ERROR: Invalid ID for the source ip: 'x.x.x.x'


Sinisha Erceg

Apr 7, 2015, 2:55:52 PM
to ossec...@googlegroups.com

Hello,

I apologize in advance for lack of understanding and I’ve attempted to look through the forums but I have inherited OSSEC from a predecessor and I have limited *nix experience. I’ve managed to fix some items but some are still very bewildering.

I’ll start with the error: ERROR: Invalid ID for the source ip: 'x.x.x.x' and the IP addresses they list are nowhere in our agent listing. I’m having issues even trying to discover the host that this error is indicating but there are a whole bunch of these for IP addresses that we have not installed OSSEC on.

Where can I start to look? Again, without going into this too much more, I have attempted to search the forums and can find information generally on this error if the IP is valid but I’m stumped on the fact that it’s giving me this error knowing that those IPs have never been added to the server.

Any assistance would be greatly appreciated.

Sinisha Erceg IT Security Analyst

Eero Volotinen

Apr 7, 2015, 4:11:58 PM
to ossec-list
Hi,

The agent key contains the IP address of the agent, if ANY is not used instead of the IP address.


--
Eero 

Sinisha Erceg

Apr 7, 2015, 4:36:42 PM
to ossec...@googlegroups.com

Thanks Eero for your quick reply.  I am aware of this and we only use either a direct IP address or a subnet range.  Would this still occur using a subnet?  We explicitly do not use ANY.  I may have tested this on a box a while back but it’s nothing that is currently being used for any of our monitored hosts.

Eero Volotinen

Apr 7, 2015, 5:11:28 PM
to ossec-list

Is the source address incorrect? IPsec connections and firewalls with NAT rules can cause this kind of issue.

Try dumping OSSEC traffic on the manager and check that the source IP is correct.

Eero

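To work through Eero's point, an added example (not from this thread or from the OSSEC project) that pulls the source IPs out of "Invalid ID for the source ip" errors and checks each against the client.keys entries (exact IP, subnet, or any). The log lines, key entries and host names are constructed; the file paths are the assumed OSSEC defaults.

```python
import ipaddress
import re

# Constructed sample of ossec.log lines (not real log data).
SAMPLE_LOG = """\
2015/04/07 14:50:01 ossec-remoted: ERROR: Invalid ID for the source ip: '10.0.0.55'
2015/04/07 14:50:03 ossec-remoted: ERROR: Invalid ID for the source ip: '192.0.2.77'
2015/04/07 14:50:09 ossec-remoted: ERROR: Invalid ID for the source ip: '192.0.2.77'
"""

# Constructed sample of /var/ossec/etc/client.keys: <id> <name> <ip|cidr|any> <key>.
SAMPLE_KEYS = """\
001 db01 10.0.1.9 0123456789abcdef0123456789abcdef
002 web02 10.0.0.0/24 fedcba9876543210fedcba9876543210
"""

ERR_RE = re.compile(r"Invalid ID for the source ip: '([^']+)'")


def parse_client_keys(text):
    """Return (agent_id, name, network) per key entry; 'any' covers every address."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].startswith("#"):
            continue
        agent_id, name, addr = parts[:3]
        net = ipaddress.ip_network("0.0.0.0/0" if addr.lower() == "any" else addr, strict=False)
        entries.append((agent_id, name, net))
    return entries


def error_source_ips(log_text):
    """Distinct source IPs named in 'Invalid ID for the source ip' errors."""
    return sorted(set(ERR_RE.findall(log_text)))


def classify(log_text, keys_text):
    """Map each erroring source IP to the key entry covering it, or None.
    None means no exact IP, subnet or 'any' entry covers that source: either
    the host is not in client.keys at all, or the packet's source address was
    rewritten (NAT, IPsec gateway) before it reached the manager."""
    entries = parse_client_keys(keys_text)
    result = {}
    for ip in error_source_ips(log_text):
        addr = ipaddress.ip_address(ip)
        match = next((e for e in entries if addr in e[2]), None)
        result[ip] = f"{match[0]} {match[1]} ({match[2]})" if match else None
    return result


if __name__ == "__main__":
    for ip, entry in classify(SAMPLE_LOG, SAMPLE_KEYS).items():
        print(ip, "->", entry or "no matching client.keys entry")
```

On a live manager, feed it the contents of /var/ossec/logs/ossec.log and /var/ossec/etc/client.keys; to confirm the on-the-wire source as Eero suggests, capture the agent port on the manager (1514/udp by default) with tcpdump and compare the source addresses with the IPs this script reports.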

Sinisha Erceg

Apr 8, 2015, 8:22:21 AM
to ossec...@googlegroups.com
This is the confusing thing Eero...as I mentioned...the IPs that it's listing in the error message do not have any agents on them. I've searched on the servers that are identified and verified no agents exist. I've checked client.keys and I don't see anything listed. Very confused.

I apologize if I'm not providing more detail than you require but if there is something specific you need to verify or validate I'm happy to do so.
--


Sinisha Erceg IT Security Analyst
WIND Mobile 207 Queen's Quay West, Suite 710 Toronto, ON M5J 1A7

Email: SEr...@WINDMobile.ca
Direct: 416-915-3089