From rbenq at hotmail.com Fri Aug 29 12:12:36 2008
From: rbenq at hotmail.com (Ricardo Benq)
Date: Fri, 29 Aug 2008 12:12:36 +0000
Subject: [Pkg-ossim-devel] agent/server connection problem
Message-ID:

Hello,

I'm having problems regarding agent/server connections. The errors occur with Ossim installed via Installer 1.04, even when it is updated to 1.0.5 and 1.0.5p1. I think there is a problem with the format of events sent from Snort to Server.

Some of the messages I get from agent.log:

Conn [ERROR]: (104, 'Connection reset by peer')
Conn [INFO]: Closing server connection..
Conn [ERROR]: (32, 'Broken pipe'
Conn [INFO]: Closing server connection..
Conn [ERROR]: Error receiving data from server

And these are the ones I get from server.log:

OSSIM-Debug: sim_session_read: error command null
OSSIM-Message: Session Sensor : REMOVED
OSSIM-Message: Removed IP: 10.200.1.166
OSSIM-Message: Session Removed
OSSIM-Debug: sim_server_session: After remove session: pid 14144. session: 8101b08
OSSIM-Debug: sim_scheduler_backlogs_time_out: list is NULL
OSSIM-Debug: sim_command_snort_event_scan: len/data: 237/8b3e730
2008-08-27 09:19:30 OSSIM-Debug: sim_command_snort_event_scan: gzipdata type="detector" date="2008-08-27 06:57:09" snort_gid="1" snort_sid="1417" snort_rev="9" snort_classification="4" snort_priority="2" packet_type="raw" raw_payload=" 005056974108000423b002b481000010080045000055000040003e11827d 0ac80164ac1001dfbd8900a1004138623037020101040f35657276696430 7265355f35357265a12102047a501a8f02010002010030133011060d2b06 01020119040201028483250500 "
OSSIM-Debug: FUC**** COMMAND: type="detector" date="2008-08-27 06:57:09" snort_gid="1" snort_sid="1417" snort_rev="9" snort_classification="4" snort_priority="2" packet_type="raw" raw_payload=" 005056974108000423b002b481000010080045000055000040003e11827d 0ac80164ac1001dfbd8900a1004138623037020101040f35657276696430 7265355f35357265a12102047a501a8f02010002010030133011060d2b06 01020119040201028483250500 "
OSSIM-Debug: sim_session_read: error command null
OSSIM-Message: Session Sensor : REMOVED
OSSIM-Message: Removed IP: 10.200.1.166
OSSIM-Message: Session Removed
OSSIM-Debug: sim_server_session: After remove session: pid 14144. session: 8124600
OSSIM-Debug: Attempt to insert event with sensor:10 and cid:23742 with 10
OSSIM-Message: Unknown protocol send from Snort 255
OSSIM-Debug: sim_organizer_snort_extra_data_insert: YES
OSSIM-Debug: sim_organizer_correlation: BEGIN backlogs 0
OSSIM-Debug: sim_organizer_correlation: END backlogs 0

Thanks,
Ben.