
List:       ossec-list
Subject:    [Ossec-list] Multiple messages refused based on timestamp only
From:       daniel.cid () gmail ! com (Daniel Cid)
Date:       2006-05-03 23:03:25
Message-ID: b92e6f200605031603r4e1bef31n616ae5b8398fed95 () mail ! gmail ! com

Hi Nico,

This problem should be fixed in the just released 0.8beta version. Do you mind
testing it and letting us know how it goes?

Beta information:
http://mailman.underlinux.com.br/pipermail/ossec-list/2006-May/000107.html

Thanks,

Daniel

On 4/6/06, Nico De Ranter <nico at sonycom.com> wrote:
>
> Hello again,
>
> I'm trying to use ossec to correlate logs from a few linux-based
> firewalls. I ran an nmap scan through one of the firewalls to see
> whether ossec would pick it up. The nmap scan was done in Aggressive
> mode to generate a lot of traffic (simulating a worm outbreak I had a
> few weeks ago on that network). Unfortunately when I look at the ossec
> log on the server it seems almost all messages from the firewall agent
> were dropped due to a similar timestamp:
>
> 2006/04/06 11:29:25 shared(1407): Duplicated message time from
> '10.21.59.190'.
> 2006/04/06 11:29:25 ossec-remoted(1214): Problem receiving message from
> 10.21.59.190.
> [...]
>
> Shouldn't ossec look both at the timestamp and the content of the
> message to decide whether the packet is a duplicate? Of the 437 messages
> the agent tried to send to the server only 2 got through. Is there a way
> to make the server accept all messages? Or can I do some preprocessing on
> the agent to turn down the number of messages sent to the server?
>
> Nico
>
> --
> Nico De Ranter
> Senior System Administrator
> Sony Service Center (NSCE)
> The Corporate Village, Da Vincilaan 7-D1
> B-1935 Zaventem, Belgium
> Telephone: +32 (0)2 700 86 41 Fax: +32 (0)2 700 86 22
>
>
> _______________________________________________
> ossec-list mailing list
> ossec-list at ossec.net
> http://mailman.underlinux.com.br/mailman/listinfo/ossec-list
>
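The behaviour Nico describes, modelled as an added example (this is not OSSEC's code): a replay filter that compares only the message timestamp refuses every further message stamped in the same second, so a burst of distinct firewall lines is mostly lost, while a filter that also remembers a digest of each message's content within that second lets the burst through and still refuses an exact replay. The log lines and timestamps are constructed.

```python
import hashlib

# Constructed burst from one agent: three distinct firewall lines in the same
# second, a replayed copy of the first, then one line in the next second.
BURST = [
    (1144315765, "DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 DPT=22"),
    (1144315765, "DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 DPT=23"),
    (1144315765, "DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 DPT=22"),  # replay
    (1144315766, "DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 DPT=80"),
]


def filter_by_time_only(messages):
    """Replay check that looks only at the timestamp: a message is accepted
    only if it is strictly newer than the last one accepted from the agent,
    so every other message within one second is refused as a duplicate."""
    last = -1
    accepted = []
    for ts, body in messages:
        if ts <= last:
            continue  # "Duplicated message time"
        last = ts
        accepted.append(body)
    return accepted


def filter_by_time_and_content(messages):
    """Replay check that also looks at content: for the newest accepted second
    it keeps the digest of every message seen, so distinct messages in that
    second pass, an exact repeat is refused, and older seconds are refused."""
    last = -1
    seen = set()  # digests seen in the second `last`
    accepted = []
    for ts, body in messages:
        if ts < last:
            continue  # older than what we already accepted: treat as replay
        if ts > last:
            last, seen = ts, set()  # new second, start a fresh window
        digest = hashlib.sha256(body.encode()).digest()
        if digest in seen:
            continue  # same second, same content: a real duplicate
        seen.add(digest)
        accepted.append(body)
    return accepted


if __name__ == "__main__":
    print(len(filter_by_time_only(BURST)), "of", len(BURST), "by time only")
    print(len(filter_by_time_and_content(BURST)), "of", len(BURST), "by time+content")
```

A content digest cannot distinguish a replay from a legitimately identical line logged twice in the same second; a per-second sequence counter attached by the agent avoids that ambiguity at the cost of a protocol change.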
