I installed an ossec-hids agent on a FreeBSD PPC 12.2 using the binary package, via pkg install ossec-hids-agent. Now I have an ossec-hids-agent-3.6.0_1 up and running, but it is not seen by the server, which sees the other agents perfectly well (they are a bunch of Intel-based FreeBSD machines of different versions).
The server claims to be, via ossec-analysisd -V:
OSSEC HIDS v3.6.0 - OSSEC Foundation
If I run tcpdump, I see:
tcpdump -X -i bge0 src host saguarone
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bge0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:53:22.716459 IP saguarone.23261 > EX.www.inpe.it.1514: UDP, length 73
0x0000: 4500 0065 dd1a 0000 4011 d475 d42d 907b E..e....@..u.-.{
0x0010: d42d 9021 5add 05ea 0051 6d3e 3a07 5383 .-.!Z....Qm>:.S.
0x0020: c89f c05b ad0f bf9e 5cfa b5ef e297 e23c ...[....\......<
0x0030: af52 dec8 030b 9556 9723 090b 52af 3bbd .R.....V.#..R.;.
0x0040: 2f44 e315 6a84 04ac 299a 193c a4ec dfc5 /D..j...)..<....
0x0050: 89c3 7e6c 95fc 62b5 311a 9d5a 9156 cc60 ..~l..b.1..Z.V.`
0x0060: ec3c 1be4 3a .<..:
18:53:24.325022 IP saguarone > EX.www.inpe.it: ICMP echo reply, id 60308, seq 0, length 64
0x0000: 4500 0054 3b23 0000 4001 768e d42d 907b E..T;#..@.v..-.{
0x0010: d42d 9021 0000 1112 eb94 0000 0082 c1ea .-.!............
0x0020: 0058 5591 0809 0a0b 0c0d 0e0f 1011 1213 .XU.............
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050: 3435 3637 4567
18:53:25.324786 IP saguarone > EX.www.inpe.it: ICMP echo reply, id 60308, seq 1, length 64
0x0000: 4500 0054 3b25 0000 4001 768c d42d 907b E..T;%..@.v..-.{
0x0010: d42d 9021 0000 0fad eb94 0001 0082 c1eb .-.!............
0x0020: 006d 56df 0809 0a0b 0c0d 0e0f 1011 1213 .mV.............
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050: 3435 3637 4567
18:53:26.332956 IP saguarone > EX.www.inpe.it: ICMP echo reply, id 60308, seq 2, length 64
0x0000: 4500 0054 3b27 0000 4001 768a d42d 907b E..T;'..@.v..-.{
0x0010: d42d 9021 0000 a0df eb94 0002 0082 c1ec .-.!............
0x0020: 007c c59b 0809 0a0b 0c0d 0e0f 1011 1213 .|..............
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050: 3435 3637 4567
18:53:27.302640 IP saguarone > EX.www.inpe.it: ICMP echo reply, id 60308, seq 3, length 64
0x0000: 4500 0054 3b29 0000 4001 7688 d42d 907b E..T;)..@.v..-.{
0x0010: d42d 9021 0000 4b64 eb94 0003 0082 c1ed .-.!..Kd........
0x0020: 008c 1b05 0809 0a0b 0c0d 0e0f 1011 1213 ................
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050: 3435 3637 4567
18:53:28.303678 IP saguarone > EX.www.inpe.it: ICMP echo reply, id 60308, seq 4, length 64
0x0000: 4500 0054 3b2b 0000 4001 7686 d42d 907b E..T;+..@.v..-.{
0x0010: d42d 9021 0000 ed73 eb94 0004 0082 c1ee .-.!...s........
0x0020: 0099 78e6 0809 0a0b 0c0d 0e0f 1011 1213 ..x.............
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050: 3435 3637 4567
18:53:28.849327 IP saguarone.23261 > EX.www.inpe.it.1514: UDP, length 73
0x0000: 4500 0065 dd1b 0000 4011 d474 d42d 907b E..e....@..t.-.{
0x0010: d42d 9021 5add 05ea 0051 69f8 3a20 4cec .-.!Z....Qi.:.L.
0x0020: f64d 9cdd ec72 a534 abff dc44 463d 175b .M...r.4...DF=.[
0x0030: 5c73 99fc c350 2937 48ca 8942 dd7a 1b77 \s...P)7H..B.z.w
0x0040: b96b 00b2 093e f874 14b1 4932 9da5 08e2 .k...>.t..I2....
0x0050: 9a14 52fa 23cf 4672 f1d9 e0c4 a5e9 a90c ..R.#.Fr........
0x0060: d39c 4c22 d3 ..L".
18:53:32.893173 IP saguarone.23261 > EX.www.inpe.it.1514: UDP, length 73
0x0000: 4500 0065 dd1c 0000 4011 d473 d42d 907b E..e....@..s.-.{
0x0010: d42d 9021 5add 05ea 0051 5820 3a2d 8e5c .-.!Z....QX.:-.\
0x0020: 4c7d 0f1c a54c 3dd0 6571 1ed9 fd46 5e61 L}...L=.eq...F^a
0x0030: acda 7dc4 da32 4167 2486 c2fd 7224 3de2 ..}..2Ag$...r$=.
0x0040: fb2c c874 f9a2 79f5 8bfd 880b 46c8 4fd8 .,.t..y.....F.O.
0x0050: 56e4 390c 02ca ea46 08d2 da2f 2376 8c10 V.9....F.../#v..
0x0060: ce47 eebf 0a .G...
Thanks in advance,
Luciano.