From: Сеньков Н. В. <n.s...@ze...> - 2018-11-20 09:50:11
Basically, I used the doc on the site https://ossec-docs.readthedocs.io/en/latest/manual/agent/agent-dhcp-nat.html

The problem is the following: after changing the DHCP IP to 0.0.0.0, the status of the OSSEC agent changed to "is not active":

# /var/ossec/bin/list_agents -n | grep senkov-pc
senkov-pc-172.20.75.104 is not active.

Another command displays:

# /var/ossec/bin/agent_control -l | grep 0.0 | grep "Never connected" | grep senkov-pc
ID: 051, Name: senkov-pc, IP: 0.0.0.0/0, Never connected

In the WebUI I see the status of the HIDS agent as Disconnected; however, the agent is started, and in the log on the workstation:

2018/11/20 12:19:07 INFO: Connected to 172.20.75.90 at address 172.20.75.90:1514, port 1514
2018/11/20 12:19:28 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '172.20.75.90'.

Here, 172.20.75.90 is the IP of the OSSEC server.

The OSSEC agents on the workstations I installed through the auto_sec script, which I downloaded from the site: github.com/BinaryDefense/auto-ossec

After agent installation I did the following:

1. On the OSSEC server
1.1. In the WebUI I wrote 0.0.0.0 for the asset that matches my workstation (senkov-pc)
1.2. In the file /var/ossec/etc/client.keys I changed the dynamic IP address to 0.0.0.0/24:
051 senkov-pc 0.0.0.0/0 xxxxxxxxx

2. On the workstation
2.1. I changed the dynamic address to 0.0.0.0 in the file C:\Program Files (x86)\ossec-agent\client.keys:
051 senkov-pc 0.0.0.0 xxxxxxxxxxx

On the OSSEC server:
# /var/ossec/bin/agent_control -la | grep senkov-pc
ID: 051, Name: senkov-pc, IP: 0.0.0.0/0, Never connected

3. rids folder
I removed all the files in /var/ossec/queue/rids on the OSSEC server and in C:\Program Files (x86)\ossec-agent\rids on the workstation.

4. Start OSSEC
4.1. /etc/init.d/ossec restart
4.2. Started the agent on the workstation

I don't see my agent in the list of installed agents; however, the agent is installed on the workstation and started:
/var/ossec/bin/list_agents -c | grep senkov-pc

Agent log:
2018/11/13 11:48:59 ossec-agentd: INFO: Trying to connect to server 172.20.75.90, port 1514.
2018/11/13 11:48:59 INFO: Connected to 172.20.75.90 at address 172.20.75.90:1514, port 1514
2018/11/13 11:49:20 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '172.20.75.90'.

5. Testing with tcpdump
# tcpdump -i eth0 host 172.20.75.104 and port 1514 -vvv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:55:01.327672 IP (tos 0x0, ttl 128, id 20966, offset 0, flags [none], proto UDP (17), length 101) senkov-pc.is01.dom.ru.56159 > is01sr048.alienvault.1514: [udp sum ok] UDP, length 73

Regards,
Nikolay
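The post edits client.keys by hand on both the server and the workstation, and the symptom ("Waiting for server reply") is what an agent shows when the server never accepts its messages. A practical first check when this happens is that the two client.keys entries still agree (same ID, same name, identical key) and that the server-side IP field actually covers the address the agent connects from. The script below is an added example, not code from the post or from the OSSEC project. It assumes the four-column "ID NAME IP KEY" line format shown in the post, and it assumes that "any" and 0.0.0.0/0 act as wildcards while a bare address such as 0.0.0.0 matches only that single host; both sample key files and the placeholder keys in them are constructed.

```python
"""Consistency check between a server-side and an agent-side OSSEC client.keys entry.

Added example (not from the mailing-list post or the OSSEC project). Assumes the
"ID NAME IP KEY" line format seen in the post; wildcard semantics for the IP field
("any" / 0.0.0.0/0 accept every source, a bare address is a single host) are an
assumption of this checker, not a statement about the OSSEC code.
"""
from dataclasses import dataclass
import ipaddress

# Constructed sample data with placeholder keys (no real OSSEC keys).
SERVER_KEYS = """\
051 senkov-pc 0.0.0.0/0 KEY_PLACEHOLDER_AAAA
052 other-pc 10.0.0.5 KEY_PLACEHOLDER_BBBB
"""
AGENT_KEYS_OK = "051 senkov-pc 0.0.0.0 KEY_PLACEHOLDER_AAAA\n"
AGENT_KEYS_BAD_KEY = "051 senkov-pc 0.0.0.0 KEY_PLACEHOLDER_ZZZZ\n"


@dataclass(frozen=True)
class KeyEntry:
    agent_id: str
    name: str
    ip: str
    key: str


def parse_client_keys(text):
    """Parse client.keys text into {agent_id: KeyEntry}; rejects malformed lines."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 'ID NAME IP KEY', got {line!r}")
        entry = KeyEntry(*parts)
        if entry.agent_id in entries:
            raise ValueError(f"line {lineno}: duplicate agent ID {entry.agent_id}")
        entries[entry.agent_id] = entry
    return entries


def ip_field_covers(ip_field, address):
    """True if the server-side IP field accepts a packet from `address`.

    Assumed semantics: 'any' and 0.0.0.0/0 accept everything; an address without
    a prefix length is a single host (/32), so a bare 0.0.0.0 covers nothing useful.
    """
    if ip_field == "any":
        return True
    network = ipaddress.ip_network(ip_field, strict=False)
    return ipaddress.ip_address(address) in network


def compare_entries(server_entries, agent_entry, agent_address):
    """Return a list of human-readable problems; an empty list means the pair is consistent."""
    server_entry = server_entries.get(agent_entry.agent_id)
    if server_entry is None:
        return [f"server has no entry for agent ID {agent_entry.agent_id}"]
    problems = []
    if server_entry.name != agent_entry.name:
        problems.append(f"name mismatch: server {server_entry.name!r} vs agent {agent_entry.name!r}")
    if server_entry.key != agent_entry.key:
        problems.append("key mismatch: server and agent keys differ")
    if not ip_field_covers(server_entry.ip, agent_address):
        problems.append(f"server IP field {server_entry.ip} does not cover agent address {agent_address}")
    return problems


def check_from_text(server_text, agent_text, agent_address):
    """Convenience wrapper: parse both files and compare the agent's (single) entry."""
    server_entries = parse_client_keys(server_text)
    agent_entries = parse_client_keys(agent_text)
    if len(agent_entries) != 1:
        raise ValueError("agent-side client.keys should contain exactly one entry")
    agent_entry = next(iter(agent_entries.values()))
    return compare_entries(server_entries, agent_entry, agent_address)


if __name__ == "__main__":
    # The address 172.20.75.104 is the workstation address quoted in the post.
    for label, agent_text in (("matching keys", AGENT_KEYS_OK), ("edited key", AGENT_KEYS_BAD_KEY)):
        problems = check_from_text(SERVER_KEYS, agent_text, "172.20.75.104")
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against the real files by reading /var/ossec/etc/client.keys and the agent's client.keys into the two text arguments and passing the address seen in tcpdump as the agent address; any reported problem is a reason the server could silently drop the agent's packets, while an empty result points the investigation elsewhere (rids state, firewall, or a stale manager process).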