Agents under DHCP


Dave S

Dec 12, 2009, 7:00:13 PM
to ossec-list
How does OSSEC handle agents running on systems that are assigned
dynamic addresses?
Specifically, what if a client's address changes from one day to the
next?

ddp...@gmail.com

Dec 12, 2009, 8:47:48 PM
to ossec...@googlegroups.com
Everything should work just fine. When adding the agent make sure you specify the dhcp range as the IP address.

Sent from my Nokia phone

Jeremy Rossi

Dec 12, 2009, 10:32:32 PM
to ossec...@googlegroups.com
This can be worked around using CIDR notation for the address of the agent. Full details can be found here: http://www.ossec.net/wiki/Know_How:DynamicIPs

-
Jeremy Rossi
e: look at the headers people
t: http://twitter.com/jrossi

Bryant, Charlie

Dec 13, 2009, 2:06:23 PM
to ossec...@googlegroups.com
Just tried this. Cool. And of course, it raises another question.

Here's my first hit from it. It gives the source IP as a.b.c.0. How do I tell which of my (so far, two) test workstations running the agent from dhcp addresses fired the rule?

Thanks.



OSSEC HIDS Notification.
2009 Dec 13 13:32:17

Received From: (dhcp) a.b.c.0->rootcheck
Rule: 513 fired (level 9) -> "Windows malware detected."
Portion of the log(s):

Windows Malware: Anti-virus site on the hosts file. File: C:\WINDOWS\System32\Drivers\etc\HOSTS.



Bryant, Charlie

Dec 13, 2009, 2:28:01 PM
to ossec...@googlegroups.com

Or do I even need to install the agent on dhcp workstations? If I create the a.b.c.0/24 with manage_agents, will it monitor everyone on that subnet?


Thanks,

Charlie

Wim Remes

Dec 14, 2009, 5:10:42 AM
to ossec...@googlegroups.com
Charlie,

You will need to install it on every workstation for them to be able to report to the OSSEC server.

Normally the OSSEC event includes the client name which it received the report from. I haven't used the client with dynamic IP addresses, so I can't confirm the behaviour you would expect in that environment.

Cheers,

Wim
--
Wim Remes
Security Aficionado

Dave S

Dec 14, 2009, 11:56:39 AM
to ossec-list
It seems odd at first, but you add multiple agents to the server, each
with their own unique name but with the same CIDR network address.
OSSEC sorts them out by name just fine with the two DHCP clients I'm
testing.

The only potential hiccup there is if you have a real "road warrior" on a
laptop who roams from outside your LAN: he'll be attaching with an
address outside the normal DHCP range. Haven't tested that
case... yet.

Good luck,
Dave
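The following is an added example, not code from the thread or from the OSSEC project, that illustrates the points raised above: Jeremy's CIDR registration, Charlie's question about why the alert shows "(dhcp) a.b.c.0" as the source, and Dave's observations that several agents can share one CIDR and that a roaming laptop outside the range will not match. The client.keys content is constructed (the key values are placeholders), and the matching logic is an assumption about how the server identifies a dynamic-IP agent: the agent presents its ID, and the server accepts it only if the packet's source address falls inside the address or CIDR registered for that ID. The alert's "Received From" line is built the same way the thread's alert reads: the agent name in parentheses, then the registered network address.

```python
import ipaddress

# Constructed sample in the layout of OSSEC's client.keys: "ID NAME IP KEY".
# Two DHCP workstations share the same /24 but have distinct names and IDs,
# as Dave S describes; a third host has a fixed address. Keys are placeholders.
SAMPLE_CLIENT_KEYS = """\
001 fileserver 10.0.0.5 0000000000000000000000000000000000000000000000000000000000000001
002 ws-alice 10.0.1.0/24 0000000000000000000000000000000000000000000000000000000000000002
003 ws-bob 10.0.1.0/24 0000000000000000000000000000000000000000000000000000000000000003
"""


def parse_client_keys(text):
    """Parse client.keys lines into dicts; a plain IP becomes a /32 network."""
    agents = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        agent_id, name, addr, key = line.split(None, 3)
        agents.append({
            "id": agent_id,
            "name": name,
            "network": ipaddress.ip_network(addr, strict=False),
            "key": key,
        })
    return agents


def agents_allowed_from(agents, source_ip):
    """All agents whose registered address or CIDR covers source_ip.
    With shared CIDRs this is ambiguous on its own, which is why the
    agent ID is needed as well (see resolve_agent)."""
    ip = ipaddress.ip_address(source_ip)
    return [a for a in agents if ip in a["network"]]


def resolve_agent(agents, agent_id, source_ip):
    """Assumed server-side check: look the agent up by the ID it presents,
    then require the packet's source IP to be inside that agent's
    registered address/CIDR. Returns the agent dict, or None when the ID
    is unknown or the source lies outside the range (Dave's road warrior)."""
    ip = ipaddress.ip_address(source_ip)
    for agent in agents:
        if agent["id"] == agent_id:
            return agent if ip in agent["network"] else None
    return None


def format_received_from(agent, location):
    """Render the 'Received From' line as it appears in the thread's alert:
    '(agent name) registered address->location'. For a CIDR-registered agent
    the registered address is the network address, e.g. a.b.c.0, which is why
    the name in parentheses, not the address, identifies the workstation."""
    return "(%s) %s->%s" % (agent["name"], agent["network"].network_address, location)


if __name__ == "__main__":
    agents = parse_client_keys(SAMPLE_CLIENT_KEYS)
    # A packet from the DHCP range matches two registrations by IP alone...
    print([a["name"] for a in agents_allowed_from(agents, "10.0.1.42")])
    # ...but the presented ID picks exactly one of them.
    bob = resolve_agent(agents, "003", "10.0.1.42")
    print(format_received_from(bob, "rootcheck"))
    # A laptop reporting from outside the registered range is rejected.
    print(resolve_agent(agents, "002", "203.0.113.7"))
```

Running the script shows that the alert line for either DHCP workstation carries the same network address (10.0.1.0), so the name in parentheses is what distinguishes them; the final line prints None for the off-LAN source, which is the case Dave has not yet tested.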