Invalid IP Address


lenny...@googlemail.com

Jun 18, 2014, 7:05:14 AM
to ossec...@googlegroups.com
Hi Guys,

I have a problem with the ossec-agent on Windows 7. I use the appliance 2.7.1. The connection between the host and the server works. But my problem is this (see my log):


2014/06/18 14:53:27 ossec-agent Using notify time: 600 and max time to reconnect: 1800

2014/06/18 14:53:27 ossec-execd(1350): INFO: Active response disabled. Exiting.

2014/06/18 14:53:27 ossec-agent(1410): INFO: Reading authentication keys file.

2014/06/18 14:53:27 ossec-agent: Received exit signal.

2014/06/18 14:53:27 ossec-agent: Exiting...

2014/06/18 14:53:27 ossec-agent(1237): ERROR: Invalid ip address: '192.16Ð.0.250'.



Thanks for help:)

dan (ddp)

Jun 18, 2014, 7:43:47 AM
to ossec...@googlegroups.com
Can you post your agent's ossec.conf?


lenny...@googlemail.com

Jun 18, 2014, 8:38:18 AM
to ossec...@googlegroups.com
Ok, here is the ossec.conf:


<!-- READ ME FIRST. If you are configuring OSSEC for the first time, 
  -  try to use the "Manage_Agent" tool. Go to control panel->OSSEC Agent
  -  to execute it.
  -
  -  First, add a server-ip entry with the real IP of your server.
  -  Second, and optionally, change the settings of the files you want 
  -          to monitor. Look at our Manual and FAQ for more information.
  -  Third, start the Agent and enjoy.
  -
  -  Example of server-ip: 
  -  <client> <server-ip>1.2.3.4</server-ip> </client>
  -->


<ossec_config>

  <!-- One entry for each file/Event log to monitor. -->
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>


  <!-- Rootcheck - Policy monitor config -->
  <rootcheck>
    <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
  </rootcheck>  


   <!-- Syscheck - Integrity Checking config. -->
  <syscheck>
  
    <!-- Default frequency, every 20 hours. It doesn't need to be higher
      -  on most systems and one a day should be enough.
      -->
    <frequency>72000</frequency>

    <!-- By default it is disabled. In the Install you must choose
      -  to enable it.
      -->
    <disabled>no</disabled>  


    <!-- Default files to be monitored - system32 only. -->
    <directories check_all="yes">%WINDIR%/win.ini</directories>
    <directories check_all="yes">%WINDIR%/system.ini</directories>
    <directories check_all="yes">C:\autoexec.bat</directories>
    <directories check_all="yes">C:\config.sys</directories>
    <directories check_all="yes">C:\boot.ini</directories>
    <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
    <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
    <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/net.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
    <directories check_all="yes">%WINDIR%/regedit.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
    <directories check_all="yes" realtime="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
    <directories check_all="yes" realtime="yes">C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup</directories>
    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>


    <!-- Windows registry entries to monitor. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>


    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>



    <!-- Windows registry entries to ignore. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>
  </syscheck>    

  <active-response>
    <disabled>yes</disabled>
  </active-response>

</ossec_config>


<!-- END of Default Configuration. -->


 <ossec_config>
   <client>
      <server-ip>192.168.0.250</server-ip>
   </client>
 </ossec_config>

lenny...@googlemail.com

Jun 18, 2014, 8:40:24 AM
to ossec...@googlegroups.com
Ok, here is the ossec agent conf.

dan (ddp)

Jun 18, 2014, 8:57:40 AM
to ossec...@googlegroups.com
Ok, that looks correct. I wonder if it's some kind of strange encoding
issue (since the IP looks wrong in the log). I can't remember if you
can enter the server IP in the GUI or not, but if you can, try typing
it in again. If not, open the ossec.conf in Notepad and try retyping
it.

If that fails, maybe upgrade to 2.8 (manager first, agent second).


John Clarke

Oct 29, 2016, 10:46:06 PM
to ossec-list
I had the same issue and found that the IP address in the client.keys file had some weird encoding. I changed it in there and it fixed the issue.
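
The check discussed in this thread, as an added example (not code from the thread or from the OSSEC project): it scans the raw bytes of ossec.conf and client.keys for IP fields that contain non-ASCII bytes, such as the one behind the 'Ð' in the logged address. It assumes client.keys lines have the form `ID NAME IP KEY` with a plain IPv4 address or `any` in the third field; the sample data and function names are constructed for illustration.

```python
import re

SERVER_IP_RE = re.compile(rb"<server-ip>(.*?)</server-ip>", re.S)
IPV4_RE = re.compile(rb"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})")

def check_ip_field(raw):
    """Return problems found in one raw IP field; an empty list means clean."""
    raw = raw.strip()
    # Anything outside printable, non-space ASCII cannot belong to an IPv4 value.
    bad = [f"byte 0x{b:02X} at offset {i}" for i, b in enumerate(raw)
           if not 0x20 < b < 0x7F]
    if bad:
        return bad
    m = IPV4_RE.fullmatch(raw)
    if m is None or any(int(octet) > 255 for octet in m.groups()):
        return ["not a dotted-quad IPv4 address"]
    return []

def scan_ossec_conf(data):
    """Check every <server-ip> value in the raw bytes of an ossec.conf."""
    return [(m.group(1).strip().decode("latin-1"), problem)
            for m in SERVER_IP_RE.finditer(data)
            for problem in check_ip_field(m.group(1))]

def scan_client_keys(data):
    """Check the third field (IP) of each client.keys line (assumed format)."""
    findings = []
    for lineno, line in enumerate(data.splitlines(), 1):
        fields = line.split()
        if len(fields) >= 4 and fields[2] != b"any":
            # Latin-1 decoding shows the stray byte the way the agent log did.
            findings += [(lineno, fields[2].decode("latin-1"), problem)
                         for problem in check_ip_field(fields[2])]
    return findings

# Constructed sample input: a clean ossec.conf and a client.keys whose second
# entry carries a stray 0xD0 byte inside the address. Keys are placeholders.
SAMPLE_CONF = (b"<ossec_config>\n  <client>\n"
               b"    <server-ip>192.168.0.250</server-ip>\n"
               b"  </client>\n</ossec_config>\n")
SAMPLE_KEYS = (b"001 example-agent-1 192.168.0.17 PLACEHOLDERKEY\n"
               b"002 example-agent-2 192.16\xd0.0.250 PLACEHOLDERKEY\n")

if __name__ == "__main__":
    print("ossec.conf :", scan_ossec_conf(SAMPLE_CONF))
    print("client.keys:", scan_client_keys(SAMPLE_KEYS))
```

Read the real files in binary mode (`open(path, "rb").read()`) so the editor or locale cannot hide the offending byte.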