On Fri, Dec 22, 2017 at 4:55 AM, <[email protected]> wrote:
> When I check /var/ossec/queue/diff/, it seems like there is no
> [user@agent->script] directory. Could I know whether this [user@agent->script]
> directory is created by myself or automatically generated, and if it needs me
> to generate it, what exactly is it, and how do I write the [user@agent->script]
> directory in the right way? If it is just a format, what should I do? Thank you
> again and merry Christmas
>

OSSEC should handle the directory creation.

Can you provide your agentless configuration?

Have you tried running the configured script manually?

>
> On Thursday, December 21, 2017 at 11:06:29 PM UTC+8, Bruce Westbrook wrote:
>>
>> Assuming you have all of the other pieces for agentless monitoring already
>> in place (e.g. you've registered the host/password, enabled agentless
>> monitoring) and installed 'expect' on the system, changes will be tracked in
>> the /var/ossec/queue/diff/[user@agent->script] directory. The last-entry
>> file will contain the full configuration being checked against while the
>> diff.[epoch] files contain changes found at those times.
>>
>> I've not monitored Cisco switches so I can't speak to whether they will
>> work as-is or require some additional modifications to work with those
>> devices. But looks like Dan is offering to help with that.
>>
>>
>> On Thursday, December 21, 2017 at 12:24:57 AM UTC-5, [email protected]
>> wrote:
>>>
>>> Hi westbrook,
>>>
>>> When I followed your script, there is something new showing
>>> "ssh_pix monitors myswitch@IP starting", which is shown in the attached pictures.
>>>
>>> But I am checking the logs in alert.json and ossec.log; which one will show
>>> the monitoring result when I change some configuration in my Cisco switch?
>>>
>>> Thank you for helping me.
>>>
>>>
>>> On Tuesday, December 19, 2017 at 11:28:15 PM UTC+8, Bruce Westbrook
>>> wrote:
>>>>
>>>> I came across this issue myself when configuring Cisco ASA firewalls
>>>> with OSSEC v2.8.3. I found that both the ssh_pixconfig_diff (PIX) and
>>>> ssh_asa-fwsmconfig_diff (ASA) scripts have some issues with them,
>>>> including:
>>>>
>>>> • Expect statement has the wrong case used for some responses (e.g.
>>>>   Password instead of password);
>>>> • SSH is set specifically to use DES only;
>>>> • Output from the SSH session will include extra newlines and "Connection
>>>>   to [host] closed by remote host" at times, triggering false positive change
>>>>   alerts.
>>>>
>>>> To address these issues I created a customized script. I can provide
>>>> you the whole script, but specifically to address your issue you can simply
>>>> try making one change in your own script. In your ssh_pixconfig_diff
>>>> script, locate this line:
>>>>
>>>>     spawn ssh -c des $hostname
>>>>
>>>> Remark that line out and use this one instead:
>>>>
>>>>     spawn ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 $hostname
>>>>
>>>> If you encounter some of the other issues, here's my entire revised
>>>> script that works for me - all the highlights are changes from the original
>>>> script (based on the ASA script, not the PIX script):
>>>>
>>>> #!/usr/bin/env expect
>>>>
>>>> ###############################################################################
>>>> #
>>>> # PROGRAM:      ssh_asa-custom_diff
>>>> # AUTHOR:       Bruce A. Westbrook
>>>> # DATE:         2017-04-27
>>>> # PURPOSE:      Check ASA for configuration changes
>>>> #
>>>> # DEPENDENCIES:
>>>> #   expect
>>>> #
>>>> # REVISIONS:
>>>> #
>>>> # 2017-04-27 - v1.0
>>>> #   - Initial release, forked from the OSSEC provided
>>>> #     "ssh_asa-fwsmconfig_diff" script
>>>> #
>>>> ###############################################################################
>>>>
>>>> # Agentless monitoring
>>>> #
>>>> # Copyright (C) 2009 Trend Micro Inc.
>>>> # All rights reserved.
>>>> #
>>>> # This program is a free software; you can redistribute it
>>>> # and/or modify it under the terms of the GNU General Public
>>>> # License (version 2) as published by the FSF - Free Software
>>>> # Foundation.
>>>>
>>>> # Send log entry that we're starting to run
>>>> send_user "\nINFO: Starting....\n"
>>>>
>>>> if {$argc < 1} {
>>>>     send_user "ERROR: ssh_asa-custom_diff <hostname> <commands>\n";
>>>>     send_user "ERROR: Must be run from /var/ossec\n";
>>>>     exit 1;
>>>> }
>>>>
>>>> # NOTE: this script must be called from within /var/ossec for it to work.
>>>> set passlist "agentless/.passlist"
>>>> set hostname [lindex $argv 0]
>>>> set commands [lrange $argv 1 end]
>>>> set pass "x"
>>>> set addpass "x"
>>>> set timeout 20
>>>>
>>>> set lastentry "queue/diff/$hostname-\>ssh_asa-custom_diff/last-entry"
>>>>
>>>> if {[string compare $hostname "test"] == 0} {
>>>>     if {[string compare $commands "test"] == 0} {
>>>>         exit 0;
>>>>     }
>>>> }
>>>>
>>>> # Reading the password list.
>>>> if [catch {
>>>>     set in [open "$passlist" r]
>>>> } loc_error] {
>>>>     send_user "ERROR: Password list not present (use \"register_host\" first).\n"
>>>>     exit 1;
>>>> }
>>>>
>>>> while {[gets $in line] != -1} {
>>>>     set me [string first "|" $line]
>>>>     set me2 [string last "|" $line]
>>>>     set length [string length $line]
>>>>
>>>>     if {$me == -1} {
>>>>         continue;
>>>>     }
>>>>     if {$me2 == -1} {
>>>>         continue;
>>>>     }
>>>>     if {$me == $me2} {
>>>>         continue;
>>>>     }
>>>>
>>>>     set me [expr $me-1]
>>>>     set me2 [expr $me2-1]
>>>>
>>>>     set host_list [string range $line 0 $me]
>>>>     set me [expr $me+2]
>>>>     set pass_list [string range $line $me $me2]
>>>>     set me2 [expr $me2+2]
>>>>     set addpass_list [string range $line $me2 $length]
>>>>
>>>>     if {[string compare $host_list $hostname] == 0} {
>>>>         set pass "$pass_list"
>>>>         set addpass "$addpass_list"
>>>>         break
>>>>     }
>>>> }
>>>> close $in
>>>>
>>>> if {[string compare $pass "x"] == 0} {
>>>>     send_user "ERROR: Password for '$hostname' not found.\n"
>>>>     exit 1;
>>>> }
>>>>
>>>> # SSHing to the box and passing the directories to check.
>>>> # Fix for SSH issue with poor DES cipher and inability to connect.
>>>> if [catch {
>>>>     # spawn ssh -c des $hostname
>>>>     spawn ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 $hostname
>>>> } loc_error] {
>>>>     send_user "ERROR: Opening connection: $loc_error.\n"
>>>>     exit 1;
>>>> }
>>>>
>>>> expect {
>>>>     "WARNING: REMOTE HOST" {
>>>>         send_user "ERROR: RSA host key for '$hostname' has changed. Unable to access.\n"
>>>>         exit 1;
>>>>     }
>>>>     "*sure you want to continue connecting*" {
>>>>         send "yes\r"
>>>>         expect "* password:*" {
>>>>             send "$pass\r"
>>>>
>>>>             expect {
>>>>                 "Permission denied" {
>>>>                     send_user "ERROR: Incorrect password to remote host: $hostname .\n"
>>>>                     exit 1;
>>>>                 }
>>>>                 timeout {
>>>>                     send_user "ERROR: Timeout while running on host (too long to finish): $hostname .\n"
>>>>                     exit 1;
>>>>                 }
>>>>                 "*>" {
>>>>                     send_user "\nINFO: Starting.\n"
>>>>                 }
>>>>             }
>>>>         }
>>>>     }
>>>>     "ssh: connect to host*" {
>>>>         send_user "ERROR: Unable to connect to remote host: $hostname .\n"
>>>>         exit 1;
>>>>     }
>>>>     "no address associated with name" {
>>>>         send_user "ERROR: Unable to connect to remote host: $hostname .\n"
>>>>         exit 1;
>>>>     }
>>>>     "*Connection refused*" {
>>>>         send_user "ERROR: Unable to connect to remote host: $hostname .\n"
>>>>         exit 1;
>>>>     }
>>>>     "*Connection closed by remote host*" {
>>>>         send_user "ERROR: Unable to connect to remote host: $hostname .\n"
>>>>         exit 1;
>>>>     }
>>>>     "* password:*" {
>>>>         send "$pass\r"
>>>>
>>>>         expect {
>>>>             "Permission denied" {
>>>>                 send_user "ERROR: Incorrect password to remote host: $hostname .\n"
>>>>                 exit 1;
>>>>             }
>>>>             timeout {
>>>>                 send_user "ERROR: Timeout while running on host (too long to finish): $hostname .\n"
>>>>                 exit 1;
>>>>             }
>>>>             "*>" {
>>>>                 send_user "INFO: Starting.\n"
>>>>             }
>>>>         }
>>>>     }
>>>>     timeout {
>>>>         send_user "ERROR: Timeout while connecting to host: $hostname .\n"
>>>>         exit 1;
>>>>     }
>>>> }
>>>>
>>>> # Going into enable mode.
>>>> send "enable\r"
>>>> expect {
>>>>     "Password:" {
>>>>         send "$addpass\r"
>>>>
>>>>         expect {
>>>>             "*asswor*" {
>>>>                 send_user "ERROR: Incorrect enable password to remote host: $hostname .\n"
>>>>                 exit 1;
>>>>             }
>>>>             "*rror in authenticatio*" {
>>>>                 send_user "ERROR: Incorrect enable password to remote host: $hostname .\n"
>>>>                 exit 1;
>>>>             }
>>>>             timeout {
>>>>                 send_user "ERROR: Timeout while going to enable mode on host: $hostname .\n"
>>>>                 exit 1;
>>>>             }
>>>>             "*#" {
>>>>                 send_user "\nok on enable pass\n"
>>>>             }
>>>>         }
>>>>     }
>>>>     timeout {
>>>>         send_user "ERROR: Timeout while running enable on host: $hostname .\n"
>>>>         exit 1;
>>>>     }
>>>> }
>>>>
>>>> # Sending commands
>>>> set timeout 60
>>>>
>>>> ###########################################################
>>>> # FROM THIS POINT (THE send_user "\nSTORE: now\n" COMMAND)
>>>> # UNTIL THE EXIT, ALL OUTPUT IS SAVED.
>>>> ###########################################################
>>>> # Begin storing all stdout
>>>> send_user "\nSTORE: now\n"
>>>> # Set our terminal pager to 0 so all our command output on the ASA goes by without paging
>>>> send "term pager 0\r"
>>>> expect "*#"
>>>> # Show version info, but excluding uptime from the output since it changes every time
>>>> send "show version | grep -v Configuration last| up\r"
>>>> expect "*#"
>>>> # Show our running configuration
>>>> send "show running-config\r"
>>>> expect "*#"
>>>> # Send any additional commands sent from our OSSEC config for this agentless device
>>>> send "$commands\r"
>>>> ###################################################################################
>>>> # BUGFIX - We'll stop storing data before we close our connection because we keep
>>>> #          getting alerts on changes due to some quirkiness with SSH on the ASA.
>>>> #          It adds an additional "Connection to..closed by remote host" sometimes
>>>> #          as well as an additional newline at times. Added the expect "*#" to
>>>> #          exit out rather than the EOF, thereby eliminating saving the extraneous
>>>> #          output that sometimes occurs and gives a false positive for changes.
>>>> ###################################################################################
>>>> expect {
>>>>     "*#" {
>>>>         send_user "\nINFO: Finished at #.\n"
>>>>         send "exit\r"
>>>>         exit 0;
>>>>     }
>>>>     timeout {
>>>>         send_user "ERROR: Timeout while running commands on host: $hostname .\n"
>>>>         exit 1;
>>>>     }
>>>>     eof {
>>>>         send_user "\nINFO: Finished at EOF.\n"
>>>>         exit 0;
>>>>     }
>>>> }
>>>>
>>>> send_user "ERROR: Unable to finish properly.\n"
>>>> exit 1;
>>>>
>>>>
>>>> On Monday, December 18, 2017 at 10:40:33 PM UTC-5, [email protected]
>>>> wrote:
>>>>>
>>>>> Hey guys, I really need your help right now. When I configure the OSSEC
>>>>> agentless mode, I came across this problem, which shows
>>>>>
>>>>> I really have no idea why this problem came out. And it definitely
>>>>> affects my configuration to monitor a Cisco switch. Thank you for helping,
>>>>> sincerely
>>>>>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
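As an added illustration that is not OSSEC's own code and not from anyone in this thread, the Python below models what Bruce describes: everything the script prints after its "STORE: now" line is the stored configuration, it is compared against queue/diff/[host->script]/last-entry, and a diff.[epoch] file is written only when something really changed. It also drops the trailing "Connection to ... closed by remote host" line and extra newlines that the script's BUGFIX comment blames for false positives; the host name fw1, the sample config lines and the noise pattern are constructed for the demo.

```python
import difflib, re, tempfile, time
from pathlib import Path

STORE_MARKER = "STORE: now"
# SSH teardown line the thread reports as a false-positive source (constructed pattern).
NOISE_RE = re.compile(r"^Connection to \S+ closed by remote host\.?\s*$")

def extract_stored(output: str) -> str:
    """Keep only output after 'STORE: now', minus the teardown line and trailing blanks."""
    lines = output.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == STORE_MARKER:
            kept = [l for l in lines[i + 1:] if not NOISE_RE.match(l)]
            while kept and not kept[-1].strip():
                kept.pop()
            return "\n".join(kept) + "\n" if kept else ""
    return ""  # marker never seen: nothing to store

def check_for_changes(output: str, diff_dir: Path, epoch=None):
    """Compare with last-entry; on change write diff.<epoch>, refresh last-entry, return diff."""
    diff_dir.mkdir(parents=True, exist_ok=True)
    last_entry = diff_dir / "last-entry"
    current = extract_stored(output)
    if not last_entry.exists():  # first run: record the baseline only
        last_entry.write_text(current)
        return None
    previous = last_entry.read_text()
    if previous == current:
        return None
    diff = "".join(difflib.unified_diff(previous.splitlines(True), current.splitlines(True),
                                        "last-entry", "current"))
    (diff_dir / f"diff.{epoch or int(time.time())}").write_text(diff)
    last_entry.write_text(current)
    return diff

def run_demo():
    """Three constructed runs in one temp diff directory (hypothetical host 'fw1')."""
    base = "INFO: Starting....\nSTORE: now\nhostname fw1\ninterface Vlan1\n ip address 10.0.0.1\n"
    noisy = base + "\n\nConnection to fw1 closed by remote host.\n"
    changed = base.replace("10.0.0.1", "10.0.0.2")
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / "fw1->ssh_asa-custom_diff"
        first = check_for_changes(base, d, 1)     # baseline: no diff file
        second = check_for_changes(noisy, d, 2)   # noise only: no alert
        third = check_for_changes(changed, d, 3)  # real change: diff.3 written
        names = sorted(p.name for p in d.iterdir())
    return first, second, third, names
```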
