Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: Re: ASL 3.0 Feedback
Posted: Wed Jul 20, 2011 3:16 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3265
Location: Chantilly, VA
Quote:
Seems that anytime you change the ASL Web Settings and start resizing and moving things around that's when the loading issues start. I did clear my cache every time before re-logging in to the asl gui.


Yep, the GUI team has been able to reproduce this and are working on a solution now, and should be ready later today. As soon as it's available, we'll let everyone know.

It looks like the data is updating correctly, and then getting to the client correctly, and it looks like all the windows with a refresh-on-open flag fail to refresh after. So we're working on it.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: ASL 3.0 Feedback
Posted: Wed Jul 20, 2011 3:32 pm
Forum User

Joined: Wed Jul 20, 2011 7:56 am
Posts: 8
Location: France
After a long time after the asl -u command, I finally have a message:

Code:
Notice: corrupt serialized data at offset 1:  in lib/lib.PGUIValidate.php on li
Checking for updates..
  ASL version is current: 3.0                              [OK]
  APPINV rules are current: 201008021738                   [OK]
  CLAMAV rules are current: 201107191237                   [OK]
  GEOMAP rules are current: 201107191220                   [OK]

    Update failed for some reason, retrying with full debug information...
--2011-07-20 21:00:13--  https://userchanged:*password*@www.atomicorp.com/channels/asl-2.0/rules//modsec-201107191723.tar.gz
Résolution de www.atomicorp.com... 74.208.155.133
Connexion vers www.atomicorp.com|74.208.155.133|:443...échec: Connexion terminée par expiration du délai d'attente.
Nouvel essai.

--2011-07-20 21:03:24--  (essai: 2)  https://userchanged:*password*@www.atomicorp.com/channels/asl-2.0/rules//modsec-201107191723.tar.gz
Connexion vers www.atomicorp.com|74.208.155.133|:443...échec: Connexion terminée par expiration du délai d'attente.
Nouvel essai.

--2011-07-20 21:06:35--  (essai: 3)  https://userchanged:*password*@www.atomicorp.com/channels/asl-2.0/rules//modsec-201107191723.tar.gz
Connexion vers www.atomicorp.com|74.208.155.133|:443...échec: Connexion terminée par expiration du délai d'attente.
Nouvel essai.


The word "password" appears in the logs. I have not changed it; the real password is not displayed. Is this normal?


 Post subject: Re: ASL 3.0 Feedback
Posted: Wed Jul 20, 2011 3:39 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3265
Location: Chantilly, VA
Quote:
Update failed for some reason, retrying with full debug information...
--2011-07-20 21:00:13-- https://userchanged:*password*@www.atom ... /channels/ asl-2.0/rules//modsec-201107191723.tar.gz
Résolution de www.atomicorp.com... 74.208.155.133
Connexion vers www.atomicorp.com|74.208.155.133|:443...échec: Connexion terminée par expiration du délai d'attente.
Nouvel essai.


So that means your connection failed. Can you connect to ports 80 or 443 on www.atomicorp.com from the server?

Quote:
The word "password" appears in the logs. I have not changed it; the real password is not displayed. Is this normal?


Yes, that's normal, and on purpose. :-)

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
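
The masking confirmed in the post above (`*password*` in place of the secret in the URL's userinfo) can be applied to any log line before it is stored or pasted into a forum. This is an added example, not Atomicorp's code; the function names and the second and third sample lines are constructed for illustration.

```python
import re

MASK = "*password*"  # same placeholder the quoted debug output uses

# scheme://user:secret@ inside any URL embedded in a log line. The secret
# runs to the LAST '@' before the first '/', '?', '#' or whitespace, so a
# secret that itself contains '@' or ':' is covered in full.
_USERINFO = re.compile(
    r"(?P<scheme>[a-zA-Z][a-zA-Z0-9+.-]*://)"
    r"(?P<user>[^\s:/?#@]+):(?P<secret>[^\s/?#]*)@"
)


def mask_url_credentials(line):
    """Replace the password part of URL userinfo; safe to apply twice."""
    return _USERINFO.sub(lambda m: f"{m['scheme']}{m['user']}:{MASK}@", line)


def lines_with_cleartext_secret(lines):
    """Return 1-based numbers of lines that still carry an unmasked secret."""
    return [
        n for n, line in enumerate(lines, 1)
        if any(m["secret"] != MASK for m in _USERINFO.finditer(line))
    ]


# Constructed sample: line 1 is the masked form shown in the thread, line 2
# carries a made-up secret containing '@', line 3 has a port and an e-mail
# address in the query string but no credentials at all.
SAMPLE = [
    "--2011-07-20 21:00:13--  https://userchanged:*password*@www.atomicorp.com"
    "/channels/asl-2.0/rules//modsec-201107191723.tar.gz",
    "GET https://alice:s3cr3t@pw@mirror.example.com:443/rules.tar.gz",
    "GET https://mirror.example.com:443/rules.tar.gz?contact=ops@example.com",
]

if __name__ == "__main__":
    print("unmasked on lines:", lines_with_cleartext_secret(SAMPLE))
    for line in SAMPLE:
        print(mask_url_credentials(line))
```

Running `lines_with_cleartext_secret` over a log before sharing it shows which lines still need masking; the host:port and query-string cases are left untouched.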


 Post subject: Re: ASL 3.0 Feedback
Posted: Wed Jul 20, 2011 3:54 pm
Forum User

Joined: Wed Jul 20, 2011 7:56 am
Posts: 8
Location: France
mikeshinn wrote:
Quote:
Seems that anytime you change the ASL Web Settings and start resizing and moving things around that's when the loading issues start. I did clear my cache every time before re-logging in to the asl gui.


Yep, the GUI team has been able to reproduce this and are working on a solution now, and should be ready later today. As soon as it's available, we'll let everyone know.

It looks like the data is updating correctly, and then getting to the client correctly, and it looks like all the windows with a refresh-on-open flag fail to refresh after. So we're working on it.


OK, iptables was blocking port 443. I fixed this, and now asl -u works:

Code:
asl -u
Checking for updates..
  ASL version is current: 3.0                              [OK]
  APPINV rules are current: 201008021738                   [OK]
  CLAMAV rules are current: 201107191237                   [OK]
  GEOMAP rules are current: 201107191220                   [OK]
  Updating MODSEC to 201107191723: updated                 [OK]
Arrêt de httpd :                                          [  OK  ]
[Wed Jul 20 21:43:46 2011] [warn] module ssl_module is already loaded, skipping
Démarrage de httpd :                                      [  OK  ]
  Updating OSSEC to 201107011206: updated                  [OK]


The web interface is fast, no loading problem, but the security events are still empty.


 Post subject: Re: ASL 3.0 Feedback
Posted: Wed Jul 20, 2011 4:43 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3265
Location: Chantilly, VA
Quote:
The web interface is fast, no loading problem, but the security events are still empty.


I don't recall if you answered this earlier, but do you see any mysql errors in your mysql log? That would cause a blank events window.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: ASL 3.0 Feedback
Posted: Wed Jul 20, 2011 5:06 pm
Forum User

Joined: Wed Jul 20, 2011 7:56 am
Posts: 8
Location: France
mikeshinn wrote:
Quote:
The web interface is fast, no loading problem, but the security events are still empty.


I don't recall if you answered this earlier, but do you see any mysql errors in your mysql log? That would cause a blank events window.


No problem in mysql.log, but since mysql was updated I executed the mysql_upgrade command. All websites work on this server.

In the dashboard window, I can read:
Events since 24 hours: 0
Events since 30 days: 340

Attacks since 24 hours: 0
Attacks since 30 days: 33

In the Web Attacks window I have this:

Image

So I think the database is OK; ASL can read part of the information.

Thanks for your help.


 Post subject: Re: ASL 3.0 Feedback
Posted: Thu Jul 21, 2011 5:44 am
Forum User

Joined: Wed Jul 20, 2011 7:56 am
Posts: 8
Location: France
I've found the problem: when I compared /var/ossec/etc/mysql/mysql.schema with my database, my table "alert" didn't have "alertid". I added it and since then it's OK.
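
A repeatable form of the comparison described in the post above, as an added example that is not ASL or OSSEC code: it parses `CREATE TABLE` statements from a schema file and reports columns missing from the live database. The DDL and the live column list below are constructed and abbreviated, not the shipped file; in practice the live list would be read from `information_schema.columns`.

```python
import re

_CREATE = re.compile(
    r"CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?`?(\w+)`?\s*\((.*?)\)[^;()]*;",
    re.IGNORECASE | re.DOTALL,
)
_NOT_COLUMNS = {"PRIMARY", "KEY", "INDEX", "UNIQUE", "CONSTRAINT", "FOREIGN"}

def _split_top_level(body):
    """Split on commas that are not inside parentheses."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return [p.strip() for p in parts + [cur] if p.strip()]

def schema_columns(ddl):
    """Map table name -> ordered column names declared in the DDL text."""
    ddl = re.sub(r"--[^\n]*", "", ddl)  # drop SQL line comments
    return {
        name: [d.split()[0].strip("`") for d in _split_top_level(body)
               if d.split()[0].upper() not in _NOT_COLUMNS]
        for name, body in _CREATE.findall(ddl)
    }

def missing_columns(ddl, live):
    """live: {table: iterable of column names} read from the database."""
    report = {}
    for table, cols in schema_columns(ddl).items():
        have = {c.lower() for c in live.get(table, ())}
        gone = [c for c in cols if c.lower() not in have]
        if gone:
            report[table] = gone
    return report

# Constructed, abbreviated DDL and live column set (not the shipped file).
SAMPLE_SCHEMA = """
CREATE TABLE IF NOT EXISTS alert (
    id INT UNSIGNED NOT NULL AUTO_INCREMENT, -- surrogate key
    rule_id MEDIUMINT UNSIGNED NOT NULL,
    alertid TINYTEXT DEFAULT NULL,
    PRIMARY KEY (id, rule_id)
);
"""
SAMPLE_LIVE = {"alert": ["id", "rule_id"]}
```

`missing_columns(SAMPLE_SCHEMA, SAMPLE_LIVE)` reports `alertid` for the `alert` table; a table absent from the live database is reported with all of its columns.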


 Post subject: Re: ASL 3.0 Feedback
Posted: Thu Jul 21, 2011 10:46 am
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3265
Location: Chantilly, VA
Did you run a manual upgrade, or did you rely on the automatic upgrade (asl -u) to upgrade from 2.2 to 3.0?

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: ASL 3.0 Feedback
Posted: Thu Jul 21, 2011 3:25 pm
Forum Regular

Joined: Thu May 07, 2009 12:46 pm
Posts: 220
The new mysql and asl update fixed the problems for me and also the web-gui.
I have to say this asl-web-gui is very nice, very good job!
I don't know what the problem was but it looks like mysql?

I have one question, I think it's normal, but what is this rule? I see this many times in security events:

Code:
sudo: tortix : TTY=unknown ; PWD=/var/asl/www ; USER=root ; COMMAND=/var/asl/bin/asl --validate_gui


Anyway, good work for the team!
I hope you guys can sleep now; I think it was a long night and day!

Greetz


 Post subject: Re: ASL 3.0 Feedback
Posted: Thu Jul 21, 2011 11:19 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3265
Location: Chantilly, VA
Quote:
sudo: tortix : TTY=unknown ; PWD=/var/asl/www ; USER=root ; COMMAND=/var/asl/bin/asl --validate_gui


ASL operates via least privilege, so it doesn't run as root and it doesn't suid. Anything it needs to do with root privileges it will do via sudo so that it's logged, and so that the ASL user is restricted to only doing things we know are safe. This is just a log message of a command being run by ASL.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
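
Because every privileged action of the service account goes through sudo and is logged, as the post above explains, those log lines can be audited: a refused request, a different binary, or a real terminal on that account stands out. This is an added example, not Atomicorp's code; the allowlist, the TTY rule and every sample line except the first are assumptions constructed for illustration.

```python
import re

# sudo's log line, with the optional refusal note sudo puts before TTY=
# (for example "command not allowed").
_SUDO = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+(?:(?P<note>[^;=]+?)\s+;\s+)?"
    r"TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>.+?)\s+;\s+"
    r"USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<command>.+)$"
)

# Assumption: (run-as user, binary) pairs each service account may use.
# Only the asl binary is confirmed by the thread; extend to match sudoers.
ALLOWED = {"tortix": {("root", "/var/asl/bin/asl")}}


def audit(lines):
    """Return (line_no, reason, command) for sudo events worth a look."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = _SUDO.search(line)
        if not m or m["user"] not in ALLOWED:
            continue  # not a sudo event, or not an account we track
        binary = m["command"].split()[0]
        if m["note"]:
            reason = "denied: " + m["note"]
        elif (m["runas"], binary) not in ALLOWED[m["user"]]:
            reason = "unexpected command"
        elif m["tty"] != "unknown":
            reason = "interactive TTY " + m["tty"]  # daemon has no terminal
        else:
            continue
        findings.append((n, reason, m["command"]))
    return findings


# Constructed sample; only the first event is taken from the thread.
_T = "TTY=unknown ; PWD=/var/asl/www ; USER=root ; COMMAND="
SAMPLE = [
    "sudo: tortix : " + _T + "/var/asl/bin/asl --validate_gui",
    "sudo: tortix : " + _T + "/usr/bin/id",
    "sudo: tortix : command not allowed ; " + _T + "/usr/bin/id",
    "sudo: admin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/yum update",
    "sudo: tortix : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/var/asl/bin/asl -u",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The routine event quoted in the thread produces no finding, which is the point: the expected command becomes the baseline and only deviations are reported.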


 Post subject: Re: ASL 3.0 Feedback
Posted: Tue Jul 26, 2011 11:25 am
Forum Regular

Joined: Wed Jan 02, 2008 3:21 pm
Posts: 515
Location: United Kingdom
Just updated asl with latest:

ossec-hids-server-2.6-1.el5.art.x86_64
asl-3.0.2-1.el5.art.x86_64
asl-web-3.0.2-1.el5.art.x86_64

Still have empty Reports>Login Failures (Top Stats & Web Attacks show results).

GUI still shows WAF updates are available after asl -u; clicking "Updates Available" just pops up the asl -u window, same output as CLI.

Clear cache after each update and have tried on various browsers: Firefox 5/Chrome 12/Safari 5.1.


 Post subject: Re: ASL 3.0 Feedback
Posted: Tue Jul 26, 2011 12:42 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3265
Location: Chantilly, VA
Quote:
Still have empty Reports>Login Failures (Top Stats & Web Attacks show results).


Reports are generated hourly based on the data available on the system. Once your system has events, the report will be generated for the previous hour's events.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: ASL 3.0 Feedback
Posted: Wed Jul 27, 2011 12:16 pm
Forum Regular

Joined: Wed Jan 02, 2008 3:21 pm
Posts: 515
Location: United Kingdom
mikeshinn wrote:
Reports are generated hourly based on the data available on the system. Once your system has events, the report will be generated for the previous hour's events.

Still have no data showing in Reports many hours later. Took a look with Firebug* in FF, but as it's Flash it cannot connect requests with page elements accurately enough to know if the data is called but just failing to show. It's no biggie, but it doesn't appear in any browser, so think it may be a system/settings issue. There are no MySQL errors reported.

*Side note: running Firebug in ASL GUI makes Firefox performance drop significantly; this may be the cause of the slow/laggy issue others experienced.


 Post subject: Re: ASL 3.0 Feedback
Posted: Thu Jul 28, 2011 6:57 pm
Forum Regular

Joined: Thu Oct 26, 2006 11:56 pm
Posts: 665
Just some feedback. I've been on asl 3 for ages, since it came up in testing. Worked with Scott on getting the bugs fixed.

I am very happy with it. I don't have these slow load times in the web interface. It takes about 8 seconds to maybe 10 and all the windows are open.

One server is quad 3 GHz centos 5.6 x64, the other is 3 GHz celeron centos 6.0 i686.

I only use firefox and safari to access and it's great.

Cheers,
David

