Agentless not writing what changes are detected


Gaetan Noel

Apr 6, 2015, 11:11:32 AM
to ossec...@googlegroups.com
Hello,

We have managed to get our agentless working; the only issue I have now is the event not telling me what change has been detected. Here's a sample of that event:

Alert Level: 7; Rule: 555 - Integrity checksum for agentless device changed.; Location: (ssh_pixconfig_diff) user@ip ->agentless; ossec: agentless: Change detected:

It does that for all agentless devices; would you have an idea why?

Thanks,
Gaetan

Gaetan Noel

Apr 8, 2015, 9:40:48 AM
to ossec...@googlegroups.com
Does anyone have an idea of where I could look?

dan (ddp)

Apr 8, 2015, 12:38:31 PM
to ossec...@googlegroups.com


On Apr 8, 2015 9:40 AM, "Gaetan Noel" <gae...@gmail.com> wrote:
>
> Does anyone have an idea of where I could look?
>

Does rule 555 have check_diff set?

> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

Brent Morris

Apr 8, 2015, 2:49:18 PM
to ossec...@googlegroups.com
Thanks for the question. Mine's apparently been broken for quite some time!

Are you just grepping the alerts.log or are you being alerted via email? You look like you're posting out of the alerts.log... you might add grep -A 10 agentless alerts.log

Here's the example I'm seeing via email now that I've fixed mine...

Also, do you really have a PIX?  If you have an ASA, the ssh_asa-fwsmconfig_diff might be the way to go.  I know the PIX script has an issue with the expect password.

OSSEC HIDS Notification.
2015 Apr 08 11:37:39
Received From: (ssh_asa-fwsmconfig_diff) us...@1.2.3.4->agentless
Rule: 555 fired (level 7) -> "Integrity checksum for agentless device changed."
Portion of the log(s):
ossec: agentless: Change detected:
56c56
< Botnet Traffic Filter             : Enabled        458 days
---
> Botnet Traffic Filter             : Enabled        457 days
375c375
< ssh timeout 59
---
> ssh timeout 51
More changes..

 --END OF NOTIFICATION


Gaetan Noel

Apr 8, 2015, 3:16:22 PM
to ossec...@googlegroups.com
Thanks for your help guys.

You are right Brent, the alert.log has all the info. The issue I have is with Splunk: everything gets sent via syslog and the event is as I pasted above. For the alert.log here's what I get:

** Alert 1428518183.14013429: - syslog,sshd,recon,
--
Rule: 555 (level 7) -> 'Integrity checksum for agentless device changed.'
ossec: agentless: Change detected:
1404c1404
< ntp clock-period 22519145
---
> ntp clock-period 22519163
2806a2807
> Connection to x.x.x.x closed by remote host.

That script doesn't give me any problem; it seems to work fine, although I should probably change something so it doesn't alert me for the NTP change. May I ask what command you are running?

Thanks,
Gaetan

Brent Morris

Apr 8, 2015, 3:36:00 PM
to ossec...@googlegroups.com
Yeah, I realized I'm going to get an alert every day for the botnet filter license counter too.

Which command are you referring to?

Gaetan Noel

Apr 8, 2015, 6:34:26 PM
to ossec...@googlegroups.com
The one you are running on your switches. I'm using "show config". Actually it might be easier to filter out ntp results.

Any idea why the syslog output is not showing the full changes?

Brent Morris

Apr 8, 2015, 6:50:09 PM
to ossec...@googlegroups.com
Oh, the script uses basic sh run and sh ver - if you want to filter out the ntp offset, you may consider changing the following in your ssh_pixconfig_diff:

send "show running-config\r"

change to:

send "show running-config | grep -v ntp clock-period\r"

then test... but I do think the ossec alert log is showing all the changes. I would have to test with more changes to verify that.
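As an added example (not code from this thread or from OSSEC), here is a small Python post-processor for the two problems discussed above: it parses the multi-line alerts.log entry, drops diff hunks that only contain churn such as the ntp clock-period counter or the botnet filter day count, and flattens whatever remains into one line so a syslog forwarder carries the whole change instead of just the "Change detected:" header. The sample alert is constructed from the lines posted in the thread, with the third hunk (ssh timeout) assumed.

```python
import re

# Constructed sample in the alerts.log layout posted in the thread (third hunk assumed).
SAMPLE_ALERT = """** Alert 1428518183.14013429: - syslog,sshd,recon,
Rule: 555 (level 7) -> 'Integrity checksum for agentless device changed.'
ossec: agentless: Change detected:
1404c1404
< ntp clock-period 22519145
---
> ntp clock-period 22519163
2806a2807
> Connection to x.x.x.x closed by remote host.
2810c2810
< ssh timeout 59
---
> ssh timeout 51
"""

# Normal-diff hunk headers as the agentless scripts emit them (1404c1404, 2806a2807, 3,5c3,4, 12d11).
HUNK_HEADER = re.compile(r"^\d+(,\d+)?[acd]\d+(,\d+)?$")
# Lines that differ on every poll without any real configuration change.
NOISE = [re.compile(p) for p in (
    r"^ntp clock-period \d+$",
    r"^Connection to \S+ closed by remote host\.$",
    r"^Botnet Traffic Filter\s+: Enabled\s+\d+ days$",
)]

def parse_hunks(alert_text):
    """Return [(header, [changed lines with their </> marker])] found after 'Change detected:'."""
    hunks, in_diff = [], False
    for line in alert_text.splitlines():
        if line.endswith("Change detected:"):
            in_diff = True
        elif in_diff and HUNK_HEADER.match(line):
            hunks.append((line, []))
        elif in_diff and hunks and line[:2] in ("< ", "> "):
            hunks[-1][1].append(line)   # '---' separator lines carry no content
    return hunks

def is_noise(hunk):
    changed = hunk[1]   # noise only if every changed line matches a NOISE pattern
    return bool(changed) and all(any(p.match(l[2:]) for p in NOISE) for l in changed)

def flatten_alert(alert_text):
    """One syslog-safe line holding the meaningful hunks, or None if only noise changed."""
    keep = [h for h in parse_hunks(alert_text) if not is_noise(h)]
    if not keep:
        return None
    body = " ; ".join(header + " " + " | ".join(changed) for header, changed in keep)
    return "ossec: agentless: Change detected: " + body
```

Feed it the output of grep -A 10 agentless alerts.log (or a tail on the file) and forward the returned line; a None result is an alert worth suppressing rather than shipping to Splunk.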