
Thread: Re: TLS handshake failed: A record packet with illegal version was received

Re: TLS handshake failed: A record packet with illegal version was received
user name
2007-11-06 03:46:11
argh ... sorry I forgot the subject

At first: THANKS FOR YOUR TIME AND EFFORT !

> -----Original Message-----
> From: Yoann Vandoorselaere <yoann.vprelude-ids.com>
> Sent: 06.11.07 08:13:59
> To: DeMoNsweb.de
> CC: prelude-userprelude-ids.org
> Subject: Re: [prelude-user] TLS handshake failed: A record packet with illegal version was received


> 
> Hi!
> 
> On Wednesday 24 October 2007 at 15:06 +0200, DeMoNsweb.de wrote:
> > I'm having enormous problems getting prelude running. Hopefully someone can help.
> > I'm using FreeBSD 6.2 STABLE and installed the components using portinstall.
> 
> [...]
> 
> > I'm trying to use one prelude-manager server and one sensor. The sensor should use prelude-lml ... at first.
> > I followed the installation steps according to the documentation on www.prelude-ids.org.
> > 
> > I receive the following output for prelude-manager:
> > 
> > # prelude-manager --debug -l stderr --listen 192.168.162.42:4690
> > 23 Oct 14:41:24 (process:36714) INFO: Subscribing Normalize to active decoding plugins.
> > 23 Oct 14:41:24 (process:36714) INFO: Subscribing db[default] to active reporting plugins.
> > 23 Oct 14:41:24 (process:36714) INFO: Subscribing XmlMod[default] to active reporting plugins.
> > 23 Oct 14:41:24 (process:36714) INFO: Subscribing TextMod[default] to active reporting plugins.
> > 23 Oct 14:41:24 (process:36714) INFO: Subscribing Debug[default] to active reporting plugins.
> > 23 Oct 14:41:24 (process:36714) INFO: server started (listening on 192.168.162.42 port 4690).
> > 
> > and the following output for prelude-lml
> > 
> > # prelude-lml
> > 23 Oct 14:45:15 (process:36743) INFO: PCRE plugin loaded 393 rules.
> > 23 Oct 14:45:15 (process:36743) INFO: Monitoring /var/log/messages through pcre[default]
> > 23 Oct 14:45:15 (process:36743) INFO: Monitoring /var/log/auth.log through pcre[default]
> > 23 Oct 14:45:15 (process:36743) INFO: Connecting to 192.168.162.42:4690 prelude Manager server.
> > 23 Oct 14:45:15 (process:36743) WARNING: prelude-client: error starting prelude-client: TLS handshake failed: A record packet with illegal version was received..
> 
> What is the output on the Prelude-Manager side?

Like I stated above: "output for prelude-lml".
After the warning on the prelude-lml side, prelude-manager just quits.

> 
> > In order to register this sensor, please run:
> > prelude-admin register prelude-lml "idmef:w" 192.168.162.42 --uid 0 --gid 0
> > 
> > Profile 'prelude-lml' does not exist. In order to create it, please run:
> > prelude-admin register prelude-lml "idmef:w" <manager address> --uid 0 --gid 0.
> > 
> > Of course I registered the sensor multiple times like
> > prelude-admin register prelude-lml "idmef:w" 192.168.162.42 --uid 0 --gid 0
> 
> Looks good, what prelude-admin command did you use on the Prelude-Manager side?

On the Prelude-Manager side I used

# prelude-admin registration-server prelude-manager

after I created a profile (if it wasn't already created by "installer") using

# prelude-admin add prelude-manager --uid 0 --gid 0

> 
> > As you can see, there seems to be a problem with TLS.
> > 
> > For prelude-lml I changed in /usr/local/etc/prelude/default/client.conf on the sensor machine
> > server-addr = 192.168.162.42 || 192.168.162.42:4690
> 
> The default Prelude port is 4690, so what you are basically saying with this configuration option is:
> 
> Send events to 192.168.162.42:4690, or if it fails send events to 192.168.162.42:4690
> 
> This should be changed to:
> server-addr = 192.168.162.42
> 

OK, thanks ... changed it 

> 
> > And for prelude-manager I changed /usr/local/etc/prelude-manager/prelude-manager.conf on the manager machine
> > listen = 192.168.162.42
> 
> [...]
> 
> > Funny thing is, when I use prelude-lml on localhost on the same machine as prelude-manager, it connects at least successfully, but I don't think it's checking the logs, first I used only /var/log/messages.
> 
> Can you confirm whether you are talking about a different LML sensor here (ie: it works on the same machine, but won't work on a remote machine)?
> 

Exactly, if I run both Prelude-Manager AND Prelude-LML on the same machine using 127.0.0.1 or localhost, it works just fine - after re-registering the "local" prelude-lml with the "local" prelude-manager.

Another thing I realized during my "investigation": I tried installing various prelude-manager - prelude-lml combinations on several machines, and with some machine combinations it works just fine ... there is somehow no deterministic behavior, if you know what I mean.

Another thing, I used "LIBPRELUDE_TLS_DEBUG=10" to see what might go wrong on the prelude-lml side (I know, lots of output):

[...]
06 Nov 08:55:47 (process:61576) INFO: HSK[8148000]: CLIENT HELLO was send [61 bytes]
06 Nov 08:55:47 (process:61576) INFO: BUF[HSK]: Peeked 0 bytes of Data
06 Nov 08:55:47 (process:61576) INFO: BUF[HSK]: Emptied buffer
06 Nov 08:55:47 (process:61576) INFO: REC[8148000]: Sending Packet[0] Handshake(22) with length: 61
06 Nov 08:55:47 (process:61576) INFO: WRITE: Will write 66 bytes to 9.
06 Nov 08:55:47 (process:61576) INFO: WRITE: wrote 66 bytes to 9. Left 0 bytes. Total 66 bytes.
06 Nov 08:55:47 (process:61576) INFO: 0000 - 16 03 01 00 3d 01 00 00 39 03 01 47 30 2c 13 48
06 Nov 08:55:47 (process:61576) INFO: 0001 - 58 91 02 91 51 f4 1d 45 cd 4b 86 7b 50 db 5b 3b
06 Nov 08:55:47 (process:61576) INFO: 0002 - 41 42 4a e9 0b 91 49 1a 70 46 8c 00 00 12 00 2f
06 Nov 08:55:47 (process:61576) INFO: 0003 - 00 0a 00 05 00 04 00 32 00 13 00 66 00 33 00 16
06 Nov 08:55:47 (process:61576) INFO: 0004 - 01 00
06 Nov 08:55:47 (process:61576) INFO: REC[8148000]: Sent Packet[1] Handshake(22) with length: 66
06 Nov 08:55:47 (process:61576) INFO: READ: Got 5 bytes from 9
06 Nov 08:55:47 (process:61576) INFO: READ: read 5 bytes from 9
06 Nov 08:55:47 (process:61576) INFO: 0000 - 59 6f 75 20 61
06 Nov 08:55:47 (process:61576) INFO: RB: Have 0 bytes into buffer. Adding 5 bytes.
06 Nov 08:55:47 (process:61576) INFO: RB: Requested 5 bytes
06 Nov 08:55:47 (process:61576) INFO: ASSERT: gnutls_record.c:494
06 Nov 08:55:47 (process:61576) INFO: ASSERT: gnutls_record.c:908
06 Nov 08:55:47 (process:61576) INFO: ASSERT: gnutls_buffers.c:1196
06 Nov 08:55:47 (process:61576) INFO: ASSERT: gnutls_handshake.c:949
06 Nov 08:55:47 (process:61576) INFO: ASSERT: gnutls_handshake.c:2209
06 Nov 08:55:47 (process:61576) INFO: BUF[HSK]: Cleared Data from buffer
06 Nov 08:55:47 (process:61576) INFO: REC: Sending Alert[2|70] - Error in protocol version
[...]

> 
> Regards,
> 
> -- 
> Yoann Vandoorselaere | Responsable R&D / CTO | PreludeIDS Technologies
> Tel: +33 (0)8 70 70 21 58                  Fax: +33(0)4 78 42 21 58
> http://www.prelude-ids.com

> 
> 

ciao
David

_______________________________________________
Prelude-user site list
Prelude-userprelude-ids.org
http://www.prelude-ids.org/mailman/listinfo/prelude-user
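The five bytes the sensor read back from the manager (59 6f 75 20 61) explain the GnuTLS error: decoded as ASCII they are "You a", the start of a plain-text message, not a TLS record header, so the record layer has no valid version field to accept. The script below is an added example written for this archive page; it is not code from the thread, from Prelude or from GnuTLS. It decodes the 66-byte ClientHello and the 5-byte reply exactly as transcribed from the dump above, and classifies each the way a record-layer check does. The byte strings are copied from the dump; the function names and the cipher-suite name table are the example's own.

```python
"""Decode the TLS record bytes from the LIBPRELUDE_TLS_DEBUG=10 dump.

Added example for this thread (not Prelude or GnuTLS code). The two byte
strings are transcribed from the dump; the helper names are this example's own.
"""
import struct
from datetime import datetime, timezone

# 66 bytes the sensor wrote to fd 9 (dump lines 0000..0004).
CLIENT_HELLO_RECORD = bytes.fromhex(
    "16 03 01 00 3d 01 00 00 39 03 01 47 30 2c 13 48"
    "58 91 02 91 51 f4 1d 45 cd 4b 86 7b 50 db 5b 3b"
    "41 42 4a e9 0b 91 49 1a 70 46 8c 00 00 12 00 2f"
    "00 0a 00 05 00 04 00 32 00 13 00 66 00 33 00 16"
    "01 00"
)
# 5 bytes the sensor read back from fd 9 before GnuTLS gave up.
SERVER_REPLY = bytes.fromhex("59 6f 75 20 61")

RECORD_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
# Names for the suites this ClientHello offers (IANA registry values).
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0066: "TLS_DHE_DSS_WITH_RC4_128_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
}


def parse_record_header(data: bytes):
    """Return (content_type, (major, minor), length) for a TLS record header.

    Raises ValueError when the first five bytes cannot be a record header,
    which is the condition GnuTLS reports as 'illegal version'.
    """
    if len(data) < 5:
        raise ValueError("need 5 bytes for a record header, got %d" % len(data))
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in RECORD_TYPES or major != 3 or minor > 3:
        raise ValueError(
            "not a TLS record header: type=0x%02x version=%d.%d; as text: %r"
            % (ctype, major, minor, data[:5])
        )
    return ctype, (major, minor), length


def parse_client_hello(record: bytes) -> dict:
    """Parse a TLS 1.0 ClientHello carried in a single Handshake record."""
    ctype, version, length = parse_record_header(record)
    body = record[5:5 + length]
    if ctype != 22 or len(body) != length:
        raise ValueError("not a complete Handshake record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != 1 or hs_len != len(body) - 4:
        raise ValueError("not a ClientHello, or handshake length mismatch")
    hello = body[4:]
    major, minor = hello[0], hello[1]
    random = hello[2:34]                      # 32 bytes, first 4 are gmt_unix_time
    gmt_unix_time = struct.unpack("!I", random[:4])[0]
    pos = 34
    sid_len = hello[pos]; pos += 1
    session_id = hello[pos:pos + sid_len]; pos += sid_len
    suites_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    comp_len = hello[pos]; pos += 1
    compression = list(hello[pos:pos + comp_len])
    return {
        "record_version": version,
        "client_version": (major, minor),
        "gmt_unix_time": gmt_unix_time,
        "hello_time_utc": datetime.fromtimestamp(gmt_unix_time, tz=timezone.utc),
        "session_id": session_id,
        "cipher_suites": suites,
        "compression": compression,
    }


def classify_peer_bytes(data: bytes) -> str:
    """Say whether what the peer sent back is a TLS record or something else."""
    try:
        ctype, (major, minor), length = parse_record_header(data)
    except ValueError as exc:
        return "not TLS: " + str(exc)
    return "TLS record %s v%d.%d, %d bytes" % (RECORD_TYPES[ctype], major, minor, length)


if __name__ == "__main__":
    hello = parse_client_hello(CLIENT_HELLO_RECORD)
    print("ClientHello %d.%d sent at %s" % (*hello["client_version"], hello["hello_time_utc"]))
    for suite in hello["cipher_suites"]:
        print("  0x%04x %s" % (suite, CIPHER_SUITES.get(suite, "?")))
    print("reply from manager:", classify_peer_bytes(SERVER_REPLY))
```

Run as-is, the script reports a TLS 1.0 ClientHello offering nine RSA and DHE suites, and classifies the reply as not TLS, showing it as b'You a'. The first four random bytes, 0x47302c13, decode to 2007-11-06 08:55:47 UTC, the same clock reading as the log lines, which confirms the transcription is intact. The defender's takeaway is that "illegal version" from the record layer usually means the other end of the TCP connection is not speaking TLS at all (a different service, a text banner, or a proxy), so the next thing to capture is what the manager writes on the socket before it exits, which is also what the reply below asks for.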


Re: TLS handshake failed: A record packet with illegal version was received
user name
2007-11-06 04:03:26
On Tuesday 06 November 2007 at 10:46 +0100, DeMoNsweb.de wrote:
> > > I'm trying to use one prelude-manager server and one sensor. The sensor should use prelude-lml ... at first.
> > > I followed the installation steps according to the documentation on www.prelude-ids.org.
> > > 
> > > I receive the following output for prelude-manager:
> > > 
> > > # prelude-manager --debug -l stderr --listen 192.168.162.42:4690
> > > 23 Oct 14:41:24 (process:36714) INFO: Subscribing Normalize to active decoding plugins.
> > > 23 Oct 14:41:24 (process:36714) INFO: Subscribing db[default] to active reporting plugins.
> > > 23 Oct 14:41:24 (process:36714) INFO: Subscribing XmlMod[default] to active reporting plugins.
> > > 23 Oct 14:41:24 (process:36714) INFO: Subscribing TextMod[default] to active reporting plugins.
> > > 23 Oct 14:41:24 (process:36714) INFO: Subscribing Debug[default] to active reporting plugins.
> > > 23 Oct 14:41:24 (process:36714) INFO: server started (listening on 192.168.162.42 port 4690).
> > > 
> > > and the following output for prelude-lml
> > > 
> > > # prelude-lml
> > > 23 Oct 14:45:15 (process:36743) INFO: PCRE plugin loaded 393 rules.
> > > 23 Oct 14:45:15 (process:36743) INFO: Monitoring /var/log/messages through pcre[default]
> > > 23 Oct 14:45:15 (process:36743) INFO: Monitoring /var/log/auth.log through pcre[default]
> > > 23 Oct 14:45:15 (process:36743) INFO: Connecting to 192.168.162.42:4690 prelude Manager server.
> > > 23 Oct 14:45:15 (process:36743) WARNING: prelude-client: error starting prelude-client: TLS handshake failed: A record packet with illegal version was received..
> > 
> > What is the output on the Prelude-Manager side?
> 
> Like I stated above: "output for prelude-lml". After the warning on the prelude-lml side, prelude-manager just quits.

Prelude-Manager should print information concerning agent connection / disconnection, so you probably have something after the following log:

"INFO: server started (listening on 192.168.162.42 port
4690)."


> > > In order to register this sensor, please run:
> > > prelude-admin register prelude-lml "idmef:w" 192.168.162.42 --uid 0 --gid 0
> > > 
> > > Profile 'prelude-lml' does not exist. In order to create it, please run:
> > > prelude-admin register prelude-lml "idmef:w" <manager address> --uid 0 --gid 0.
> > > 
> > > Of course I registered the sensor multiple times like
> > > prelude-admin register prelude-lml "idmef:w" 192.168.162.42 --uid 0 --gid 0
> > 
> > Looks good, what prelude-admin command did you use on the Prelude-Manager side?
> 
> On the Prelude-Manager side I used
> 
> # prelude-admin registration-server prelude-manager
> 
> after I created a profile (if it wasn't already created by "installer") using
> 
> # prelude-admin add prelude-manager --uid 0 --gid 0

Looks good.

[...]

> > > Funny thing is, when I use prelude-lml on localhost on the same machine as prelude-manager, it connects at least successfully, but I don't think it's checking the logs, first I used only /var/log/messages.
> > 
> > Can you confirm whether you are talking about a different LML sensor here (ie: it works on the same machine, but won't work on a remote machine)?
> > 
> 
> Exactly, if I run both Prelude-Manager AND Prelude-LML on the same machine using 127.0.0.1 or localhost, it works just fine - after re-registering the "local" prelude-lml with the "local" prelude-manager.
> 
> Another thing I realized during my "investigation": I tried installing various prelude-manager - prelude-lml combinations on several machines, and with some machine combinations it works just fine ... there is somehow no deterministic behavior, if you know what I mean.
> 
> Another thing, I used "LIBPRELUDE_TLS_DEBUG=10" to see what might go wrong on the prelude-lml side (I know, lots of output):

[...]

Thanks for the GnuTLS session dump!

Could you provide me with the GnuTLS version used on the Prelude-LML machine, as well as the GnuTLS version in use on the Prelude-Manager machine?

Thanks,

-- 
Yoann Vandoorselaere | Responsable R&D / CTO | PreludeIDS Technologies
Tel: +33 (0)8 70 70 21 58                  Fax: +33(0)4 78 42 21 58
http://www.prelude-ids.com

