Hello westbrook,



<https://lh3.googleusercontent.com/-E8F-HW0Kbmc/Wk30g41V8qI/AAAAAAAAAuk/XfMERzmOxlIh1ATXApfi50T2uqxgaL9KACLcBGAs/s1600/1515058273806.jpg>
I am trying to set up OSSEC agentless on ASA; it seems the code is no 
problem. But I have a question for you. When I implement the configuration file, 
is <state>periodic_diff</state> correct? And where can I see the change 
log for agentless? With the OSSEC agent, we normally use 
/var/ossec/log/alert/alert.json. How about agentless? Thank you so much.
Above are two questions. Happy new year!!

FYI:

<https://lh3.googleusercontent.com/-1zldwQzNQck/Wk31maKyPyI/AAAAAAAAAuw/Ts5kj1prp2cXlR1DBX1tp3D929rXJJmAQCLcBGAs/s1600/WX20180104-173510%25402x.png>


On Tuesday, December 19, 2017 at 11:28:15 PM UTC+8, Bruce Westbrook wrote:
>
> I came across this issue myself when configuring Cisco ASA firewalls with 
> OSSEC v2.8.3.  I found that both the ssh_pixconfig_diff (PIX) and 
> ssh_asa-fwsmconfig_diff (ASA) scripts have some issues with them, 
> including:
>
> • Expect statement has the wrong case used for some responses (e.g. 
> Password instead of password);
> • SSH is set specifically to use DES only
> • Output from the SSH session will include extra newlines and Connection 
> to [host] closed by remote host at times, triggering false positive change 
> alerts.
>
> To address these issues I created a customized script.  I can provide you 
> the whole script, but specifically to address your issue you can simply try 
> making one change in your own script.  In your ssh_pixconfig_diff script, 
> locate this line:
>
> spawn ssh -c des $hostname
>
> Remark that line out and use this one instead:
>
> spawn ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 $hostname
>
>
> If you encounter some of the other issues, here's my entire revised script 
> that works for me - all the highlights are changes from the original script 
> (based on the ASA script, not the PIX script):
>
> #!/usr/bin/env expect
>
> ###############################################################################
> #
> # PROGRAM:  ssh_asa-custom_diff
> # AUTHOR:   Bruce A. Westbrook
> # DATE:     2017-04-27
> # PURPOSE:  Check ASA for configuration changes
> #
> # DEPENDENCIES:
> #           expect
> #
> # REVISIONS:
> #
> #           2017-04-27 - v1.0
> #             - Initial release, forked from the OSSEC provided
> #               "ssh_asa-fwsmconfig_diff" script
> #
> ###############################################################################
>
> # Agentless monitoring
> #
> # Copyright (C) 2009 Trend Micro Inc.
> # All rights reserved.
> #
> # This program is a free software; you can redistribute it
> # and/or modify it under the terms of the GNU General Public
> # License (version 2) as published by the FSF - Free Software
> # Foundation.
>
> # Send log entry that we're starting to run
> send_user "\nINFO: Starting....\n"
>
> if {$argc < 1} {
>     send_user "ERROR: ssh_asa-custom_diff <hostname> <commands>\n";
>     send_user "ERROR: Must be run from /var/ossec\n";
>     exit 1;
> }
>
>
> # NOTE: this script must be called from within /var/ossec for it to work.
> set passlist "agentless/.passlist"
> set hostname [lindex $argv 0]
> set commands [lrange $argv 1 end]
> set pass "x"
> set addpass "x"
> set timeout 20
>
> set lastentry "queue/diff/$hostname-\>ssh_asa-custom_diff/last-entry"
>
> if {[string compare $hostname "test"] == 0} {
>     if {[string compare $commands "test"] == 0} {
>         exit 0;
>     }
> }
>
> # Reading the password list.
> if [catch {
>     set in [open "$passlist" r]
> } loc_error] {
>     send_user "ERROR: Password list not present (use \"register_host\" first).\n"
>     exit 1;
> }
>
> while {[gets $in line] != -1} {
>         set me [string first "|" $line]
>         set me2 [string last "|" $line]
>         set length [string length $line]
>
>         if {$me == -1} {
>             continue;
>         }
>         if {$me2 == -1} {
>             continue;
>         }
>         if {$me == $me2} {
>             continue;
>         }
>
>         set me [expr $me-1]
>         set me2 [expr $me2-1]
>
>         set host_list [string range $line 0 $me]
>         set me [expr $me+2]
>         set pass_list [string range $line $me $me2]
>         set me2 [expr $me2+2]
>         set addpass_list [string range $line $me2 $length]
>
>         if {[string compare $host_list $hostname] == 0} {
>             set pass "$pass_list"
>             set addpass "$addpass_list"
>             break
>         }
> }
> close $in
>
>
> if {[string compare $pass "x"] == 0} {
>     send_user "ERROR: Password for '$hostname' not found.\n"
>     exit 1;
> }
>
>
> # SSHing to the box and passing the directories to check.
> # Fix for SSH issue with poor DES cipher and inability to connect.
> if [catch {
> #    spawn ssh -c des $hostname
>     spawn ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 $hostname
> } loc_error] {
>     send_user "ERROR: Opening connection: $loc_error.\n"
>     exit 1;
> }
>
> expect {
>     "WARNING: REMOTE HOST" {
>         send_user "ERROR: RSA host key for '$hostname' has changed. Unable to access.\n"
>         exit 1;
>     }
>     "*sure you want to continue connecting*" {
>         send "yes\r"
>         expect "* password:*" {
>             send "$pass\r"
>
>             expect {
>                 "Permission denied" {
>                     send_user "ERROR: Incorrect password to remote host: $hostname .\n"
>                     exit 1;
>                 }
>                 timeout {
>                     send_user "ERROR: Timeout while running on host (too long to finish): $hostname .\n"
>                     exit 1;
>                 }
>                 "*>" {
>                     send_user "\nINFO: Starting.\n"
>                 }
>             }
>         }
>     }
>     "ssh: connect to host*" {
>         send_user "ERROR: Unable to connect to remote host: $hostname .\n"
>         exit 1;
>     }
>     "no address associated with name" {
>         send_user "ERROR: Unable to connect to remote host: $hostname .\n"
>         exit 1;
>     }
>     "*Connection refused*" {
>         send_user "ERROR: Unable to connect to remote host: $hostname .\n"
>         exit 1;
>     }
>     "*Connection closed by remote host*" {
>         send_user "ERROR: Unable to connect to remote host: $hostname .\n"
>         exit 1;
>     }
>     "* password:*" {
>         send "$pass\r"
>
>         expect {
>             "Permission denied" {
>                 send_user "ERROR: Incorrect password to remote host: $hostname .\n"
>                 exit 1;
>             }
>             timeout {
>                 send_user "ERROR: Timeout while running on host (too long to finish): $hostname .\n"
>                 exit 1;
>             }
>             "*>" {
>                 send_user "INFO: Starting.\n"
>             }
>         }
>     }
>     timeout {
>         send_user "ERROR: Timeout while connecting to host: $hostname . \n"
>         exit 1;
>     }
> }
>
> # Going into enable mode.
> send "enable\r"
> expect {
>     "Password:" {
>         send "$addpass\r"
>
>         expect {
>             "*asswor*" {
>                 send_user "ERROR: Incorrect enable password to remote host: $hostname .\n"
>                 exit 1;
>             }
>             "*rror in authenticatio*" {
>                 send_user "ERROR: Incorrect enable password to remote host: $hostname .\n"
>                 exit 1;
>             }
>             timeout {
>                 send_user "ERROR: Timeout while going to enable mode on host: $hostname .\n"
>                 exit 1;
>             }
>             "*#" {
>                 send_user "\nok on enable pass\n"
>             }
>         }
>     }
>     timeout {
>         send_user "ERROR: Timeout while running enable on host: $hostname .\n"
>         exit 1;
>     }
> }
>
>
>
> # Sending commands
> set timeout 60
>
> ###########################################################
> # FROM THIS POINT (THE send_user "\nSTORE: now\n" COMMAND)
> # UNTIL THE EXIT, ALL OUTPUT IS SAVED.
> ###########################################################
> # Begin storing all stdout
> send_user "\nSTORE: now\n"
> # Set our terminal pager to 0 so all our command output on the ASA goes by without paging
> send "term pager 0\r"
> expect "*#"
> # Show version info, but excluding uptime from the output since it changes every time
> send "show version | grep -v Configuration last| up\r"
> expect "*#"
> # Show our running configuration
> send "show running-config\r"
> expect "*#"
> # Send any additional commands sent from our OSSEC config for this agentless device
> send "$commands\r"
>
> ###################################################################################
> # BUGFIX - We'll stop storing data before we close our connection because we keep
> #          getting alerts on changes due to some quirkiness with SSH on the ASA.
> #          It adds an additional "Connection to..closed by remote host" sometimes
> #          as well as an additional newline at times.  Added the expect "*#" to
> #          exit out rather than the EOF, thereby eliminating saving the extraneous
> #          output that sometimes occurs and gives a false positive for changes.
> ###################################################################################
> expect {
>     "*#" {
>         send_user "\nINFO: Finished at #.\n"
>         send "exit\r"
>         exit 0;
>     }
>     timeout {
>         send_user "ERROR: Timeout while running commands on host: $hostname .\n"
>         exit 1;
>     }
>     eof {
>         send_user "\nINFO: Finished at EOF.\n"
>         exit 0;
>     }
> }
>
> send_user "ERROR: Unable to finish properly.\n"
> exit 1;
>
>
> On Monday, December 18, 2017 at 10:40:33 PM UTC-5, [email protected] 
> wrote:
>>
>>
>> <https://lh3.googleusercontent.com/-Zk7oShbOtHc/WjiJUM68YXI/AAAAAAAAAqk/zl8EVXKWfzcibOdIV569-VakxO44w-SFwCLcBGAs/s1600/Pasted%2BGraphic.tiff>
>>
>>
>> Hey guys, I really need your help right now. When I configure the OSSEC 
>> agentless mode, I came across this problem, which is shown at 
>> <https://lh3.googleusercontent.com/-US62qs3J_-Y/WjiJzB_8shI/AAAAAAAAAqo/WKt0Oj15Dis3uotD58mtq12qBEn9D66aQCLcBGAs/s1600/Pasted%2BGraphic.tiff>
>>
>>
>>
>> I really have no idea why this problem came out. And it definitely affects 
>> my configuration to monitor the Cisco switch. Thank you for helping, sincerely
>>
>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
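As an added illustration (not code from this thread, from Bruce's script, or from OSSEC itself) of why the revised script stops storing output at the `#` prompt instead of running to EOF: a small Python model of the agentless comparison. OSSEC keeps everything the script prints after the `STORE: now` marker and alerts when it differs from the last run, so the stray "Connection to ... closed by remote host" line and trailing newlines alone change the stored state. The sample captures, the noise pattern and the normalization step are constructed assumptions for illustration; OSSEC's own comparison is a plain diff without them.

```python
import difflib
import re

# Marker after which an OSSEC agentless script's stdout is saved as device state.
STORE_MARKER = "STORE: now"

# SSH teardown noise described in the thread (pattern assumed for illustration):
# an extra "Connection to <host> closed ..." line appended when the session
# is allowed to run to EOF instead of being cut at the "#" prompt.
SSH_NOISE = re.compile(r"^Connection to \S+ closed( by remote host)?\.?\s*$")


def stored_output(capture: str) -> str:
    """Return the part of a session capture after the STORE marker (what OSSEC saves)."""
    marker_at = capture.find(STORE_MARKER)
    if marker_at == -1:
        return ""
    return capture[marker_at + len(STORE_MARKER):]


def normalize(state: str) -> list:
    """Drop SSH teardown noise and leading/trailing blank lines so only device output is compared."""
    lines = [ln.rstrip() for ln in state.splitlines()]
    lines = [ln for ln in lines if not SSH_NOISE.match(ln)]
    while lines and lines[-1] == "":
        lines.pop()
    while lines and lines[0] == "":
        lines.pop(0)
    return lines


def config_changes(previous_capture: str, current_capture: str) -> list:
    """Changed lines (+/-) between two captures after normalization; empty list means no alert."""
    before = normalize(stored_output(previous_capture))
    after = normalize(stored_output(current_capture))
    diff = list(difflib.unified_diff(before, after, lineterm="", n=0))
    # diff[0:2] are the ---/+++ headers; "@@" hunk headers are skipped by the prefix test.
    return [ln for ln in diff[2:] if ln.startswith(("+", "-"))]


# Constructed sample captures (not real ASA output).
BASELINE = (
    "INFO: Starting....\nSTORE: now\nterm pager 0\nasa# show running-config\n"
    "hostname asa\naccess-list OUT extended permit tcp any host 10.0.0.5 eq 443\nasa#"
)
NOISY_RUN = BASELINE + "\n\nConnection to asa closed by remote host.\n\n"
REAL_CHANGE = BASELINE.replace("eq 443", "eq 22")
```

A raw comparison of `stored_output(BASELINE)` and `stored_output(NOISY_RUN)` differs, which is the false positive the BUGFIX comment describes; `config_changes` reports nothing for the noisy run but still flags the edited access-list line.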