# FreeBSD 10, jail, pf, ossec



## frankit60 (Aug 28, 2014)

Hello,
this is my todays problem:
Host with ip 10.10.10.1
Jail with ip 10.10.10.9
I installed OSSEC on the the host and the agent on the jail.
The agent can not communicate with the server
this is the agent log.

```
2014/08/28 18:00:55 ossec-agentd: INFO: Trying to connect to server (10.10.10.1:1514).
2014/08/28 18:00:55 ossec-agentd: INFO: Using IPv4 for: 10.10.10.1 .
2014/08/28 18:01:16 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.10.10.1'.
```
this is the `netstat -af inet` output.

```
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.10.10.9.15011       10.10.10.1.ssh         ESTABLISHED
tcp4       0      0 10.10.10.9.ssh         *.*                    LISTEN
udp4       0      0 10.10.10.9.40368       10.10.10.1.fujitsu-dtc
```
I think it's a firewall issue and this is the configuration of pf.

```
ext_if = "re0"
int_if = "em0"
local_net = "10.10.10/24"
web_server = "10.10.10.10"
web_ports = "{ http, https }"
udp_ports ="{ domain, ntp }"

ssh_server = "10.10.10.9"
ssh_port = " ssh "

table <ossec_fwtable> persist #ossec_fwtable

scrub in all

nat on $ext_if from $local_net to any -> $ext_if
rdr on $ext_if proto tcp from any to any port $web_ports -> $web_server
rdr on $ext_if proto tcp from any to any port $ssh_port -> $ssh_server

antispoof log quick for { $ext_if } inet

#block all
block in all
pass on $int_if all
pass out on $ext_if all

set skip on lo0

block in log quick from <ossec_fwtable>

pass quick proto tcp from any to $web_server port $web_ports
pass quick proto tcp from any to $ssh_server port $ssh_port

pass in on $int_if proto udp from $local_net to any port 1514
```
What did I do wrong?

Thanks 
Franco


----------



## SirDice (Aug 28, 2014)

It looks like the server part isn't running on the host. Instead of netstat(1), use sockstat(1) to see which processes or daemons have ports opened. And make sure you bind daemons to specific IP addresses. Or else they're going to try to bind to all IP addresses, including those from the host and other jails.


----------



## frankit60 (Aug 28, 2014)

This is the `sockstat` output

```
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
www      httpd      1618  3  tcp4   10.10.10.10:80        *:*
pippo    sshd       1394  3  tcp4   10.10.10.1:22         10.10.10.9:15011
pippo    sshd       1394  4  stream -> ??
root     sshd       1391  3  tcp4   10.10.10.1:22         10.10.10.9:15011
root     sshd       1391  5  stream -> ??
1002     ssh        1390  3  tcp4   10.10.10.9:15011      10.10.10.1:22
1002     sshd       1376  3  tcp4   10.10.10.9:22         78.134.xx.18:51102
1002     sshd       1376  4  stream -> ??
root     sshd       1373  3  tcp4   10.10.10.9:22         78.134.xx.18:51102
root     sshd       1373  5  stream -> ??
root     sshd       1313  3  tcp6   *:22                  *:*
root     sshd       1313  4  tcp4   *:22                  *:*
www      httpd      1265  3  tcp4   10.10.10.10:80        *:*
www      httpd      1263  3  tcp4   10.10.10.10:80        *:*
www      httpd      1262  3  tcp4   10.10.10.10:80        *:*
www      httpd      1261  3  tcp4   10.10.10.10:80        *:*
www      httpd      1260  3  tcp4   10.10.10.10:80        *:*
root     httpd      1258  3  tcp4   10.10.10.10:80        *:*
root     sshd       1253  3  tcp4   10.10.10.10:22        *:*
root     sshd       1112  3  tcp4   10.10.10.9:22         *:*
root     ossec-sysc 1071  3  dgram  -> /queue/ossec/queue
root     ossec-sysc 1071  5  dgram  -> /queue/ossec/queue
root     ossec-logc 1067  4  dgram  -> /queue/ossec/queue
ossec    ossec-agen 1063  4  dgram  /queue/ossec/queue
ossec    ossec-agen 1063  7  udp4   10.10.10.9:61193      10.10.10.1:1514
ossec    ossec-agen 1063  8  dgram  -> /usr/local/ossec-hids/queue/alerts/execq
root     ossec-exec 1059  4  dgram  /usr/local/ossec-hids/queue/alerts/execq
ossec    ossec-moni 953   4  dgram  -> /queue/ossec/queue
root     ossec-sysc 949   3  dgram  -> /queue/ossec/queue
root     ossec-sysc 949   5  dgram  -> /queue/ossec/queue
ossecr   ossec-remo 946   4  udp4   *:1514                *:*
ossecr   ossec-remo 946   5  dgram  -> /queue/ossec/queue
ossecr   ossec-remo 946   7  dgram  /queue/alerts/ar
root     ossec-logc 940   4  dgram  -> /queue/ossec/queue
ossec    ossec-anal 936   4  dgram  /queue/ossec/queue
ossec    ossec-anal 936   8  dgram  -> /queue/alerts/ar
ossec    ossec-anal 936   9  dgram  -> /usr/local/ossec-hids/queue/alerts/execq
root     ossec-exec 932   4  dgram  /usr/local/ossec-hids/queue/alerts/execq
root     ntpd       888   3  dgram  -> /var/run/logpriv
root     ntpd       888   20 udp4   *:123                 *:*
root     ntpd       888   21 udp6   *:123                 *:*
root     ntpd       888   22 udp4   78.134.xx.20:123      *:*
root     ntpd       888   23 udp6   fe80:1::eade:27ff:fe01:1e55:123 *:*
root     ntpd       888   24 udp4   10.10.10.1:123        *:*
root     ntpd       888   25 udp6   fe80:2::96de:80ff:fea7:539d:123 *:*
root     ntpd       888   26 udp6   ::1:123               *:*
root     ntpd       888   27 udp6   fe80:3::1:123         *:*
root     ntpd       888   28 udp4   127.0.0.1:123         *:*
root     ntpd       888   30 udp4   10.10.10.9:123        *:*
root     ntpd       888   31 udp4   10.10.10.10:123       *:*
root     syslogd    747   4  dgram  /var/run/log
root     syslogd    747   5  dgram  /var/run/logpriv
root     syslogd    747   6  udp6   *:514                 *:*
root     syslogd    747   7  udp4   *:514                 *:*
root     devd       604   4  stream /var/run/devd.pipe
root     devd       604   6  dgram  -> /var/run/logpriv
```


----------



## SirDice (Aug 29, 2014)

I've never used OSSEC but have you looked at the FAQ? 

http://ossec-docs.readthedocs.org/en/la ... -connected


----------



## frankit60 (Aug 29, 2014)

> The agent may not be using the correct IP address. Some systems with multiple IP addresses may not choose the correct one to communicate with the OSSEC manager. Using any or a CIDR address (192.168.1.0/24) for the agent may be one solution, and adjusting the system’s route settings is another.


I have used CIDR address,
This is the output for `root@jails:~ # /usr/local/ossec-hids/bin/manage_agents`

```
****************************************
* OSSEC HIDS v2.8 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: L

Available agents: 
   ID: 002, Name: jssh, IP: 10.10.10.0/24
```



> Every agent must be using a unique key. If 2 agents look like they’re coming from the same IP (possibly from a NAT gateway), then any or the CIDR address should be used to identify them on the manager.


For now I have only one agent.



> There may be a firewall blocking the OSSEC traffic, udp 1514 should be allowed to and from the manager.


I think that the pf configuration is ok.

Clearly in what I think there is something wrong


----------



## SirDice (Aug 29, 2014)

```
Available agents:
   ID: 002, Name: jssh, IP: 10.10.10.0/24
```
Are you sure that's supposed to be a network address? I would have expected the agent address 10.10.10.9/24.


----------



## frankit60 (Aug 29, 2014)

> Are you sure that's supposed to be a network address? I would have expected the agent address 10.10.10.9/24.



Ok, I have reconfig the agent, now `root@jails:~ # /usr/local/ossec-hids/bin/manage_agents`

```
****************************************
* OSSEC HIDS v2.8 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: L

Available agents: 
   ID: 003, Name: jssh, IP: 10.10.10.9/24

** Press ENTER to return to the main menu.
```

I imported the new key generated by the server, reboot, and the output from `jssh /home/pippo >less /usr/local/ossec-hids/logs/ossec.log` remain:

```
...
2014/08/29 17:04:58 ossec-agentd: INFO: Trying to connect to server (10.10.10.1:1514).
2014/08/29 17:04:58 ossec-agentd: INFO: Using IPv4 for: 10.10.10.1 .
2014/08/29 17:05:20 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.10.10.1'.
(END)
```


----------



## mecano (Sep 5, 2014)

What is your /usr/local/ossec-hids/etc/ossec.conf for the security/ossec-hids-server?


----------



## frankit60 (Sep 6, 2014)

```
<!-- OSSEC example config -->

<ossec_config>
  <client>
    <server-ip>10.10.10.1</server-ip>
  </client>

  <syscheck>
    <!-- Frequency that syscheck is executed -- default every 2 hours -->
    <frequency>7200</frequency>
    
    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/authlog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/xferlog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/www/logs/access_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/www/logs/error_log</location>
  </localfile>
</ossec_config>
```


----------



## frankit60 (Sep 6, 2014)

Sorry, I have posted the ossec-hids-client.conf

This is ossec-hids-server.conf


```
<!-- OSSEC example config -->

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>xxxxxx@yyyyyyy.cc</email_to>
    <smtp_server>mail1.zzzzzzz.cc</smtp_server>
    <email_from>root@jails.kkkkkk.net.</email_from>
  </global>

  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>arpwatch_rules.xml</include>
    <include>symantec-av_rules.xml</include>
    <include>symantec-ws_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>vsftpd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>ms_ftpd_rules.xml</include>
    <include>ftpd_rules.xml</include>
    <include>hordeimp_rules.xml</include>
    <include>roundcube_rules.xml</include>
    <include>wordpress_rules.xml</include>
    <include>cimserver_rules.xml</include>
    <include>vpopmail_rules.xml</include>
    <include>vmpop3d_rules.xml</include>
    <include>courier_rules.xml</include>
    <include>web_rules.xml</include>
    <include>web_appsec_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>nginx_rules.xml</include>
    <include>php_rules.xml</include>
    <include>mysql_rules.xml</include>
    <include>postgresql_rules.xml</include>
    <include>ids_rules.xml</include>
    <include>squid_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>cisco-ios_rules.xml</include>
    <include>netscreenfw_rules.xml</include>
    <include>sonicwall_rules.xml</include>
    <include>postfix_rules.xml</include>
    <include>sendmail_rules.xml</include>
    <include>imapd_rules.xml</include>
    <include>mailscanner_rules.xml</include>
    <include>dovecot_rules.xml</include>
    <include>ms-exchange_rules.xml</include>
    <include>racoon_rules.xml</include>
    <include>vpn_concentrator_rules.xml</include>
    <include>spamd_rules.xml</include>
    <include>msauth_rules.xml</include>
    <include>mcafee_av_rules.xml</include>
    <include>trend-osce_rules.xml</include>
    <include>ms-se_rules.xml</include>
    <!-- <include>policy_rules.xml</include> -->
    <include>zeus_rules.xml</include>
    <include>solaris_bsm_rules.xml</include>
    <include>vmware_rules.xml</include>
    <include>ms_dhcp_rules.xml</include>
    <include>asterisk_rules.xml</include>
    <include>ossec_rules.xml</include>
    <include>attack_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>


  <syscheck>
    <!-- Frequency that syscheck is executed -- default every 20 hours -->
    <frequency>72000</frequency>
    
    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>10.10.10.9</white_list>
    <white_list>10.10.10.10</white_list>
  </global>

  <remote>
    <connection>secure</connection>
  </remote>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>  

  <command>
    <name>pf-block</name>
    <executable>pf.sh</executable>
    <expect>srcip</expect>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>  

  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>  


  <!-- Active Response Config -->
  <active-response>
    <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for  600 seconds.
      -->
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <command>pf-block</command>
    <location>defined-agent</location>
    <agent_id>001</agent_id>
    <rules_group>authentication_failed,authentication_failures</rules_group>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>    
  </active-response>  

  <!-- Files to monitor (localfiles) -->

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/authlog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/xferlog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/www/logs/access_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/www/logs/error_log</location>
  </localfile>
</ossec_config>
```


----------



## mecano (Sep 7, 2014)

I see you have a pass in rule but do you have a

```
pass out on $int_if proto udp from $local_net to 10.10.10.1 port 1514
```
rule?


----------



## mecano (Sep 7, 2014)

```
<rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>
```

should be


```
<rootcheck>
    <rootkit_files>/usr/local/ossec-hids/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/usr/local/ossec-hids/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>
```

you must also change your 
	
	



```
<localfile>
```
, for example authlog is not right in default ossec.conf for FreeBSD, it should be auth.log
These shouldn't stop security/ossec-hids-server from running and agents from connecting though.

But not putting your 10.10.10.9 agent in the allowed-ips in remote secure like this, can prevents agent from connecting to server :

```
<remote>
    <connection>secure</connection>
    <allowed-ips>10.10.10.9</allowed-ips>
</remote>
```

Also define one agent at a time not a range of IP, add the agent on the server with the 10.10.10.9 address, forget about ip range masking like /24.
Extract the key, on the agent side add the key, restart server and agent.

What does the ossec.log on the server say ?


----------



## frankit60 (Sep 7, 2014)

Thanks @mecano, I applied the fixes that you suggested. This is the server configuration /usr/local/ossec-hids/etc/ossec.conf

```
<!-- OSSEC example config -->

<ossec_config>
 <global>
    <email_notification>yes</email_notification>
    <email_to>xxxxxx@yyyyyyy.cc</email_to>
    <smtp_server>mail1.zzzzzzz.cc</smtp_server>
    <email_from>root@jails.kkkkkk.net.</email_from>
  </global>

  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>arpwatch_rules.xml</include>
    <include>symantec-av_rules.xml</include>
    <include>symantec-ws_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>vsftpd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>ms_ftpd_rules.xml</include>
    <include>ftpd_rules.xml</include>
    <include>hordeimp_rules.xml</include>
    <include>roundcube_rules.xml</include>
    <include>wordpress_rules.xml</include>
    <include>cimserver_rules.xml</include>
    <include>vpopmail_rules.xml</include>
    <include>vmpop3d_rules.xml</include>
    <include>courier_rules.xml</include>
    <include>web_rules.xml</include>
    <include>web_appsec_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>nginx_rules.xml</include>
    <include>php_rules.xml</include>
    <include>mysql_rules.xml</include>
    <include>postgresql_rules.xml</include>
    <include>ids_rules.xml</include>
    <include>squid_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>cisco-ios_rules.xml</include>
    <include>netscreenfw_rules.xml</include>
    <include>sonicwall_rules.xml</include>
    <include>postfix_rules.xml</include>
    <include>sendmail_rules.xml</include>
    <include>imapd_rules.xml</include>
    <include>mailscanner_rules.xml</include>
    <include>dovecot_rules.xml</include>
    <include>ms-exchange_rules.xml</include>
    <include>racoon_rules.xml</include>
    <include>vpn_concentrator_rules.xml</include>
    <include>spamd_rules.xml</include>
    <include>msauth_rules.xml</include>
    <include>mcafee_av_rules.xml</include>
    <include>trend-osce_rules.xml</include>
    <include>ms-se_rules.xml</include>
    <!-- <include>policy_rules.xml</include> -->
    <include>zeus_rules.xml</include>
    <include>solaris_bsm_rules.xml</include>
    <include>vmware_rules.xml</include>
    <include>ms_dhcp_rules.xml</include>
    <include>asterisk_rules.xml</include>
    <include>ossec_rules.xml</include>
    <include>attack_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>


  <syscheck>
    <!-- Frequency that syscheck is executed -- default every 20 hours -->
    <frequency>72000</frequency>
    
    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/usr/local/ossec-hids/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/usr/local/ossec-hids/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>
  
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>10.10.10.9</white_list>
    <white_list>10.10.10.10</white_list>
  </global>

  <remote>
    <connection>secure</connection>
    <allowed-ips>10.10.10.9</allowed-ips>
  </remote>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>  

  <command>
    <name>pf-block</name>
    <executable>pf.sh</executable>
    <expect>srcip</expect>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>  

  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>  


  <!-- Active Response Config -->
  <active-response>
    <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for  600 seconds.
      -->
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <command>pf-block</command>
    <location>defined-agent</location>
    <agent_id>001</agent_id>
    <rules_group>authentication_failed,authentication_failures</rules_group>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>    
  </active-response>  

  <!-- Files to monitor (localfiles) -->

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/security</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/xferlog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

</ossec_config>
```
This is server log /usr/local/ossec-hids/logs/ossec.log

```
2014/09/07 16:20:50 ossec-testrule: INFO: Reading local decoder file.
2014/09/07 16:20:50 ossec-testrule: INFO: Started (pid: 904).
2014/09/07 14:20:50 ossec-maild: INFO: Started (pid: 924).
2014/09/07 16:20:50 ossec-execd: INFO: Started (pid: 928).
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading local decoder file.
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
2014/09/07 14:20:50 ossec-analysisd: INFO: Total rules enabled: '1258'
2014/09/07 14:20:50 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2014/09/07 14:20:50 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2014/09/07 14:20:50 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
2014/09/07 14:20:50 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2014/09/07 14:20:50 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2014/09/07 14:20:50 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2014/09/07 14:20:50 ossec-analysisd: INFO: White listing IP: '127.0.0.1'
2014/09/07 14:20:50 ossec-analysisd: INFO: White listing IP: '10.10.10.9'
2014/09/07 14:20:50 ossec-analysisd: INFO: White listing IP: '10.10.10.10'
2014/09/07 14:20:50 ossec-analysisd: INFO: 3 IPs in the white list for active response.
2014/09/07 14:20:50 ossec-analysisd: INFO: No Hostname in the white list for active reponse.
2014/09/07 14:20:50 ossec-analysisd: INFO: Started (pid: 932).
2014/09/07 14:20:50 ossec-remoted: INFO: Started (pid: 940).
2014/09/07 14:20:50 ossec-remoted: INFO: Started (pid: 942).
2014/09/07 16:20:50 ossec-rootcheck: System audit file not configured.
2014/09/07 14:20:50 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2014/09/07 14:20:50 ossec-remoted(1410): INFO: Reading authentication keys file.
2014/09/07 14:20:50 ossec-remoted: INFO: No previous counter available for 'jssh'.
2014/09/07 14:20:50 ossec-remoted: INFO: Assigning counter for agent jssh: '0:0'.
2014/09/07 14:20:50 ossec-remoted: INFO: Assigning sender counter: 0:674
2014/09/07 14:20:50 ossec-monitord: INFO: Started (pid: 949).
2014/09/07 14:20:53 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
2014/09/07 14:20:53 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
2014/09/07 16:20:54 ossec-syscheckd: INFO: Started (pid: 945).
2014/09/07 16:20:54 ossec-rootcheck: INFO: Started (pid: 945).
2014/09/07 16:20:54 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2014/09/07 16:20:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2014/09/07 16:20:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2014/09/07 16:20:54 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2014/09/07 16:20:54 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2014/09/07 16:20:56 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2014/09/07 16:20:56 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/auth.log'.
2014/09/07 16:20:56 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/security'.
2014/09/07 16:20:56 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/xferlog'.
2014/09/07 16:20:56 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2014/09/07 16:20:56 ossec-logcollector: INFO: Started (pid: 936).
2014/09/07 16:21:56 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2014/09/07 16:21:56 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2014/09/07 16:25:05 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2014/09/07 16:25:18 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2014/09/07 16:25:38 ossec-rootcheck: INFO: Starting rootcheck scan.
2014/09/07 16:28:30 ossec-rootcheck: INFO: Ending rootcheck scan.
```

This is the client configuration:

```
<!-- OSSEC example config -->

<ossec_config>
  <client>
    <server-ip>10.10.10.1</server-ip>
  </client>

  <syscheck>
    <!-- Frequency that syscheck is executed -- default every 2 hours -->
    <frequency>7200</frequency>
    
    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/security</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/xferlog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

<!--
  <localfile>
    <log_format>apache</log_format>
    <location>/var/www/logs/access_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/www/logs/error_log</location>
  </localfile>
-->
</ossec_config>
```

and the client log:

```
2014/09/07 16:20:54 ossec-execd: INFO: Started (pid: 1055).
2014/09/07 16:20:54 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
2014/09/07 16:20:54 ossec-agentd(1410): INFO: Reading authentication keys file.
2014/09/07 16:20:54 ossec-agentd: INFO: No previous counter available for 'jssh'.
2014/09/07 16:20:54 ossec-agentd: INFO: Assigning counter for agent jssh: '0:0'.
2014/09/07 16:20:54 ossec-agentd: INFO: Assigning sender counter: 0:972
2014/09/07 16:20:54 ossec-agentd: INFO: Started (pid: 1059).
2014/09/07 16:20:54 ossec-agentd: INFO: Server IP Address: 10.10.10.1
2014/09/07 16:20:54 ossec-agentd: INFO: Trying to connect to server (10.10.10.1:1514).
2014/09/07 16:20:54 ossec-agentd: INFO: Using IPv4 for: 10.10.10.1 .
2014/09/07 16:20:54 ossec-rootcheck: System audit file not configured.
2014/09/07 16:20:58 ossec-syscheckd: INFO: Started (pid: 1067).
2014/09/07 16:20:58 ossec-rootcheck: INFO: Started (pid: 1067).
2014/09/07 16:20:58 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2014/09/07 16:20:58 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2014/09/07 16:20:58 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2014/09/07 16:20:58 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2014/09/07 16:20:58 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2014/09/07 16:21:00 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2014/09/07 16:21:00 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/auth.log'.
2014/09/07 16:21:00 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/security'.
2014/09/07 16:21:00 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/xferlog'.
2014/09/07 16:21:00 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2014/09/07 16:21:00 ossec-logcollector: INFO: Started (pid: 1063).
2014/09/07 16:21:14 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.10.10.1'.
2014/09/07 16:21:17 ossec-agentd: INFO: Trying to connect to server (10.10.10.1:1514).
2014/09/07 16:21:17 ossec-agentd: INFO: Using IPv4 for: 10.10.10.1 .
2014/09/07 16:21:38 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.10.10.1'.
2014/09/07 16:21:58 ossec-agentd: INFO: Trying to connect to server (10.10.10.1:1514).
2014/09/07 16:21:58 ossec-agentd: INFO: Using IPv4 for: 10.10.10.1 .
2014/09/07 16:21:59 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2014/09/07 16:21:59 ossec-syscheckd: WARN: Process locked. Waiting for permission...
2014/09/07 16:22:19 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.10.10.1'.
2014/09/07 16:22:58 ossec-agentd: INFO: Trying to connect to server (10.10.10.1:1514).
2014/09/07 16:22:58 ossec-agentd: INFO: Using IPv4 for: 10.10.10.1 .
2014/09/07 16:23:12 ossec-logcollector: WARN: Process locked. Waiting for permission...
2014/09/07 16:23:19 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.10.10.1'.
2014/09/07 16:24:15 ossec-agentd: INFO: Trying to connect to server (10.10.10.1:1514).
2014/09/07 16:24:15 ossec-agentd: INFO: Using IPv4 for: 10.10.10.1 .
```


----------



## mecano (Sep 7, 2014)

Just to be sure what does `/usr/local/ossec-hids/bin/ossec-control status` output server side?


Are you monitoring your pf.conf rules in real time to witness some problems?
Open a screen or a terminal then 
`tcpdump -n -e -tttt -i pflog0`

restart server wait for it to finish starting then restart agent, do you see some blockings between 10.10.10.1 and 10.10.10.9?


Did you extract the agent key (server side), copy it then paste it into the agent (agent side)?
You need to use `/usr/local/ossec-hids/bin/manage-agents` on server then on agent side.
Then restart both.

(by the way you have a typo in 
	
	



```
<email_from>root@jails.kkkkkk.net.</email_from>
```
 there should be no ending dot).


----------



## frankit60 (Sep 7, 2014)

mecano said:
			
		

> Just to be sure what does `/usr/local/ossec-hids/bin/ossec-control status` output server side?



`root@jails:~ # /usr/local/ossec-hids/bin/ossec-control status`

```
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
```



			
				mecano said:
			
		

> Are you monitoring your pf.conf rules in real time to witness some problems?
> Open a screen or a terminal then
> `tcpdump -n -e -tttt -i pflog0`



`root@jails:~ # tcpdump -n -e -tttt -i pflog0`

```
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
capability mode sandbox enabled
2014-09-07 21:01:52.478963 rule 0..16777216/0(match): block in on em0: 78.134.xx.22 > 224.0.0.1: igmp query v3
2014-09-07 21:03:57.485510 rule 0..16777216/0(match): block in on em0: 78.134.xx.22 > 224.0.0.1: igmp query v3
2014-09-07 21:06:02.491980 rule 0..16777216/0(match): block in on em0: 78.134.xx.22 > 224.0.0.1: igmp query v3
2014-09-07 21:08:07.496351 rule 0..16777216/0(match): block in on em0: 78.134.xx.22 > 224.0.0.1: igmp query v3
2014-09-07 21:10:12.500649 rule 0..16777216/0(match): block in on em0: 78.134.xx.22 > 224.0.0.1: igmp query v3
2014-09-07 21:12:17.505896 rule 0..16777216/0(match): block in on em0: 78.134.xx.22 > 224.0.0.1: igmp query v3
2014-09-07 21:14:22.510282 rule 0..16777216/0(match): block in on em0: 78.134.xx.22 > 224.0.0.1: igmp query v3
2014-09-07 21:16:27.514742 rule 0..16777216/0(match): block in on em0: 78.134.xx.22 > 224.0.0.1: igmp query v3
```



			
				mecano said:
			
		

> Did you extract the agent key (server side), copy it then paste it into the agent (agent side)?


Yes I do.



			
				mecano said:
			
		

> (by the way you have a typo in
> 
> 
> 
> ...


I masked the domain name, the email is sent regularly.


----------



## mecano (Sep 7, 2014)

How did you set your jail IP?

You should tighten your pf rules, as you only want pf to allow ossec reports to server, define server IP as macro in /etc/pf.conf:

```
ossec="10.10.10.1"
```

Then change your rules to log ossec traffic:

```
pass in log on $int_if proto udp from $local_net to $ossec port 1514 keep state
pass out log on $int_if proto udp from $local_net to $ossec port 1514 keep state
```
to fire back active responses you'll also need

```
pass out on $int_if proto udp from $ossec port 1514 to $local_net keep state
```

Restart server, restart agent, monitor with tcpdump(), which IP did the agent self choose?


----------



## frankit60 (Sep 8, 2014)

Now this is my /etc/pf.conf...

```
ext_if = "re0"
int_if = "em0"
local_net = "10.10.10.0/24"
web_server = "10.10.10.10"
web_ports = "{ http, https }" 
udp_ports ="{ domain, ntp }"
ossec = "10.10.10.1"

ssh_server = "10.10.10.9"
ssh_port = " ssh "

table <ossec_fwtable> persist #ossec_fwtable

scrub in all

nat on $ext_if from $local_net to any -> $ext_if
rdr on $ext_if proto tcp from any to any port $web_ports -> $web_server
rdr on $ext_if proto tcp from any to any port $ssh_port -> $ssh_server

antispoof log quick for { $ext_if } inet

#block all
block in all
pass on $int_if all
pass out on $ext_if all

set skip on lo0

block in log quick from <ossec_fwtable>

pass quick proto tcp from any to $web_server port $web_ports
pass quick proto tcp from any to $ssh_server port $ssh_port

#pass in on $int_if proto udp from $local_net to any port 1514
pass in log on $int_if proto udp from $local_net to $ossec port 1514 keep state
pass out log on $int_if proto udp from $local_net to $ossec port 1514 keep state

pass out on $int_if proto udp from $ossec port 1514 to $local_net keep state
```
…and this is `tcpdump -n -e -tttt -i pflog0` output

```
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
capability mode sandbox enabled
2014-09-08 08:12:42.640718 rule 0..16777216/0(match): block in on em0: 78.134.37.22 > 224.0.0.1: igmp query v3
2014-09-08 08:14:47.640247 rule 0..16777216/0(match): block in on em0: 78.134.37.22 > 224.0.0.1: igmp query v3
2014-09-08 08:16:52.640134 rule 0..16777216/0(match): block in on em0: 78.134.37.22 > 224.0.0.1: igmp query v3
2014-09-08 08:18:57.640242 rule 0..16777216/0(match): block in on em0: 78.134.37.22 > 224.0.0.1: igmp query v3
2014-09-08 08:21:02.640418 rule 0..16777216/0(match): block in on em0: 78.134.37.22 > 224.0.0.1: igmp query v3
```
There is nothing about ossec or 1514  :-(


----------



## mecano (Sep 8, 2014)

Change
	
	



```
nat on $ext_if from $local_net to any -> $ext_if
```
to
	
	



```
nat on $ext_if from $local_net to any -> ($ext_if)
```
and

```
pass in log on $int_if proto udp from $local_net to $ossec port 1514 keep state
pass out log on $int_if proto udp from $local_net to $ossec port 1514 keep state

pass out on $int_if proto udp from $ossec port 1514 to $local_net keep state
```
to

```
pass in log proto udp from any to any port 1514 keep state
pass out log proto udp from any to any port 1514 keep state
```
Reload `pfctl -f /etc/pf.conf`.
Relaunch ossec agent.
Monitor with `tcpdump`.
And… what does `pfctl -s state` say?


----------



## frankit60 (Sep 8, 2014)

After changing /etc/pf.conf and reloading the output from `pfctl -s state`:

```
No ALTQ support in kernel
ALTQ related functions disabled
all udp 78.134.xx.20:37194 -> 88.149.128.22:53       MULTIPLE:SINGLE
all tcp 10.10.10.9:22 (78.134.xx.20:22) <- 78.134.xx.18:50846       ESTABLISHED:ESTABLISHED
all udp 78.134.xx.20:123 -> 85.18.189.242:123       MULTIPLE:SINGLE
all tcp 10.10.10.9:22 (78.134.xx.20:22) <- 78.134.xx.18:50507       ESTABLISHED:ESTABLISHED
all udp 78.134.xx.20:55742 -> 88.149.128.22:53       MULTIPLE:SINGLE
```

This is output from `tcpdump -n -e -tttt -i pflog0`

```
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
capability mode sandbox enabled
```
Nothing about UDP or port 1514 from 10.10.10.9, but there is TCP connection on port SSH.


----------



## mecano (Sep 8, 2014)

I'm not sure but could NAT plus antispoof do something here?

Also try to log all traffic, change to this:

```
antispoof log quick for { lo0 ($ext_if) }
block in log all
pass log on $int_if all # note that with this rule you are allowing all traffic on $int_if, so the web, ssh and ossec rules are not really of use
pass out log on $ext_if all
```

*C*ould you put your /etc/rc.conf?

Here I can make an OSSEC server in a jail communicate with an OSSEC agent on the host (reverse situation to yours).


----------



## frankit60 (Sep 8, 2014)

/etc/rc.conf

```
hostname="jails.xxxxxx.net"
keymap="it.iso.kbd"
ifconfig_re0="inet 78.134.xx.20 netmask 255.255.255.248"
ifconfig_em0="inet 10.10.10.1 netmask 255.255.255.0"
defaultrouter="78.134.xx.22"
sshd_enable="YES"
ntpd_enable="YES"
powerd_enable="YES"
dumpdev="NO"
zfs_enable="YES"
qjail_enable="YES"
gateway_enable="YES"
pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
pflog_flags=""                  # additional flags for pflogd startup

ossechids_enable="YES"

sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
```

/etc/pf.conf

```
ext_if = "re0"
int_if = "em0"
local_net = "10.10.10.0/24"
web_server = "10.10.10.10"
web_ports = "{ http, https }" 
udp_ports ="{ domain, ntp }"
ossec = "10.10.10.1"

ssh_server = "10.10.10.9"
ssh_port = " ssh "

table <ossec_fwtable> persist #ossec_fwtable

scrub in all

#nat on $ext_if from $local_net to any -> $ext_if
nat on $ext_if from $local_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to any port $web_ports -> $web_server
rdr on $ext_if proto tcp from any to any port $ssh_port -> $ssh_server

#antispoof log quick for { $ext_if } inet
antispoof log quick for { lo0 ($ext_if) } inet

#block all
block in log all
pass log on $int_if all
pass out log on $ext_if all

set skip on lo0

block in log quick from <ossec_fwtable>

pass quick proto tcp from any to $web_server port $web_ports
pass quick proto tcp from any to $ssh_server port $ssh_port

#pass in on $int_if proto udp from $local_net to any port 1514
#pass in log on $int_if proto udp from $local_net to $ossec port 1514 keep state
#pass out log on $int_if proto udp from $local_net to $ossec port 1514 keep state
#
#pass out on $int_if proto udp from $ossec port 1514 to $local_net keep state

pass in log proto udp from any to any port 1514 keep state
pass out log proto udp from any to any port 1514 keep state
```

`tcpdump -n -e -tttt -i pflog0`

```
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
capability mode sandbox enabled
2014-09-08 18:53:19.983065 rule 6..16777216/0(match): pass out on re0: 78.134.xx.20.123 > 88.149.128.123.123: NTPv4, Client, length 48
2014-09-08 18:53:57.969546 rule 6..16777216/0(match): pass out on re0: 78.134.xx.20.123 > 85.18.189.242.123: NTPv4, Client, length 48
2014-09-08 18:53:59.745751 rule 4..16777216/0(match): block in on re0: 207.115.84.58.53 > 78.134.xx.20.49184: 4901 ServFail 0/0/0 (36)
2014-09-08 18:54:00.616268 rule 4..16777216/0(match): block in on re0: 192.168.1.99.138 > 192.168.1.255.138: NBT UDP PACKET(138)
2014-09-08 18:54:22.692183 rule 4..16777216/0(match): block in on re0: 78.134.xx.22 > 224.0.0.1: igmp query v3
2014-09-08 18:55:00.079253 rule 6..16777216/0(match): pass out on re0: 78.134.xx.20.53876 > 88.149.128.22.53: 59180+ A? jssh.xxxxxxx.net. (33)
2014-09-08 18:56:27.691740 rule 4..16777216/0(match): block in on re0: 78.134.xx.22 > 224.0.0.1: igmp query v3
2014-09-08 18:57:37.956741 rule 6..16777216/0(match): pass out on re0: 78.134.xx.20.123 > 88.149.128.123.123: NTPv4, Client, length 48
2014-09-08 18:57:41.662636 rule 4..16777216/0(match): block in on re0: 192.168.1.20.138 > 192.168.1.255.138: NBT UDP PACKET(138)
2014-09-08 18:57:41.662681 rule 4..16777216/0(match): block in on re0: 192.168.1.20.138 > 192.168.1.255.138: NBT UDP PACKET(138)
2014-09-08 18:58:32.691750 rule 4..16777216/0(match): block in on re0: 78.134.xx.22 > 224.0.0.1: igmp query v3
2014-09-08 18:58:43.094763 rule 4..16777216/0(match): block in on re0: 192.168.1.236.138 > 192.168.1.255.138: NBT UDP PACKET(138)
2014-09-08 18:58:43.094808 rule 4..16777216/0(match): block in on re0: 192.168.1.236.138 > 192.168.1.255.138: NBT UDP PACKET(138)
2014-09-08 18:59:43.516655 rule 4..16777216/0(match): block in on re0: 92.222.221.179.30000 > 78.134.xx.20.44988: Flags [S.], seq 5521xxxxxx62583, ack 2117926913, win 16384, options [mss 1446], length 0
2014-09-08 18:59:46.970441 rule 6..16777216/0(match): pass out on re0: 78.134.xx.20.123 > 212.45.144.3.123: NTPv4, Client, length 48
2014-09-08 19:00:00.069181 rule 6..16777216/0(match): pass out on re0: 78.134.xx.20.50552 > 88.149.128.22.53: 58063+ A? jssh.xxxxxxx.net. (33)
2014-09-08 19:00:37.691856 rule 4..16777216/0(match): block in on re0: 78.134.xx.22 > 224.0.0.1: igmp query v3
2014-09-08 19:02:31.988690 rule 6..16777216/0(match): pass out on re0: 78.134.xx.20.123 > 85.18.189.242.123: NTPv4, Client, length 48
2014-09-08 19:02:42.691845 rule 4..16777216/0(match): block in on re0: 78.134.xx.22 > 224.0.0.1: igmp query v3
2014-09-08 19:02:56.093114 rule 4..16777216/0(match): block in on re0: 192.168.1.194.54568 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2014-09-08 19:02:56.134782 rule 4..16777216/0(match): block in on re0: 192.168.1.194.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2014-09-08 19:02:56.136150 rule 4..16777216/0(match): block in on re0: 192.168.1.194.51815 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2014-09-08 19:02:56.153651 rule 4..16777216/0(match): block in on re0: 192.168.1.194.138 > 192.168.1.255.138: NBT UDP PACKET(138)
2014-09-08 19:04:40.007422 rule 4..16777216/0(match): block in on re0: 116.255.208.102.6000 > 78.134.xx.20.1433: Flags [S], seq 817758208, win 16384, options [mss 1452], length 0
2014-09-08 19:04:47.692106 rule 4..16777216/0(match): block in on re0: 78.134.xx.22 > 224.0.0.1: igmp query v3
2014-09-08 19:06:03.638693 rule 4..16777216/0(match): block in on re0: 192.168.1.99.138 > 192.168.1.255.138: NBT UDP PACKET(138)
2014-09-08 19:06:09.956913 rule 6..16777216/0(match): pass out on re0: 78.134.xx.20.123 > 88.149.128.123.123: NTPv4, Client, length 48
2014-09-08 19:06:52.692179 rule 4..16777216/0(match): block in on re0: 78.134.xx.22 > 224.0.0.1: igmp query v3
```


----------



## mecano (Sep 8, 2014)

I'm not familiar with qjail but I see no mention of your jails IP in your /etc/rc.conf, something like

```
ifconfig_em0_alias0="inet 10.10.10.9 netmask 255.255.255.255"
```
is this normal?

10.10.10.1 is a local gateway to other boxes? 

what does `ifconfig -a` output?


----------



## frankit60 (Sep 8, 2014)

mecano said:
			
		

> I'm not familiar with qjail but I see no mention of your jails IP in your /etc/rc.conf, something like
> 
> ```
> ifconfig_em0_alias0="inet 10.10.10.9 netmask 255.255.255.255"
> ...



yes, qjail create alias on the fly at startup

`ifconfig -a`

```
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
	ether e8:de:27:01:1e:55
	inet 78.134.xx.20 netmask 0xfffffff8 broadcast 78.134.xx.23 
	inet6 fe80::eade:27ff:fe01:1e55%re0 prefixlen 64 scopeid 0x1 
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=4019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
	ether 94:de:80:a7:53:9d
	inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255 
	inet6 fe80::96de:80ff:fea7:539d%em0 prefixlen 64 scopeid 0x2 
	inet 10.10.10.9 netmask 0xffffffff broadcast 10.10.10.9 
	inet 10.10.10.10 netmask 0xffffffff broadcast 10.10.10.10 
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect
	status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
```


----------



## mecano (Sep 8, 2014)

frankit60 said:
			
		

> yes, qjail create alias on the fly at startup



Wow… I'm glad to use ezjail, putting things out of /etc/rc.conf is kinda tricky and misleading.



			
				frankit60 said:
			
		

> `ifconfig -a`
> 
> ```
> re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> ...



Jails are broadcasting to themselves? With a physical interface with aliases isn't there supposed to be some bridge facility?
If you were able to add the key to the agent it means there was a connection somehow, monitor with `tcpdump` and add the key to the agent again.


----------



## frankit60 (Sep 8, 2014)

mecano said:
			
		

> frankit60 said:
> 
> 
> 
> ...



This is the new /etc/jail.conf issue from version 10.
You can read about it in `man jail.conf`.
I read that from version 11 will be the only method used.

When I have time I try to connect a real machine.
Thanks for the support.


----------



## mecano (Sep 8, 2014)

frankit60 said:
			
		

> This is the new /etc/jail.conf issue from version 10.
> You can read about it in `man jail.conf`.
> I read that from version 11 will be the only method used.



Oh, thanks for the info, didn't know  



> When I have time I try to connect a real machine.
> Thanks for the support.



Wish I could have been of better help.
Still I don't get why you don't see the agent/server key validation through `tcpdump`, because when you are adding a key on the agent a connection is made to get the agent name and IP.
Also there is a requested feature for security/ossec-hids-agent being able to bind to an ip through ossec.conf, this lack can cause problems in multiple IPs environment (like in a host<>jails configuration) where a solution seems to add route. But this shouldn't be a problem in your case as the agent has one IP only.


----------



## mecano (Sep 15, 2014)

Just to let you know I got the server in host, client in jail configuration working.
It's kinda tricky because you need to put the jail ip as the server ip in the agent ossec.conf.


----------



## frankit60 (Sep 15, 2014)

Thanks Mecano,
I'm away for work. Next week I go back and try again.

Ciao
Franco


----------



## fred974 (Dec 1, 2014)

Hi mecano,

Would you mind sharing your agent configuration file with us? I use sysutils/ezjail and when I put the jail IP as the server IP in the agent ossec.conf, I get the following error: 
	
	



```
2014/12/01 13:37:41 ossec-syscheckd: socket busy ..
2014/12/01 13:37:42 ossec-logcollector: socket busy ..
2014/12/01 13:37:51 ossec-syscheckd: socket busy ..
2014/12/01 13:37:51 ossec-syscheckd(1224): ERROR: Error sending message to queue.
```
pf(4) is currently disabled with `pfctl -d`.


----------



## fred974 (Dec 31, 2014)

Hi frankit60,

I had the same problem and I managed to get it to work in the end..
Look at my thread https://forums.freebsd.org/threads/freebsd-10-ossec-jail-problem.49228/#post-277873.

* When communication is happening on the local machine, it will not use the ExtIf interface but lo0
* As a result pf firewall is not blocking the communication
* Explicitly set OSSEC server to use the host IP with the <local_ip> option
* `sockstat | grep ossec` and `tcpdump -n -i lo0` are your friends here.

By the way, what mecano suggested didn't work for me. I had to keep the FreeBSD host  IP as the server IP in the agent file.


mecano said:


> Just to let you know I got the server in host, client in jail configuration working.
> It's kinda tricky because you need to put the jail IP as the server IP in the agent ossec.conf.



Hope this helps. 

Fred


----------

