From: DK <dk...@os...> - 2004-06-14 09:14:14
Hi Markus, answers inline.

On 13.06.2004 at 19:57, Markus Matiaschek wrote:

> Ok, as I said - it's getting better:
>
> I added Hosts, Networks and Sensors by now, OpenNMS and most of the other
> stuff is working.
> After executing http://server5/acidlab/acid_update_db.php ACID has data :)
> I don't know why /opt/ossim/scripts/acid_cache.pl didn't work for me but
> perhaps I will find out during the next install of os-sim ;)

The version included within 0.9.4 includes hardcoded values for path,
user & password I think. Edit the script and look at the top, adjusting
those to your environment. (Fixed in 0.9.5).

> Nessus correlation is working and everything looks better now.
>
> Here are the (I hope) small problems I still have :/
>
> First, I don't know how to add an agent. It is connecting to the os-sim
> server (40001) and the rrd_plugin.pl directly to the database (3306, I
> needed ossim_conf.pm for inclusion and the /etc/ossim/framework/ossim.conf
> file from the server for it to run) but it doesn't listen on any port.

The agent itself doesn't listen on any port. The port section within
policy->sensor is for compatibility reasons. In the future we want to
make both ends able to initiate the connection and that would be the
listen port for the agent.

> tcp 0 0 firewall:1472 server5:40001 ESTABLISHED 26199/python2.3
> tcp 0 0 firewall:1473 server5:3306 ESTABLISHED 26199/python2.3
>
> Over the Policy -> Sensors interface I inserted 3 sensors until now:
>
> 127.0.0.1
> firewall and
> fileserver, where I can see the following links when clicking on remote
> edit:
> snort · spade · ntop · ossim
> but I get an error opening the /tmp/XXX.conf file when I click on it.
> I put the public key generated with the www-data user (the user apache
> runs with) in the authorized_hosts file of an unprivileged user I created
> on the fileserver. I can access the fileserver without a password with
> the command
> su www-data -c "ssh 192.168.0.100"
> and have at least read access to the config files but Policy -> Sensors ->
> Remote edit doesn't work.

Yep, that's the conclusion. Remote has never worked 100% and since
around 0.5 we didn't work on it so it should work at all as of today.
We removed the link in 0.9.5 until we get the time to work on it.

> A question regarding agents and server: is it useful to configure the
> opennms and ntop instances on the agent if they are not locally on the
> agent but are the same which are already running and registered on the
> server?

No, it isn't necessary / useful.

> Another problem is that the agent on the firewall doesn't seem to start
> the iptables plugin... I can't see any error except for "plugin disabled"
> and I also can't test if it really doesn't work because I think the agents
> are not yet integrated.
>
> firewall:~ # /usr/share/ossim/agent/agent -v
> (->) Agent: Waiting for server...
> (<-) Agent: Server connected
>
> (=>) Agent: Apending plugins...
> (--) MonitorWatchdog: monitor started
> (--) ParserIptables: plugin started (syslog)...
> (--) ParserRRD: plugin started (syslog)...
> (**) ParserIptables: plugin disabled
> (--) ParserArpwatch: plugin started (syslog)...
> (=>) Agent: plugin-stop plugin_id="1503"
>
> The configuration for the iptables plugin:
>
> <!-- iptables detector -->
> <plugin id="1503" process="iptables" type="detector" start="no" enable="no">
> <startup></startup>
> <shutdown></shutdown>
> <source>syslog</source>
> <interface>eth0</interface>
> <sensor>127.0.0.1</sensor>
> <location>/var/log/firewall</location>
> </plugin>

Iptables should work fine. You'll have to adjust the location & enable
values. Start makes no sense since the agent only checks processes
matching the name of "process" and iptables is no process. But you can
get the logs into acid & correlation this way.

> Control Panel -> Metrics doesn't look very good: broken graph, and the
> Global Score for Hosts and Networks is empty.
> Reports -> security report is empty except for Top 10 Risk Metrics.
>
> The broken graph comes from the rrdtool still not working, I have no
> clue why, so the draw_graph_combined.pl doesn't create a graph but the
> previously mentioned error instead and there are no RRD anomalies...

Both errors you mention seem to have to do with your rrdtool version.
Maybe you should erase all the installed rrd versions and install a
development rpm. Your output shows that your rrdtool seems to be quite
old.

> launch-mrtg wrote me a mail that /usr/bin/rateup can't read the
> logfiles, I think because they don't exist on my system... I got
> arpwatch to run with "touch /var/log/arp.dat", should I do the same
> thing with the logfiles? If I should, where should they be?

The touch is only needed for the arp.dat. All the others are generated
on-the-fly by its own programs.

> Rateup WARNING: /usr/bin/rateup could not read the primary log file for
> 192.168.0.160
>
> I'm a little bit under time pressure at the moment (but really took
> myself some time to write this mail), if someone could write me a quick
> answer it would help me very much.
> In case my e-mails are not understandable, please also write me, I'm
> looking forward to every mail I get :)

Sorry for the late reply, didn't have mail access during the whole
weekend.

> Thank you
>
> Markus Matiaschek

Greetings,
Dominique

> -----Original Message-----
> From: os-...@li...
> [mailto:os-...@li...] On behalf of Markus Matiaschek
> Sent: Friday, 11 June 2004 15:30
> To: os-...@li...
> Subject: [Os-sim-support] it's getting better, but
>
> Hi,
>
> I'm afraid I need your help again, for I encountered some problems I
> can't get rid of:
>
> One thing is that the rrdtool just doesn't work :/ launch-mrtg starts
> with no errors but
>
> server5:~# /usr/bin/perl /opt/ossim/scripts/rrd_plugin.pl
> /opt/ossim/scripts/rrd_plugin.pl: forking into background...
>
> gives me a lot of that output:
>
> ERROR: unknown option 'X'
> ERROR: unknown consolidation function 'FAILURES'
>
> Also the draw_graph_combined.pl.png on the main page only has the
> following error output in it:
> ERROR while generating graffic: unknown option '--font'
>
> The following error was produced by a problem that I could solve for
> myself, just for informational purposes:
> it seemed like www/control_panel/handle_anomaly.php was version 1.5 in
> my installation but the RRD_data.inc had already gone to Attic. I
> commented the require_once line out (it's deleted in 1.6) and now it
> looks good.
>
> Warning: main(classes/RRD_data.inc): failed to open stream: No such
> file or directory in /opt/ossim/www/control_panel/handle_anomaly.php on
> line 16
>
> Fatal error: main(): Failed opening required 'classes/RRD_data.inc'
> (include_path='.:/php/includes:/opt/ossim/include') in
> /opt/ossim/www/control_panel/handle_anomaly.php on line 16
>
> The good news is that the nessus correlation starts to work now, but
> then again ACID shows no data :/ The acid_conf.php contains the right
> database information...
>
> Currently I'm working on the OpenNMS configuration (installation was
> finally successful ;)) but I'm new to the PostgreSQL database and about
> to find out if and how I should execute the create_pgsql.sql script in
> /opt/ossim/db/. I just installed opennms and have to read more
> documentation, at the moment I don't even know what the user for the
> console is. What I have to reconfigure for sure is the link to opennms
> because it's to server5:8080/opennms/ but my instance of opennms runs
> on port 8180.
>
> What also is giving me some problems at the moment are the iptables and
> rrd agent at the firewall. It seems like I have to transfer some
> executables and libraries from the server (debian) to the agents
> (fileserver, on which I will install snort later, and the firewall -
> both SuSE 9.0... I had to update the firewall from suse 8.2 to 9.0
> because the agent needed a 2.3 python version and suse sucks ;)). I hope
> that will work; if anyone has any more helpful documentation on agents
> that would be great.
>
> Thank you for your help,
>
> Markus Matiaschek
>
> -------------------------------------------------------
> This SF.Net email is sponsored by the new InstallShield X.
> From Windows to Linux, servers to mobile, InstallShield X is the
> one installation-authoring solution that does it all. Learn more and
> evaluate today! http://www.installshield.com/Dev2Dev/0504
> _______________________________________________
> Os-sim-support mailing list
> Os-...@li...
> https://lists.sourceforge.net/lists/listinfo/os-sim-support
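The two things Dominique tells Markus to fix in the iptables plugin block (enable="no", which is what makes the agent print "plugin disabled" and stop the plugin, and a <location> the agent can actually read) can be checked mechanically before restarting the agent. The script below is an added example, not OSSIM's own code or tooling. It assumes only the <plugin> shape quoted in the thread (id/process/type/start/enable attributes, <source> and <location> children); the enclosing <config> root and the lint rules are constructed for this example. The "start" attribute is deliberately left alone, since per the reply it only governs process matching and iptables is not a process.

```python
"""Lint and repair an OSSIM-agent style <plugin> config block.

Added example, not OSSIM's own code. It assumes only what the thread shows:
a <plugin> element with id/process/type/start/enable attributes and a
<source>/<location> pair for syslog-fed detectors. The <config> root and
the lint rules are constructed here for the example.
"""
import os
import xml.etree.ElementTree as ET

# Constructed sample: the iptables detector block quoted in the thread,
# wrapped in a hypothetical <config> root so it parses as one document.
SAMPLE_CONFIG = """<config>
<!-- iptables detector -->
<plugin id="1503" process="iptables" type="detector" start="no" enable="no">
<startup></startup>
<shutdown></shutdown>
<source>syslog</source>
<interface>eth0</interface>
<sensor>127.0.0.1</sensor>
<location>/var/log/firewall</location>
</plugin>
</config>"""


def _parse(xml_text):
    # Keep XML comments so a repaired config still carries its annotations.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def lint_plugins(xml_text, readable_paths=None):
    """Return {plugin_id: [finding, ...]} for every <plugin> in xml_text.

    readable_paths: set of log paths known to be readable (handy for tests);
    when None, the local filesystem is consulted with os.access().
    """
    findings = {}
    for plugin in _parse(xml_text).iter("plugin"):
        pid = plugin.get("id", "<no id>")
        notes = []
        # enable="no" is exactly what produces
        # "(**) ParserIptables: plugin disabled" followed by plugin-stop.
        if plugin.get("enable", "no").lower() != "yes":
            notes.append('enable is not "yes": agent will stop this plugin at startup')
        # start="yes" only makes sense when "process" names a daemon the agent
        # can find in the process table; a kernel facility has none.
        if plugin.get("start", "no").lower() == "yes" and not plugin.get("process"):
            notes.append('start="yes" but no process attribute to match')
        if plugin.findtext("source", "").strip() == "syslog":
            loc = plugin.findtext("location", "").strip()
            if not loc:
                notes.append("syslog source but <location> is empty")
            else:
                ok = (loc in readable_paths) if readable_paths is not None \
                    else os.access(loc, os.R_OK)
                if not ok:
                    notes.append(f"<location> {loc} is not readable on this host")
        findings[pid] = notes
    return findings


def enable_plugin(xml_text, plugin_id, location):
    """Return xml_text with plugin_id enabled and its <location> set to location.

    The start attribute is left unchanged: it controls process matching,
    not log parsing.
    """
    root = _parse(xml_text)
    for plugin in root.iter("plugin"):
        if plugin.get("id") == plugin_id:
            plugin.set("enable", "yes")
            loc = plugin.find("location")
            if loc is None:
                loc = ET.SubElement(plugin, "location")
            loc.text = location
            break
    else:
        raise KeyError(f"no plugin with id {plugin_id}")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Run against the quoted block: reports the disabled flag and, unless
    # /var/log/firewall exists here, the unreadable log path.
    print(lint_plugins(SAMPLE_CONFIG))
    fixed = enable_plugin(SAMPLE_CONFIG, "1503", "/var/log/firewall")
    print(fixed)
```

Run it once against the agent's config before restarting the agent; an empty finding list for id 1503 is the state in which "ParserIptables" stays started and the firewall syslog lines reach ACID and correlation as described in the reply.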