
Re: [prelude-user] TLS handshake failed: A record packet with illegal version was received

2007-11-06 04:03:26
Re: TLS handshake failed: A record packet with illegal version was received
On Tuesday, 6 November 2007 at 10:46 +0100, DeMoNsweb.de wrote:
> > > I'm trying to use one prelude-manager server and one sensor. The sensor should use prelude-lml ... at first.
> > > I followed the installation steps according to the documentation on www.prelude-ids.org.
> > > 
> > > I receive the following output for prelude-manager:
> > > 
> > > # prelude-manager --debug -l stderr --listen 192.168.162.42:4690
> > > 23 Oct 14:41:24 (process:36714) INFO: Subscribing Normalize to active decoding plugins.
> > > 23 Oct 14:41:24 (process:36714) INFO: Subscribing db[default] to active reporting plugins.
> > > 23 Oct 14:41:24 (process:36714) INFO: Subscribing XmlMod[default] to active reporting plugins.
> > > 23 Oct 14:41:24 (process:36714) INFO: Subscribing TextMod[default] to active reporting plugins.
> > > 23 Oct 14:41:24 (process:36714) INFO: Subscribing Debug[default] to active reporting plugins.
> > > 23 Oct 14:41:24 (process:36714) INFO: server started (listening on 192.168.162.42 port 4690).
> > > 
> > > and the following output for prelude-lml
> > > 
> > > # prelude-lml
> > > 23 Oct 14:45:15 (process:36743) INFO: PCRE plugin loaded 393 rules.
> > > 23 Oct 14:45:15 (process:36743) INFO: Monitoring /var/log/messages through pcre[default]
> > > 23 Oct 14:45:15 (process:36743) INFO: Monitoring /var/log/auth.log through pcre[default]
> > > 23 Oct 14:45:15 (process:36743) INFO: Connecting to 192.168.162.42:4690 prelude Manager server.
> > > 23 Oct 14:45:15 (process:36743) WARNING: prelude-client: error starting prelude-client: TLS handshake failed: A record packet with illegal version was received..
> > 
> > What is the output on the Prelude-Manager side?
> 
> Like I stated above "output for prelude-lml". After the warning on prelude-lml side, prelude-manager just quits.

Prelude-Manager should print information concerning agent connection / disconnection, so you probably have something after the following log:

"INFO: server started (listening on 192.168.162.42 port 4690)."


> > > In order to register this sensor, please run:
> > > prelude-admin register prelude-lml "idmef:w" 192.168.162.42 --uid 0 --gid 0
> > > 
> > > Profile 'prelude-lml' does not exist. In order to create it, please run:
> > > prelude-admin register prelude-lml "idmef:w" <manager address> --uid 0 --gid 0.
> > > 
> > > Of course I registered the sensor multiple times like
> > > prelude-admin register prelude-lml "idmef:w" 192.168.162.42 --uid 0 --gid 0
> > 
> > Looks good, what prelude-admin command did you use on the Prelude-Manager side?
> 
> On Prelude-Manager side I used
> 
> # prelude-admin registration-server prelude-manager
> 
> after I created a profile (if it wasn't already created by "installer") using
> 
> # prelude-admin add prelude-manager --uid 0 --gid 0

Looks good.

[...]

> > > Funny thing is, when I use prelude-lml on localhost on the same machine as prelude-manager, it connects at least successfully, but I don't think it's checking the logs, first I used only /var/log/messages.
> > 
> > Can you confirm whether you are talking about a different LML sensor here (ie: it works on the same machine, but won't work on a remote machine)?
> > 
> 
> Exactly, if I run both, Prelude-Manager AND Prelude-LML, on the same machine using 127.0.0.1 or localhost it works just fine - after re-registering the "local" prelude-lml with the "local" prelude-manager
> 
> Another thing I realized during my "investigation": I tried installing various prelude-manager - prelude-lml combinations on several machines and with some machine combinations it works just fine ... there is somehow no deterministic behavior, if you know what I mean.
> 
> Another thing, I used "LIBPRELUDE_TLS_DEBUG=10" to see what might go wrong on prelude-lml side (I know, lot of output):

[...]

Thanks for the GnuTLS session dump!

Could you provide me with the GnuTLS version used on the Prelude-LML machine, as well as the GnuTLS version in use on the Prelude-Manager machine?

Thanks,

-- 
Yoann Vandoorselaere | Responsable R&D / CTO | PreludeIDS Technologies
Tel: +33 (0)8 70 70 21 58                  Fax: +33 (0)4 78 42 21 58
http://www.prelude-ids.com


_______________________________________________
Prelude-user site list
Prelude-user@prelude-ids.org
http://www.prelude-ids.org/mailman/listinfo/prelude-user
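As an added diagnostic example (not code from this thread or from the Prelude project): the GnuTLS error quoted above is raised when the 5-byte TLS record header carries a version the library does not accept, so the quickest way to see what the sensor side actually sent is to parse that header from a capture of the first bytes on port 4690. The script below does that for a byte string and reports whether it is a TLS record with an acceptable version, a record with an unexpected version, no TLS record at all, or too short to judge; the accepted-version table and all sample inputs are assumptions constructed for the example, since the exact rule depends on the GnuTLS release on each machine.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Record-layer versions accepted here (assumption: a given GnuTLS release
# may know fewer; a 2007 build, for instance, predates TLS 1.2).
KNOWN_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
                  (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
MAX_RECORD = 2 ** 14 + 2048  # plaintext limit plus MAC/compression slack

def classify_record(data: bytes) -> dict:
    """Parse the first TLS record header and say why GnuTLS might reject it."""
    if len(data) < 5:
        return {"verdict": "short", "detail": f"{len(data)} bytes, need 5"}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES:
        # First byte is not a TLS content type: plaintext or another
        # protocol reached the TLS listener.
        return {"verdict": "not_tls", "detail": f"content type 0x{ctype:02x}",
                "ascii": data[:8].decode("ascii", "replace")}
    result = {"content_type": CONTENT_TYPES[ctype],
              "version": (major, minor), "length": length}
    if (major, minor) not in KNOWN_VERSIONS:
        result["verdict"] = "illegal_version"
        result["detail"] = f"record version {major}.{minor} not accepted"
    elif length > MAX_RECORD:
        result["verdict"] = "oversize"
        result["detail"] = f"length {length} exceeds {MAX_RECORD}"
    else:
        result["verdict"] = "ok"
        result["detail"] = KNOWN_VERSIONS[(major, minor)]
    return result

# Constructed samples, not captures from the thread: a TLS 1.0 ClientHello
# record, an HTTP request sent to the TLS port, a record claiming version
# 3.5, and a truncated header.
SAMPLES = {
    "tls10_client_hello": bytes.fromhex("160301002f0100002b0301"),
    "http_on_tls_port": b"GET / HTTP/1.1\r\n",
    "unknown_version": bytes.fromhex("1603050020") + b"\x00" * 32,
    "truncated": b"\x16\x03",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20s} {classify_record(raw)}")
```

Feed it the first bytes of a real capture taken on the manager side (for example from a packet capture of the sensor's connection) to compare what each GnuTLS version puts on the wire.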
