing the directories to check.
> > # Fix for SSH issue with poor DES cipher and inability to connect.
> > if [catch {
> >     # spawn ssh -c des $hostname
> >     spawn ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 $hostname
> > } loc_error] {
> >     send_user "ERROR: Opening connection: $loc_error.\n"
> >     exit 1;
> > }
> >
> > expect {
> >     "WARNING: REMOTE HOST" {
> >         send_user "ERROR: RSA host key for '$hostname' has changed. Unable to access.\n"
> >         exit 1;
> >     }
> >     "*sure you want to continue connecting*" {
> >         send "yes\r"
> >         expect "* password:*" {
> >             send "$pass\r"
> >
> >             expect {
> >                 "Permission denied" {
> >                     send_user "ERROR: Incorrect password to remote host: $hostname .\n"
> >                     exit 1;
> >                 }
> >                 timeout {
> >                     send_user "ERROR: Timeout while running on host (too long to finish): $hostname .\n"
> >                     exit 1;
> >                 }
> >                 "*>" {
> >                     send_user "\nINFO: Starting.\n"
> >                 }
> >             }
> >         }
> >     }
> >     "ssh: connect to host*" {
> >         send_user "ERROR: Unable to connect to remote host: $hostname .\n"
> >         exit 1;
> >     }
> >     "no address associated with name" {
> >         send_user "ERROR: Unable to connect to remote host: $hostname .\n"
> >         exit 1;
> >     }
> >     "*Connection refused*" {
> >         send_user "ERROR: Unable to connect to remote host: $hostname .\n"
> >         exit 1;
> >     }
> >     "*Connection closed by remote host*" {
> >         send_user "ERROR: Unable to connect to remote host: $hostname .\n"
> >         exit 1;
> >     }
> >     "* password:*" {
> >         send "$pass\r"
> >
> >         expect {
> >             "Permission denied" {
> >                 send_user "ERROR: Incorrect password to remote host: $hostname .\n"
> >                 exit 1;
> >             }
> >             timeout {
> >                 send_user "ERROR: Timeout while running on host (too long to finish): $hostname .\n"
> >                 exit 1;
> >             }
> >             "*>" {
> >                 send_user "INFO: Starting.\n"
> >             }
> >         }
> >     }
> >     timeout {
> >         send_user "ERROR: Timeout while connecting to host: $hostname .\n"
> >         exit 1;
> >     }
> > }
> >
> > # Going into enable mode.
> > send "enable\r"
> > expect {
> >     "Password:" {
> >         send "$addpass\r"
> >
> >         expect {
> >             "*asswor*" {
> >                 send_user "ERROR: Incorrect enable password to remote host: $hostname .\n"
> >                 exit 1;
> >             }
> >             "*rror in authenticatio*" {
> >                 send_user "ERROR: Incorrect enable password to remote host: $hostname .\n"
> >                 exit 1;
> >             }
> >             timeout {
> >                 send_user "ERROR: Timeout while going to enable mode on host: $hostname .\n"
> >                 exit 1;
> >             }
> >             "*#" {
> >                 send_user "\nok on enable pass\n"
> >             }
> >         }
> >     }
> >     timeout {
> >         send_user "ERROR: Timeout while running enable on host: $hostname .\n"
> >         exit 1;
> >     }
> > }
> >
> > # Sending commands
> > set timeout 60
> >
> > ###########################################################
> > # FROM THIS POINT (THE send_user "\nSTORE: now\n" COMMAND)
> > # UNTIL THE EXIT, ALL OUTPUT IS SAVED.
> > ###########################################################
> > # Begin storing all stdout
> > send_user "\nSTORE: now\n"
> > # Set our terminal pager to 0 so all our command output on the ASA goes by
> > # without paging
> > send "term pager 0\r"
> > expect "*#"
> > # Show version info, but excluding uptime from the output since it changes
> > # every time
> > send "show version | grep -v Configuration last| up\r"
> > expect "*#"
> > # Show our running configuration
> > send "show running-config\r"
> > expect "*#"
> > # Send any additional commands sent from our OSSEC config for this agentless
> > # device
> > send "$commands\r"
> > ###################################################################################
> > # BUGFIX - We'll stop storing data before we close our connection because we keep
> > #          getting alerts on changes due to some quirkiness with SSH on the ASA.
> > #          It adds an additional "Connection to..closed by remote host" sometimes
> > #          as well as an additional newline at times. Added the expect "*#" to
> > #          exit out rather than the EOF, thereby eliminating saving the extraneous
> > #          output that sometimes occurs and gives a false positive for changes.
> > ###################################################################################
> > expect {
> >     "*#" {
> >         send_user "\nINFO: Finished at #.\n"
> >         send "exit\r"
> >         exit 0;
> >     }
> >     timeout {
> >         send_user "ERROR: Timeout while running commands on host: $hostname .\n"
> >         exit 1;
> >     }
> >     eof {
> >         send_user "\nINFO: Finished at EOF.\n"
> >         exit 0;
> >     }
> > }
> >
> > send_user "ERROR: Unable to finish properly.\n"
> > exit 1;
> >
> > On Monday, December 18, 2017 at 10:40:33 PM UTC-5, [email protected] wrote:
> > >
> > > Hey guys, I really need your help right now. When I configure the OSSEC
> > > agentless mode, I came across this problem, which shows:
> > >
> > > I really have no idea why this problem came out. And it definitely affects
> > > my configuration to monitor a Cisco switch. Thank you for helping, sincerely
> > >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
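The false-positive problem the thread describes, as an added Python example that is not part of the thread or of OSSEC: it normalises two captured ASA sessions the way the revised script's final expect "*#" does (discard everything after the last prompt), drops the same volatile `show version` lines the script greps out, and only then diffs them. The sample captures, the hostname `asa` and the address 192.0.2.1 are constructed.

```python
import difflib
import re

# Constructed sample captures (not from the thread): the same ASA seen on two
# runs. The second run differs only in uptime and in the SSH session tail that
# the thread describes (blank lines plus "Connection to ... closed by remote host").
PREVIOUS = """\
term pager 0
asa# show version | grep -v Configuration last| up
Cisco Adaptive Security Appliance Software Version 9.1(2)
asa up 12 days 3 hours
asa# show running-config
: Saved
hostname asa
interface GigabitEthernet0/0
 nameif outside
 security-level 0
asa#
"""
CURRENT_NOISY = (PREVIOUS.replace("12 days 3 hours", "13 days 1 hour")
                 + "\n\nConnection to 192.0.2.1 closed by remote host.\n")
CURRENT_CHANGED = CURRENT_NOISY.replace("security-level 0", "security-level 100")

_PROMPT = re.compile(r"^[\w.-]+#\s?(.*)$")          # "asa# <echoed command>"
_VOLATILE = re.compile(r"Configuration last| up")  # the alternation the script greps out

def normalise(capture: str) -> list[str]:
    """Return the lines that are worth comparing between two runs."""
    lines = [l.rstrip() for l in capture.splitlines()]
    # Same effect as the script's final expect "*#": nothing after the last
    # prompt is stored, so the session tail cannot trigger a change alert.
    prompts = [i for i, l in enumerate(lines) if _PROMPT.match(l)]
    if prompts:
        lines = lines[:prompts[-1] + 1]
    out, in_show_version = [], False
    for line in lines:
        m = _PROMPT.match(line)
        if m:  # a prompt line tells us which command's output follows
            in_show_version = m.group(1).startswith("show version")
        elif in_show_version and _VOLATILE.search(line):
            continue  # uptime / "Configuration last modified" change every run
        out.append(line)
    return out

def config_diff(previous: str, current: str) -> list[str]:
    """Unified diff of the normalised captures; an empty list means no real change."""
    return list(difflib.unified_diff(normalise(previous), normalise(current),
                                     "last-entry", "current", lineterm="", n=0))

if __name__ == "__main__":
    print("noise only  ->", config_diff(PREVIOUS, CURRENT_NOISY) or "no change")
    print("real change ->", "\n".join(config_diff(PREVIOUS, CURRENT_CHANGED)))
```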
