<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
FONT-SIZE: 10pt;
FONT-FAMILY:Tahoma
}
</style>
</head>
<body class='hmmessage'>
<SPAN class=MsgBodyText>Hello,<BR><BR>I'm having problems regarding agent/server connections. The errors occur with Ossim installed via Installer 1.04, even when it is updated to 1.0.5 and 1.0.5p1.</SPAN><BR>
<SPAN class=MsgBodyText>I think there is a problem with the format of events sent from Snort to Server.<BR>Some of the messages I get from agent.log:<BR><BR>Conn [ERROR]: (104, 'Connection reset by peer')<BR>Conn [INFO]: Closing server connection..<BR><BR>Conn [ERROR]: (32, 'Broken pipe'<BR>Conn [INFO]: Closing server connection..<BR>Conn [ERROR]: Error receiving data from server<BR><BR>And these are the ones I get from server.log:<BR><BR>OSSIM-Debug: sim_session_read: error command null<BR>OSSIM-Message: Session Sensor : REMOVED<BR>OSSIM-Message: Removed IP: 10.200.1.166<BR>OSSIM-Message: Session Removed<BR>OSSIM-Debug: sim_server_session: After remove session: pid 14144. session: 8101b08<BR>OSSIM-Debug: sim_scheduler_backlogs_time_out: list is NULL<BR><BR><BR>OSSIM-Debug: sim_command_snort_event_scan: len/data: 237/8b3e730<BR>2008-08-27 09:19:30 OSSIM-Debug: sim_command_snort_event_scan: gzipdata type="detector" date="2008-08-27 06:57:09" snort_gid="1" snort_sid="1417" snort_rev="9" snort_classification="4" snort_priority="2" packet_type="raw" raw_payload=" 005056974108000423b002b481000010080045000055000040003e11827d 0ac80164ac1001dfbd8900a1004138623037020101040f35657276696430 7265355f35357265a12102047a501a8f02010002010030133011060d2b06 01020119040201028483250500 "<BR>OSSIM-Debug: FUC**** COMMAND: type="detector" date="2008-08-27 06:57:09" snort_gid="1" snort_sid="1417" snort_rev="9" snort_classification="4" snort_priority="2" packet_type="raw" raw_payload=" 005056974108000423b002b481000010080045000055000040003e11827d 0ac80164ac1001dfbd8900a1004138623037020101040f35657276696430 7265355f35357265a12102047a501a8f02010002010030133011060d2b06 01020119040201028483250500 "<BR><BR>OSSIM-Debug: sim_session_read: error command null<BR>OSSIM-Message: Session Sensor : REMOVED<BR>OSSIM-Message: Removed IP: 10.200.1.166<BR>OSSIM-Message: Session Removed<BR>OSSIM-Debug: sim_server_session: After remove session: pid 14144. 
session: 8124600<BR><BR>OSSIM-Debug: Attempt to insert event with sensor:10 and cid:23742 with 10<BR>OSSIM-Message: Unknown protocol send from Snort 255<BR>OSSIM-Debug: sim_organizer_snort_extra_data_insert: YES<BR>OSSIM-Debug: sim_organizer_correlation: BEGIN backlogs 0<BR>OSSIM-Debug: sim_organizer_correlation: END backlogs 0</SPAN><BR>
<SPAN class=MsgBodyText></SPAN>&nbsp;<BR>
<SPAN class=MsgBodyText>Thanks, Ben.<BR>
<BR><BR></SPAN></body>
</html>